Unmanaged iOS Phishing Resistance and iCloud Private Relay
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

Unmanaged iOS devices cannot satisfy the phishing resistance policy requirement when iCloud Private Relay is enabled.

NOTE: This issue is fixed in iOS 18 and later. This article applies only to iOS 17 and earlier.

Applies To
  • Okta Verify
  • iOS
  • Safari
Cause

If iOS Unmanaged Phishing Resistance is specified in the authentication policy, iOS users must disable iCloud Private Relay before authenticating. This issue applies only to Safari and native apps using Safari authentication view controllers; Chrome and Firefox are unaffected.
 

Solution
  1. Disable iCloud Private Relay before authenticating.
  2. Re-enable it after authentication is complete.

Workaround

The following steps can be used as a workaround to keep the iCloud Private Relay on when authenticating inside Safari. They must be done each time a new tab is used to authenticate in Safari. 

  1. Open a new tab in Safari.
  2. Tap the reader button (Aa).
  3. Click on Show IP Address.
  4. Click Continue on the privacy dialog.
[Image: Example of the iCloud Private Relay workaround]

For native apps that use Safari-based authentication views (for example, Slack), the user will need to do the following:

  1. Navigate to Settings > iCloud > Private Relay.
  2. Turn off iCloud Private Relay (for one day is fine).
  3. Execute the authentication flow in the native app.
 