Why do my devices access mask.icloud.com

Hello,


Currently I have three Apple devices being monitored in my home network, primarily for ad sites, but interestingly the monitoring software (which is resident on another non-Apple system within my network) is indicating that these devices are accessing, or trying to access, the subject domain (mask.icloud.com), which is being blocked by the monitoring system.


What is causing me concern is that previously I had already decided to disable Private Relay access, as it was causing me some limited access to other important sites relating to support activities relating to Applications running on my Apple products.


So can anyone tell me why an Apple product running up-to-date software and OS is trying to access a domain that is linked with a service (i.e. Private Relay) which I have disabled on my account, please?


thanks


JohnW

MacBook Pro 14″, macOS 13.0

Posted on Dec 7, 2022 3:00 PM


8 replies
Question marked as Top-ranking reply

Dec 8, 2022 1:55 AM in response to etresoft

Hello,


First, thank you for taking the time to respond, which I have read several times.


However, to be perfectly honest, your response tone does not sit that well with me....and it may be that you hadn't intended it to be but it reads as a threat. --- Do it the Apple way or ELSE!!!!


It is not my intention to get philosophical in this response, but I do not live (not yet anyway) in a totalitarian state; if I make a decision I do not want to do something as I feel it is not right for my way of life, then that's my decision. If Apple has decided to use servers that are directly linked with their Private Relay service to verify Private Relay access then, in my opinion, they are WRONG; there are many other less contentious ways to verify if I use the Private Relay service or not.


At this point, I have to ask what else are they doing on these servers. Are you confident you know?


I have been a loyal user of Apple products for over 30 years + but there have been times recently when I start to think ... has this company Lost Their Way ..... their corporate ethos is changing..... has changed......


Apologies.... if I seemed to go "over the top a little" BUT


Thank You

JohnW



Dec 8, 2022 6:39 AM in response to welshguru

None of us work for Apple except for those listed as moderators. This community is merely Apple users helping other Apple users.


@Etresoft was merely warning you about blocking Apple macOS network traffic. The tone was intended as a warning, because many of us assisting those on these community forums have experienced the pain of blocking Apple network connections and suffered the consequences. Then had to engage in lengthy battles with our corporate network security overlords to allow the Apple devices to function on the corporate network. These people trusted Microsoft, knew nothing about Apple and were suspicious of Apple.


There are many network services, which were historically not well documented, that need to be allowed or things will break, and in unexpected and unexplainable ways. I speak from experience, working in a Fortune 100 environment with ridiculous security, and I had to fight with the Network Security staffers constantly to unblock Apple traffic. We had to whitelist all the Apple network connections. They tried to block the App Store and that blocked macOS security updates as a side effect. They were routing traffic through Zscaler, a packet inspection proxy. That broke Push Notifications, which are critical when sending Configuration Profiles to corporate owned and managed Macs to lock down and secure the devices.


Here's a full list of things that need to be allowed on any network where Apple devices are functioning. Blocking any of these communications will cause problems and some of those problems may manifest in entirely unexpected and unusual ways.


Use Apple products on enterprise networks - Apple Support


Thankfully, Apple published the support document above and they've been keeping it up-to-date. It's been invaluable to use as a reference when speaking with network security professionals. The mask.icloud.com Private Relay entries are new. If you wish to monitor and block traffic then you should keep this document handy to reference and to see any updates / changes as Apple upgrades macOS.


It's not just Apple, we had to unblock a lot of Microsoft, Amazon, and Google things as well. Most of the big tech companies have adopted Zero Trust methodologies and are using the most advanced technology available. The traffic is heavily encrypted. For example, when routing over a proxy such as Zscaler it's using pinned certificates, meaning the Zscaler proxy is acting as a man-in-the-middle so it can brute force break TLS / SSL encryption and inspect the packets. Big companies would consider that a cyber attack. This is something many corporations are deploying. Apple, Microsoft and others detect the certificate pinning / chaining and drop the traffic with zero response. They just blackhole the traffic, no errors, etc. This breaks Push Notifications and all sorts of critical functions on Apple devices. All the other Big Tech companies do the same. It's a best practice methodology. All of these Big Tech companies are under constant cyber attacks, including nation-state cyber warfare attacks. Apple takes user privacy very seriously, far more seriously than all the other companies.


It's entirely within your purview to block whatever network traffic you wish. But know that if you do that with Apple traffic, various things will break. You may seek assistance with those broken things. You must then communicate that you are indeed blocking Apple network traffic. Because the first thing that needs to happen is you need to unblock that network traffic.



Dec 7, 2022 5:04 PM in response to welshguru

Never try to manually disable Apple servers. There is no way to tell what they are used for or what the results will be if the system encounters an unexpected response.


For this server, Apple could be checking it to determine if iCloud Private Relay could be enabled. The Apple Support link that James Brickley provided listed that domain as one Apple uses to determine if iCloud Private could be enabled. But you shouldn't just block it. Apple was pretty specific about what those requests expect to see. There is no way to tell for sure what your home router is going to do. This is the kind of thing that could start causing mysterious 1 minute timeouts on every network request after some future OS update. I'm not saying that will happen. But if you start building your own internet routing tables, you need to be prepared for all eventual consequences. The easy solution is to just not block Apple.

Dec 8, 2022 5:30 AM in response to welshguru

welshguru wrote:

However, to be perfectly honest, your response tone does not sit that well with me....and it may be that you hadn't intended it to be but it reads as a threat. --- Do it the Apple way or ELSE!!!!

A threat? Just what do you imagine I’m going to do to you for blocking Apple servers? Send IT ninjas into your house to crawl across the ceiling undetected and then glue down all the tab keys on your keyboards?


My recommendations for using Apple products are the same as my recommendations for using anyone else’s products. If you want to use them, then use them as designed. Don’t try to hack it up on your own. Do you think you are more knowledgeable about network protocols than the Apple engineers who designed the system? I’ll spare you the suspense - you’re not.

It is not my intention to get philosophical in this response, but I do not live (not yet anyway) in a totalitarian state, if I make a decision I do not want to do something as I feel it is not right for my way of life that that's my decision. If Apple has decided to use servers that are directly linked with their Private Relay service to verify Private Relay access then, in my opinion, they are WRONG, there are many other less contentious ways to verify if I use the Private Relay service or not.

At this point, I have to ask what else are they doing on these servers. Are you confident you know?

I have been a loyal user of Apple products for over 30 years + but there have been times recently when I start to think ... has this company Lost Their Way ..... their corporate ethos is changing..... has changed......

Apologies.... if I seemed to go "over the top a little" BUT

Over the top a little? Totalitarian states? You’re on your fourth trip around, friend.


If, out of everything you’ve seen in the world by now, Apple is the one you’ve decided is unworthy of trust, then you’re beyond redemption. So why use their products? Find some other company you trust and use their products instead. But don’t hack them up. Nobody likes that. Support techs won’t give you the time of day once you start hacking up their products.


I don’t know Apple’s philosophy, but I have zero tolerance for hackers. There are plenty of great customers in the world. I make sure that my products either don’t work at all or don’t work well for hackers. I don’t need or want their business.
