Blocking icloud private relay "nicely"

I'd think if you block QUIC, that would take care of it. I think Cato recommends you do this anyway. 

If for some reason you can't block QUIC completley via the internet firewall, I suppose you could make a custom app for UDP/443 to the relevant domains and block that. 

iCloud Private Relay uses QUIC, a new standard transport protocol based on UDP. QUIC connections in Private Relay are set up using port 443

ddaniel​ Just wanted to say that you are not crazy! I am very familiar with this prompt. We use Cisco Umbrella and they offer a backend configuration change you can request to perform Apple's recommended approach. BUT especially with cellular devices I think they hop back and forth between WiFi and Cellular at times and it will throw that message a few times a day sometimes. 

I wish it was easier to manage from an enterprise standpoint as well... but likely it's overcomplicated deliberately to discourage disableing Apple's "magic".

Thanks for the reply.  I do block QUIC which makes it stop working but doesn't alert the user.  In most cases, they need to manually turn it off to work.  And our support folks get a call as to why their wifi is not working.  My goal is to block it cleanly so that their phone or macbook lets them know what is going on.   According to Apple, the proper way is to return NXDOMAIN to the DNS queries.  But the DNS queries are not blocked, only their access once the device tries to enable the icloud private relay.

I think that if the DNS filtering offered custom rules, I could block the two DNS records they use to enable it and that would trigger the device to gracefully alert the user.  Although the DNS query needs a NXDOMAIN reply and the DNS filtering may only offer to drop the request.

Hi ddaniel,
I think it's a great idea for the idea hub! Please post this request there!
Thanks,
Mihai