STIG ID: APPL-14-002170 | SRG: SRG-OS-000095-GPOS-00049 | Severity: medium | CCI: | Vulnerability Id: V-259525
Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled.
Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com.
Configure the macOS system to disable the iCloud Private Relay by installing the "com.apple.applicationaccess" configuration profile.
Verify the macOS system is configured to disable the iCloud Private Relay with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudPrivateRelay').js
EOS
If the result is not "false", this is a finding.