<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Okta "403 Forbidden" Error With Apple iCloud Relay Proxy And Enhanced Dynamic Network Zone
May 5, 2026
Okta Classic Engine
Okta Identity Engine
Network Zones
Overview

Okta generates a 403 Forbidden error for users with the Apple iCloud Relay Proxy enabled when an Enhanced Dynamic Network Zone blocks all anonymizers. Deactivating the default enhanced dynamic zone and creating an exception for the iCloud Relay Proxy resolves this issue.

When an Enhanced Dynamic Network Zone blocks the ALL_ANONYMIZERS category, users with the Apple iCloud Relay Proxy enabled receive the following error:

 

403 Forbidden

 

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Enhanced Dynamic Network Zone
  • Apple iCloud Private Relay Proxy
Cause

Okta blocks the ALL_ANONYMIZERS category, which includes the APPLE_ICLOUD_RELAY_PROXY category. This causes the clients to meet the criteria for blocking by the Enhanced Dynamic Network Zone condition.

Solution

How is the default enhanced dynamic zone deactivated?

Navigate to the network settings in the Okta Admin Console and deactivate the default enhanced dynamic zone.

  1. In the Okta Admin Console, go to Security > Networks.
  2. Navigate to the DefaultEnhancedDynamicZone.
    DefaultEnhancedDynamicZone
  3. Click Active, then click Inactive to deactivate the zone.
    DefaultEnhancedDynamicZone

How is an exception created for the iCloud Relay Proxy?

Add a new enhanced dynamic zone in the Okta Admin Console and configure it to block all IP service categories except the Apple iCloud Relay Proxy.

  1. In the Okta Admin Console, go to Security > Networks.
  2. Select Add zone > Enhanced Dynamic Zone.
    Networks
  3. Enter a Zone name.
  4. Select Block access from IPs matching conditions to block the IP service category, locations, and Autonomous System Numbers (ASNs) in the zone.
    Add Enhanced Dynamic Zone
  5. Select All IP service categories except and enter APPLE_ICLOUD_RELAY_PROXY.
    Add Enhanced Dynamic Zone
    • Include locations: The zone includes the locations selected in the next step. If the option remains as None, the dynamic zone includes all locations.
    • All locations except: The zone excludes the locations selected in the next step. The zone includes all other locations. In the Location field, enter the country, state, or region, if applicable. Click Add Another to add more locations.
  6. In the Internet Service Provider (ISP) autonomous system numbers (ASNs) field, enter the ASNs to include in the zone.
  7. Click Save.
  8. Set the network zone to Active.

Related References

Recommended content

Still looking for help?
Loading
Okta "403 Forbidden" Error With Apple iCloud Relay Proxy And Enhanced Dynamic Network Zone