When an Enhanced Dynamic Network Zone is configured to block ALL_ANONYMIZERS, users with Apple iCloud Relay Proxy enabled will receive the following error:

403 Forbidden

• Enhanced Dynamic Network Zone
• iCloud Private Relay Proxy

Okta is blocking ALL_ANONYMIZERS, which includes APPLE_ICLOUD_RELAY_PROXY, causing the clients to meet the criteria to be blocked by the Enhanced Dynamic Network Zone condition.

Deactivate the DefaultEnhancedDynamicZone

1. In the Admin Console, go to Security > Networks.
2. Navigate to the DefaultEnhancedDynamicZone.

3. Click Active, then click Inactive to deactivate the zone.

Create an Exception for the iCloud Relay Proxy

1. In the Admin Console, go to Security > Networks.
2. Select Add zone > Enhanced Dynamic Zone.  

3. Enter a Zone name.

4. Select Block access from IPs matching conditions to block the IP service category, locations, and ASNs in the zone.

5. Select All IP service categories except and enter APPLE_ICLOUD_RELAY_PROXY.

• • Include locations: The locations selected in the next step are included in the zone.
    • If the option is left as None, then all locations are considered to be within this dynamic zone.
  • All locations except: The locations selected in the next step are excluded from the zone. All other locations are included.
    • In the Location field, enter the country, state, or region, if applicable.
    • Click Add Another to add more locations.  

6. In the ISP autonomous system numbers (ASNs) field, enter the ASNs that must be included in the zone.
7. Click Save.

9. Set the network zone to Active.

Related References

• Create an enhanced dynamic zone
• 403 Access Forbidden on Okta Login from iOS Mobile Devices