Sunday, March 13, 2022

When iCloud Keychain stops working (No more Safari passwords) - Mojave

I'm buying tickets for an event and suddenly there's no password autocomplete in Mojave Safari. Safari Preferences Passwords shows 3-4 entries, but my Apple passwords shows on my iOS devices and my Monterey Air. It's just Mojave that has lost all its iCloud/keychain access.

A good reminder that if you want to use Apple Passwords as a 1Password replacement you need to export a static backup (and this must be automated). The Cloud is where data goes to die.

A found a relevant 2016 Apple Discussion post which would be Mojave era. So I wonder if it's a Mojave bug. The fix there was from "Linc Davis" a "Level 10" with 209K points [1]

Please take these steps to resynchronize the iCloud keychain. Your keychain on iCloud and your other Apple devices won't be affected. Take Step 2 only if Step 1 doesn't solve the problem.
Step 1
Back up all data.
Open the iCloud pane in System Preferences and uncheck the Keychain box. You'll be prompted to delete the local iCloud keychain. Confirm—the data will remain on the servers. Then re-check the box. Follow one of the procedures described in this support article to set up iCloud Keychain on an additional device. Test.
Step 2
If you still have problems, uncheck the Keychain box again and continue.
Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C: 
~/Library/Keychains
In the Finder, select
          Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "Keychains" should open. Inside it is a subfolder with a long name similar to (but not the same as) this:
           421DE5CA-D745-3AC1-91B0-CE5FC0ABA128
The above is only an example; yours will have a different name of the same general form. Drag the subfolder (not the Keychains folder) to the Trash.
Restart the computer, empty the Trash, and re-enable iCloud Keychain.

Toggling Keychain off and on didn't seem to do anything so I figured I'd check in the morning. Before I checked though I did review my passwords in Monterey. For *reasons* (this happens way too often) I had to reenter my iCloud credentials there but I was also asked the usual iCloud keychain questions -- provide passcodes for my other machines.

Then I looked at my Mojave machine and Safari had my passwords again.

Maybe the fix was toggling Keychain and waiting a bit, but I'm suspicious that something happened somewhere in iCloud that required me to do the iCloud Keychain authentication dance from a Mac -- and Mojave couldn't do it.

Again, if you use Apple Passwords as your sole repository you need a non-iCloud backup.

- fn -

[1] No profile info, has participated in 97K threads. Either insane or an Apple staff pseudonym.


Sunday, March 06, 2022

What happens when you have an Apple ID without an email address and you change it? (And much more about Apple ID hell.)

I'll provide some back story below, but it's tedious and a bit ranty so I'll put the most useful stuff up front.

For *reasons* (see below) I have had an Apple ID associated with iTunes, App Store, physical Apple Store, hardware and other purchases for about 20 years. For other *reasons* almost lost to memory the username has not been a valid email address for most of those years. Until recently it had an associated email address it would forward to but Apple changed things sometime in the past two years and that stopped working.

I'm simplifying.

We will call this Apple ID username "bob@mac.com". I will use alice@icloud.com and dan@me.com for my new Store Apple ID ("Media & Purchases") and my longstanding iCloud Apple ID respectively.

Once bob@mac.com stopped forwarding I no longer received notifications related to Apple Discussions or emails related to charges. Since bob@mac.com was the store Apple ID for my family (this was the practice in early iTunes days) our children (now adult) used it for purchases. Simplifying a lot and omitting family details the lack of email meant no monthly statements -- so I didn't spot a scam subscription - among other things.

I knew I had to fix this but I dreaded the side-effects. I'd already tried undoing the shared store Apple ID and ran into disaster; I had to reverse that attempt. I had to fix the Apple ID invalid email problem first.

Before Apple broke forwarding for the Apple ID "bob@mac.com" I had used "alice@icloud.com" as a forwarding address. Although there was no clue in the Apple ID online configuration tool, I knew alice@icloud.com was still entangled with bob@mac.com (see below, this post goes on for a long time but still omits much).

Ok, so far? I gets a bit simpler then you can skip the back story.

Anyhow ... when Apple broke forwarding they seem to have introduced the ability to change an Apple ID userid - such as bob@mac.com. I believe, though I can't find any documentation, that the visible username with the form of an email address (ex: bob@mac.com) is an alias for an unchanging hidden identifier (maybe a GUID). 

After some thought I decided the cleanest approach would be to change my Store Apple ID visible username from bob@mac.com to alice@icloud.com (I knew the two were entangled, see below). It's easy to make this change from appleid.apple.com. When I did this I was not asked to confirm that alice@icloud.com was a valid email address I owned. All I got was an email sent to to alice@icloud.com saying the change had been made.

After I made the change I found the following. I expect other changes as Apple's different systems synchronize and update (I will update this as I learn more, I expect to learn of problems from family members later today):

  1. I cannot login to the Apple ID or anywhere using bob@mac.com but the two factor notification dialog still says bob@mac.com (this may change).
  2. I think I may have more control over Apple ID two-factor, I can add/remove trusted devices, remove from account, and I can add a second trusted phone number. I still can't add a backup email address; that is available on some other Apple IDs I have
  3. Apple Discussions is intact. When I login with alice@icloud.com I show as "member since June 23, 2003".
  4. Mail sent to bob@mac.com still fails, there's no redirect.
  5.  iTunes on Mojave: asks me to sign in and displays new alice@icloud.com. Says session expired, asks again. Purchase history intact.
  6. Media & Purchases on iPhone showed new iCloud address and I had no trouble with updating apps.
In addition, Messages in my personal dan@me.com iCloud stopped working! It turns out "Messages" has legacy associations with the old Apple Store ID used with iMessage before Apple implemented iCloud. I got this error message

Messages in iCloud not available as iCloud and iMessage accounts do not match. (Messages in iCloud is not available because iCloud and iMessage accounts are different.)

There's a fix here but it's not the one I needed. When I looked at Messages on my iPhone it showed only my Phone number, the Apple IDs were all absent. When I tried to enter an Apple ID it showed my store Apple ID; I chose "use other Apple ID" and entered my personal iCloud Apple ID. That worked and it immediately restored all my send/receive message list. I could then reenable messages in iCloud.

It didn't fully work on Mojave iMessages though. I reenabled using iCloud Messages in preferences there and about an hour or two later it seemed to start working (though uploading messages to iCloud is still ongoing.)

That concludes the current record of changes to date. So far it has been less of a problem than anticipated, but it's early days. I will add other issues as they emerge. Then I can return to the herculean tasks of moving family members off of a shared Media & Purchases account.

Below are details for the benefit of someone searching who finds this post. They are related older items that I will summarize in outline.

----------- additional details ---------------

As noted above years ago I had alice@icloud.com as forwarding email for the Apple ID bob@mac.com. The address bob@mac.com had no associated email because of complex changes Apple made in migrating from free iTools to not-free .Mac to MobileMe. [1][2]

When I finally realized I wasn't getting Apple media purchase statements for bob@mac.com I began investigating what had happened to the old alice@icloud.com iCloud account. I found it was deactivated. I was able to reenable it. That's when things got weird. Remember (if you read above) that there was no longer anything I the Apple ID settings for bob@mac.com that showed alice@icloud.com.

Once I reenabled alice@icloud.com with a new password I found that:

  • Both alice@icloud.com and bob@mac.com worked as usernames for the same bob@mac.com Apple ID.
  • The password for the bob@mac.com Apple ID had changed to match the alice@icloud.com password. [This actually took a day to propagate to iTunes purchases]
  • Both alice@icloud.com and bob@mac.com showed the same iCloud services (mail, etc).
  • bob@mac.com was still not a valid email address. 
fn -

[1] https://en.wikipedia.org/wiki/MobileMe#.Mac

Originally launched on January 5, 2000, as iTools, a free collection of Internet-based services for Mac OS 9 users, Apple relaunched it as .Mac on July 17, 2002, when it became a paid subscription service primarily designed for Mac OS X users. Apple relaunched the service again as MobileMe on July 9, 2008, now targeting Mac OS X, Microsoft Windows, iPhone, and iPod Touch users.

On February 24, 2011, Apple discontinued offering MobileMe at its retail stores, and later from resellers.[2] New subscriptions were also stopped. On October 12, 2011, Apple launched iCloud to replace MobileMe for new users, with current users having access until June 30, 2012, when the service was to cease.

... The original collection of Internet software and services now known as iCloud was first called iTools, released on January 5, 2000, and made available free of charge for Mac users.

Services offered by iTools included the first availability of @mac.com email addresses, which could only be accessed through an email client (e.g. the Mail app); iCards, a free greeting card service; iReview, a collection of reviews of popular web sites; HomePage, a free web page publishing service; the first version of iDisk, an online data storage system; and KidSafe, a directory of family-friendly web sites.

.Mac[edit]
As costs rose, most particularly due to iDisk storage space, the wide demand for @mac.com email accounts, and increasing support needs, iTools was renamed .Mac on July 17, 2002, as a subscription-based suite of services with a dedicated technical support team.[25]

... Existing iTools accounts were transitioned to .Mac accounts during a free trial period that ended on September 30, 2002. This move generated a mixed reaction among Mac users, some believing .Mac was overpriced...

[2] eWorld https://en.wikipedia.org/wiki/EWorld

. Yesterday the password for App Store was different from password for Apple ID but today they seem to be same. I think they are two different systems that update every few hours...

 · Feb 19

Today it appears there is a single Apple ID with two usernames and one password. One username has iCloud services but is nowhere displayed in Apple ID information. twitter.com/jgordonshare/s…

... If you change a phone's Store ID to match the phone's iCloud ID  you cannot update all their apps with their iCloud ID password. You need to use the old Store ID password. Even when family sharing is in play...

... I have a hunch that Apple has an internal ID for users separate from the username (email form) displayed with their Apple IDs and Store IDs and iCloud IDs and that is what they use in FairPlay. 

Saturday, March 05, 2022

The AT&T / Apple eSIM activation fee scam: $30 "discount" and a $30 activation fee

This is what you see when you go to buy an iPhone from Apple these days and pay full price:


You can choose "Connect to a carrier now" or "Connect on your own later". In this case they are the same price. 

If you choose "Connect on your own later  there's no additional fee. You swap the SIM card from your old phone and go.

If you choose "Connect to a carrier now" you will get an unlocked phone but it has an eSIM. It will also be "activated"; when that happens the eSIM is enabled and the old SIM card is disabled. Carriers charge a fee for activation. For AT&T it's $30.

So in this cases you pay $1,100 for the iPhone and there's a hidden fee of $30 from AT&T if you go the eSIM route. (I suspect if you switch a phone from SIM to eSIM you will also be charged $30.)

Sometimes Apple may choose to list the "Connect to a carrier now" with a "carrier discount" of $30. In this case they'll display the cost of the phone with the discount applied; the "Connect on your own later" will be $30 more. But if you choose the cheaper option you will get charged the $30 from your carrier. So Apple is .... lying about the price. Apple probably gets a kickback from the carrier,

Just choose "Connect on your own later" and pay the real price up front.

Twitter version:

AT&T's various fees, including this one.

Update 9/11/2022: For a semester in Italy we converted my daughter's physical SIM to an eSIM using the iOS convert to eSIM feature. Our next bill will tell us if there was a fee associated with the conversion.