The macOS system must disable iCloud Private Relay.

STIG ID: APPL-14-002170  |  SRG: SRG-OS-000095-GPOS-00049 | Severity: medium |  CCI: CCI-000381

Vulnerability Discussion

Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled.

Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com.

Check

Verify the macOS system is configured to disable the iCloud Private Relay with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudPrivateRelay').js
EOS

If the result is not "false", this is a finding.

Fix

Configure the macOS system to disable the iCloud Private Relay by installing the "com.apple.applicationaccess" configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.