Showing posts with label parental controls. Show all posts

Friday, April 28, 2023

iOS App Update hangs without an error message in infinite download: a general approach

Apple's FairPlay DRM management is notoriously fragile. It can be confused by family sharing, Screen Time controls, payment method changes, and, heaven forfend, mixed Apple IDs on a device.

Once Apple's DRM gets confused there's often no user accessible error message (PS. This is a bug [1]). The app just hangs. So when I realized my (manual) App Store updates were not completing I was not completely surprised. Recently I had:

  1. Changed payment methods. I made my Apple Card's award balance (1-2% transaction) the default payment method (so it always gets emptied)
  2. Enabled Screen Time account change restrictions to mitigate the harm of Apple's biggest current security issue.

I fixed the problem in the usual way (see Apple's article on this as well):

  1. [Switch to manual update if you've been using automatic]
  2. Verify Apple ID payment methods look correct
  3. Turn off Screen Time [Apple doesn't mention this.]
  4. Restart phone (power off/on)
  5. Download a new free app from App Store [An old method, still useful]
  6. Verify I can now update one of the pending apps.
  7. Update All
  8. Turn Screen Time back on.
  9. [Turn auto update back on if you like that.]
-- 
[1] Failure to generate a user notification of a failed interaction is, of course, a bug, regardless of whether there's a bug in the interaction processing (which there is, so that's another one).

Saturday, April 22, 2023

iPhone Recovery Key attack vector kills your iCloud access: Workarounds pending an Apple fix including Apple ID protection

Someone who has your iPhone passcode can lock you out of your Apple iCloud and Apple ID services -- as well as take control of your iPhone and have access to all passwords stored in Apple's Password Manager (iCloud Keychain).

This can happen when someone steals your phone and obtains your passcode by the simple measure of threatening to kill you. Or they might see you enter your passcode or surreptitiously record entry. In bars drugs can be used to facilitate the process. This is often done as part of "borrowing a phone" for an "emergency call". (Never let anyone you don't trust with your life and wealth touch your phone. If it's an emergency make the call for them but ensure they don't record your passcode and don't let go of the phone.)

Once the thief has your phone and passcode they can change the victim's Apple ID password. This prevents the victim from locking the iPhone. The victim could still do the Apple ID password recovery process, so to get more time with the phone the thief can set a Recovery Key. If a Recovery Key exists they can change it. Setting a Recovery Key this way disables Apple ID password recovery. This gives the thief unlimited time with the phone. It also locks the user out of all their Apple ID associated services and products including video, music, personal photos, personal documents, family sharing, other Apple devices, and the like. From the thief's perspective the Apple ID lockout is merely a side-effect. They may even feel a tiny qualm of sympathy for their victim. They do it to prevent iPhone lockout.

This is an Apple design problem. They need to fix it. Basically the iPhone passcode has far too much power -- especially since it has to be tapped in far too frequently and is thus relatively easy to enter. Secondarily, the benefits of the Recovery Key are limited to a few people and, with this technique in common use, the risks dwarf the benefits. Apple should disable creation of new Recovery Keys immediately while they come up with a better fix.

TidBITS has one of the best descriptions of the problem following a somewhat confused WSJ article. I suggest also reading TidBITS' preceding article on the problems with iCloud Keychain.

I was aware of most of these issues, but the Recovery Key hack is new to me. Again, if an attacker has control of your iPhone they can change your Apple ID password, locking you out of your photos, documents, Apple services, Apple media you've purchased, subscriptions, software, and more. At this point you can ordinarily reset your Apple ID password [1] through a tedious series of authentication steps or with the help of a previously specified Recovery Contact [2]. However, if you have set a Recovery Key you can't use these methods. You have to know the Recovery Key. If a thief sets or changes the Apple ID Recovery Key to prevent locking of the stolen iPhone you are truly screwed. Once you set the Recovery Key yourself Apple no longer stores it [3]; they can't recover your Apple ID even if they wanted to.

Apple has to fix several things here. It's insane that a six digit iPhone passcode allows access to all of the iCloud Keychain (Apple Password Manager) and setting up a Recovery Key. The power and risk of the Recovery Key is a separate problem and creation of new Recovery Keys should be disabled until there's a better fix.

In the meantime we've taken two steps on our iPhones:

  1. Emily and I set each other up as Recovery Contacts to facilitate doing an Apple ID password reset in the absence of an Apple Device.
  2. Followed the recommendation of TidBITS to use Apple's Screen Time feature to prevent Account Changes. This requires setting a separate 4 digit ScreenTime code (PIN). When you do this Apple seems to require entry of Apple ID credentials that can be used to reset the ScreenTime PIN, but if you tap "cancel" you can continue without this step. That means an attacker can't use the Apple ID credentials they've stolen to unlock the account settings; they can't change an Apple ID password and they can't set a Recovery Key. (I think this can trigger an Apple Bug with App Updates and mixed Apple ID - see this article.)

I have not yet deleted all of my iCloud Keychain entries. I will go through mine and delete a few key ones. Apple really and truly needs to secure iCloud Keychain with an optional separate credential [4].

I do NOT recommend setting a Recovery Key.  An attacker with your iPhone passcode can change it anyway, and you won't be able to use Apple's standard Apple ID password recovery method.

- fn- 

[1] One time I tried to use login with Apple on a calendar service provider (Stanza). Apple evidently decided that was a bad idea and instantly locked my Apple ID. I had to follow the password recovery steps. If I'd set a Recovery Key and did not know the Key I'd have lost access to my Apple ID content (photos, etc) for all time.

[2] Set up a recovery contact NOW.

[3] I presume that when you do a standard password reset, or a Recovery Contact does a password reset for you, that behind the scenes Apple is using the Recovery Key they keep.

Wednesday, March 29, 2023

Apple's App Store Apple Account balance: updated due to transition to Apple Cash

Update 5/1/2023 - a few months after writing this I realized Apple is in the midst of a very poorly documented multi-year transition.

There are currently two "gift cards" - Apple Gift Card (AGC) and App Store & iTunes (ASIGC) gift card. The AGC used to be only useful for buying things at Apple Stores (or online equivalent) but sometime in the past few years it became possible to use the AGC to buy apps and media.

The ASIGC works as below. Apple's check balance advice remains incorrect; the balance displayed in the App Store UI is not updated reliably. However, I don't think the ASIGC is long for this world. Which probably explains why Apple hasn't fixed the balance display or the use of the old term "iTunes".

The AGC can be purchased through a web interface - https://www.apple.com/shop/buy-giftcard/giftcard. When I bought it for my son using his iCloud email the balance showed on his phone wallet as Apple Cash. The Apple Cash balance also shows under his Account as did the prior ASIGC balance, but in a different location inserted at the top of the screen (it doesn't show there on my iPhone!).

The Apple Cash account is also used to hold purchase rebates (1-2%) from an Apple Card. I see my Apple Card balance there. I use the payment method selection control; my first payment method is Apple Cash, the second is Apple Card. When I view my son's payment methods at appleid.apple.com I see Apple ID (that is in fact holding his Apple Cash balance) and the fallback payment is "Apple Cash", but it's MY Apple Cash not his. (In fact there's a 3rd payment method -- after these two, charges roll over to me via my Apple Card, but the current UI can only show two.)

Note the weirdness here. In the case of a non-organizer family member the Apple Cash balance shows up here labeled Apple ID rather than Apple Cash!

I have found charges do go first against this "Apple ID" (his Apple Cash) then against my Apple Cash (currently $41.71). Incidentally, note if you can connect to a non-child family member's appleid you can see their balance and they can see the family organizer's cash balance.

If my son were a minor I'd have more options to manage Apple Cash. As it is this is a big improvement on a few months ago (below). It's obvious that in the US at least the ASIGC is obsolete and Apple will transition to the AGC. They still have a ways to go; they have added a savings account feature to Apple Card; I wonder if they'll add one to Apple Cash.

--------- original post

Apple's "Apple Account" holds cash that can be used to purchase apps, media and subscriptions. Money is most often added to an Apple Account through App Store and iTunes gift cards. Users can also directly add money to their personal Apple Account from a payment method, but there are few times that makes sense. If a user is a member of a "Family" then the money comes from the Family Organizer's payment method (usually this is a bad thing). If a Family Member purchases something it will come out of their Apple Account balance first then any residual charge will come out of the Family Organizer's payment method (not the Family Member's payment method).

Apple Accounts are poorly documented, especially when they intersect with Family Sharing. Sometimes the support documents are incorrect or incomplete. For example, the check balance article for Mac tells users to look below their name in the App Store app:

That doesn't work very well though. You can see the problem in this screenshot taken from my son's account

His account shows $150 as a balance, but that's wrong. If you click on Profile and drill down to this Accounts page (requires authentication) you will see the correct amount of $135.37. Evidently the amount displayed on the App Store screen is copied there from another system and there's a time lag. In my testing I've found that the lag is at least a day and I suspect it only updates when one checks the Apple Account (requires authentication). So, in reality, the Apple Account is the only way to know this number.

Apple doesn't mention this, but you can also get to this Accounts page (which has the accurate numbers) from iTunes/Music. You can't get to it from the web however; appleid.apple.com doesn't have this data. My guess is that Apple is still using their 20yo iTunes infrastructure for the "Apple Account" (authentication doesn't support Apple Passwords OR biometrics) and that the display in the App Store is a bit of a hack. 

The Apple Account is a legacy system that is much older than Family Sharing and doesn't support it very well. I'm guessing Apple has been trying to replace the iTunes backend for years and that the version we see is in maintenance mode. Perhaps they will transition to the emerging Apple Pay infrastructure. For now we have to work around the issues.

Sunday, February 05, 2023

Family member not getting iCloud+ family subscription for 2TB storage - "Use Family Storage" in Settings (Family Sharing)

A family member was seeing only the default 5GB of storage. I prepared to try the usual fixes like restart phone, upgrade iOS, leave and restore iCloud and, finally, remove from family and add back in.

Turned out the fix was much simpler as of iOS 16.3.

Settings:Apple ID: iCloud: Manage Account Storage: Use Family Storage.

After I selected this option they got access to our 2TB and the "Use Family Storage" option went away. Instead they had "Change Storage Plan". Tapping that gave the option to leave Family Storage.

Apple's docs mention something about an iMessage going to family members to give them the option to use Family Storage. I suspect that didn't get attention.

Once I'd fixed the problem I used the new keywords to search for Apple documentation. Google found nothing (though it's really bad now) on the Apple site except a post from 2 days ago. So this might be newish.

Update 1/17/2024 

In the 2024 version of iOS and macOS (Sonoma) a friend ran into a similar issue. The family organizer had purchased the 2TB plan but my friend was only seeing the 200GB he paid $1 a month for. This time we found an Apple support document on the problem. If someone is paying for anything beyond the default free storage they have to manually switch into the family plan and end their subscription. This is now found on an iPhone in the newish Settings:Family:Subscriptions.

  1. Go to Settings > Family.
  2. Tap Subscriptions.
  3. Tap iCloud+.
  4. Tap Use Family Storage.

Also, when updating this, I discovered a 2017 post I'd done where I ran into a similar problem. That might be worth a look too.

Wednesday, December 15, 2021

Family sharing screen time bug: a fix for ghost apps

I'm happy to say I actually fixed a bug in the buggiest Apple product ever - family sharing screen time.

The "always allowed" app list showed "ghost apps" -- left over apps from old versions of iOS like Find Friend. They appeared with a generic icon.

Removing my son from the family then adding him back in removed the ghost apps.

One bug down, dozens remain.

Update: Nope, the fix was transitory. Ghost apps back again. Screen Time is such a cluster.

Update: Ok, this might be the real fix. His Apple ID had 3 associated devices -- an iPad, an iPhone and a macOS user account on an old machine running maybe Sierra. I removed the obsolete macOS relationship from his Apple ID on the web site, but it had to be removed again on his iPad.

Sunday, February 02, 2020

My advice for managing online credentials

I wrote this up for a book project on special needs iPhone users (Explorers), but it's also my recommendation for non-geek iPhone users. Credential management is definitely an unsolved problem ...


Every Explorer online identity involves, at the least, a “username” for the Explorer, a password and either an iOS app name or a web address (URL). Most online identities also require an email address for communication, password resets and (alas) marketing. They may now require a mobile number and the answers to “secret questions”. All of this information makes up an online “credential”; but we often use the word “password” as a shorthand for the whole bundle.

It’s hard to manage online credentials. I’m pretty technical, but I still find it a tough problem. Lots of people get locked out of their online services and need to do password resets or even start over with a new account. One day I think Apple will provide a full solution[1], but to date they’ve been reluctant to take this on. 

The good news is that most Explorers can get by with maybe 10-30 credentials and they don’t need to know most of them (more on this below). The key is to use as few online services as possible. Remember, every online service is another credential to manage!

I’m going to suggest three-and-a-half ways a Guide can manage an Explorer’s credentials. Each has advantages and disadvantages. For all of them I have two strongly held recommendations about passwords:

  1. Don’t reuse passwords for these important sites. If a password is captured (happens!) it becomes part of hacker libraries and will be applied to other Explorer accounts.
  2. Don’t follow the usual advice to create long random passwords. You’ll go insane trying to tap them out on an iPhone when you can’t see the password characters. Instead combine random pronounceable words, letters and symbols that you can tap. The password should be at least 14 characters. Flip through a dictionary to pick words randomly. This is good enough. You aren’t protecting nuclear launch codes.
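
The recipe in item 2, as an added example that is not part of the original post: it builds a passphrase from random words, a symbol and a letter, enforces the 14 character minimum, and estimates how many bits of entropy the scheme has against someone who knows the recipe. The word list, the symbol set and the exact layout (words joined by one symbol, one capital letter at the end) are assumptions made for illustration.

```python
"""Tappable passphrase generator following the advice above (constructed example)."""
import math
import secrets

# Constructed sample list for illustration only; a real list should hold
# thousands of words (the post suggests flipping through a dictionary).
WORDS = [
    "amber", "badger", "candle", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quiver", "ribbon", "saddle", "timber", "umber",
    "velvet", "walnut", "yonder", "zephyr", "anchor", "bramble", "copper",
    "dagger", "fennel", "gravel", "hollow",
]
LETTERS = "abcdefghijklmnopqrstuvwxyz"
SYMBOLS = "-.!?&"   # assumption: a few symbols the user finds easy to tap
MIN_LENGTH = 14     # minimum length recommended in the post


def make_passphrase(n_words=3, words=WORDS):
    """Return n_words random words joined by one random symbol, plus a capital letter."""
    longest = max(len(w) for w in words)
    # Longest possible result: the words, one symbol after each, one letter.
    if n_words * longest + n_words + 1 < MIN_LENGTH:
        raise ValueError("too few words to ever reach the minimum length")
    while True:
        # secrets, not random: the choices must be unpredictable.
        chosen = [secrets.choice(words) for _ in range(n_words)]
        sep = secrets.choice(SYMBOLS)
        letter = secrets.choice(LETTERS).upper()
        candidate = sep.join(chosen) + sep + letter
        if len(candidate) >= MIN_LENGTH:
            return candidate


def entropy_bits(n_words, wordlist_size):
    """Upper bound on entropy when the attacker knows the recipe and the list.

    Each word contributes log2(wordlist_size) bits; the single symbol and the
    single letter contribute log2 of their alphabet sizes. Rejecting short
    candidates in make_passphrase() can only lower the real figure.
    """
    return (n_words * math.log2(wordlist_size)
            + math.log2(len(SYMBOLS))
            + math.log2(len(LETTERS)))


if __name__ == "__main__":
    print("sample passphrase:", make_passphrase())
    for size in (len(WORDS), 2048, 7776):
        print(f"3 words from a {size}-word list: {entropy_bits(3, size):.1f} bits")
```

The length rule says nothing about strength on its own: the same three-word layout is worth roughly twice as many bits when the words come from a list of several thousand rather than a few dozen.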

Option One: Pencil and Paper

You may remember being told not to write down credentials on paper. That’s like the old advice to treat back pain with bed rest. We were wrong when we said that. Writing credentials on paper and saving them with your home paperwork is super secure. That’s what hard core security geeks do.

This does require good handwriting, but it works for a small number of credentials assuming you follow my password advice. If you need the credentials when you travel you can take a photo and keep it with your personal iPhone photos (be careful not to share it though!).

You do need a backup! You could copy by hand and mail the copy to a trusted friend. In theory public photocopiers are not secure, so I’d say just take a photo and keep it in your iCloud photos (not shared).

Option Two: Use an iCloud Secure Note on a Guide’s iPhone

I recommend this for the passwords my Explorers manage for themselves. An iCloud Secure Note  is protected by both your iPhone’s unlock passcode and by a special Secure Note password. The iOS User Guide explains how to create a Secure Note.

An iCloud Secure Note is automatically backed up and you can review old versions of the note. It can also be shared with an Explorer who is able to manage their own credentials.

This method is less secure than paper and pencil but is also less work — and you can copy/paste passwords from the Note rather than type them on iPhone, Mac, or a web browser[2].

The main risk of this method is accidentally deleting your credentials! Be sure to print out the Note periodically and store the paper copy at home. You can also restore a prior version but this is less reliable. Just print.

Option Three: Use 1Password or another reputable password manager

This is what most computer experts recommend, but true security experts are more cautious. When you use a password manager you are placing a great amount of trust in the vendor. There are so many ways a password manager vendor could steal credentials. Even if a vendor is honest and technically skilled, their products can be acquired by someone less scrupulous.

Of all password managers 1Password is most often recommended for the iPhone. It’s what I use, though I don’t use their Cloud service[3]. The Cloud service is obligatory for most people though, and it costs about $40 a year.

If you’re just managing a few Explorer credentials Paper and Pencil is simpler than a password manager and definitely more secure. If you use a password manager for your own credentials then it may be a good place to store an Explorer’s credentials.

Option Three and a half: Use Apple’s semi-secret password manager

Apple would take over credential management for their customers. It hasn’t happened yet, but they have partial solutions. You can use part of Apple’s solution if you have enabled Keychain in Settings:Apple ID:iCloud and you’ve accepted Safari’s offer to save web site passwords. Just say “Hey, Siri, show me my passwords”. You can also go to Settings:Passwords & Accounts: and tap on “Website & App Passwords”.

Another part of Apple’s solution is “Sign in with Apple”. Apple wants iOS apps to support this and there’s a way for web sites to use it as well. This method never shows a password, it works with Face ID or Touch ID[4].

Both of these solutions are a work in progress. We will know Apple is serious if they create a separate App for managing credentials instead of hiding things away in Settings. Not all iOS apps store credentials in the keychain and “Sign in with Apple” is just beginning.

They are convenient for web sites and apps that aren’t important enough to be properly tracked. Just let the iPhone suggest a password and then forget about it. The iPhone will manage the password and if something goes wrong nothing much is lost.

These three-and-a-half options cover Guide management of Explorer credentials. In my next section I’ll go over which credentials an Explorer will need to manage themselves and how to transition from Guide management to independent management.


[1] Apple has a partial solution for web sites but nothing for passwords entered in apps and elsewhere. Their longterm solution is called “Sign In with Apple” but it’s unclear if it will succeed or how serious Apple is about this.

[2] Browsers are not very secure though, so viewing readable passwords in a web browser is not ideal.

[3] 1Password still supports an old local storage method. It requires a very technical user to setup, it’s not well supported any more, and it’s not super reliable.

[4] Since Apple doesn’t support a guest/parent/Guide Face ID this could block Guide support for an app or site. More on this in the final chapter on political action!

Saturday, January 04, 2020

Apple's Family: The many surprises of creating an Apple ID with age 13 or under

(You can skip the rant to get to the tech details)

<rant>I frequently berate Apple for the radioactive-feces-infested-dumpster-fire that they’ve built out of Family Sharing and Parental Controls / Screen Time / Restrictions [1] … but my latest experience has added a note of sympathy for the engineers who offend Tim Cook and are HR assigned to work on this prior to leaving Apple.

Apple has built something insanely complicated. The intersection of user interfaces, regional rules and restrictions, content licensing, DRM, functional requirements, iOS, macOS, iCloud, sync, multiple OS versions … heck, there are probably time zones in there too. At this point they might as well give up and throw a neural network at it.

Whatever your day job, be grateful this isn’t what you work on.

Things are almost as bad on the consumer side. There’s a reason I seem to be the only person alive trying to make remote Screen Time work. (It’s a book project, I don’t have a choice.) With some effort I’ve come up with practical recommendations for caregivers (example) — but they assume the software actually functions. In practice I have run into a wide range of bugs and weirdness, particularly since iOS 13 was released.</rant>

Among the many complications Apple contends with are rules about how many devices and how many users can be a part of a Family for the purposes of both DRM management and remote Screen Time. These are poorly documented, but as best I can tell the limit is 5 family members and somewhere around 10 devices (it’s not clear how multi-user accounts on macOS are treated or Apple TV). Our family has five members so we’re pretty much at the limit and I think we’re at the absolute device limit as well.

I say “think” because it’s not clear that there are error messages; I think things simply break.

So the baseline situation is pretty bad, even before one runs into bugs with handing down devices between family members.

I made things worse though. For a book project I added a test account — sphone4all@icloud.com. That pushed us up to six family members and probably hit or exceeded our device limit. Since my test phone is an iPhone 6 [2] it can’t upgrade to iOS 13 and is no longer useful for the book project. So I decided to try to remove it.

That’s where my next set of problems began. I’d made the mistake of creating the book account with an “age” less than 13. Ages are important in Apple’s Screen Time world. Basically:

Age 18 or more: independence, controls stop working, can purchase ad lib, can be Organizer. (Basically at age 18 you need to remove children from Family.)

Age 13: non-vulnerable status but subject to controls, cannot be Organizer. Age 13-18 is the range for Screen Time and content sharing. If you are the caregiver for a vulnerable adult (ex: cognitive disability) and need Screen Time support you need to periodically adjust their birthdate so they are over 13 and under 18. (We need legislation so Apple supports cognitive disabilities the way they support visual disabilities.)

Age 12 or less: vulnerable status. See below for the special rules.

I’d blundered by creating an iCloud ID for a “child” account with a current age of < 13. These vulnerable user accounts are special:

  • They cannot be deleted by users. Only Apple can remove them. They can only be shifted between Family Organizers (supports divorce, parental death, remarriage, etc). If a child should die, the grieving parents will need to work with Apple support.
  • The birthdates cannot be changed. (Of course.)
  • Since they cannot be deleted the Organizer iCloud ID they are associated with cannot become a non-Family ID.
  • Since the Organizer ID must stay a Family ID the payment method cannot be removed from it.

That last bullet point is important. It’s a bit weird, but Apple documents how to create an Apple ID that doesn’t have a payment method. You can use it to buy free apps and tunes.

You can’t, however, turn that Apple ID into a family organizer:

If you're the family organizer for a Family Sharing group and want to share purchases with your family, you're required to have at least one payment method on file. A payment method is also required to set up accounts for children.

If you have an Apple ID like that, and you try to make it a Family Organizer in macOS Mojave iCloud despite the warning, you’ll get this helpful error message:


“There was an unexpected error”. Yeah, Apple was serious about that “requires a credit card” warning, they just didn’t code the error handler response for those who ignored it. I figured given the kludgy workaround Apple documented that the warning was obsolete. Wrong.

Why does Family Sharing require a payment method? I suspect Apple’s hacked together back ends can’t prevent some purchases even when there’s no payment method — and Apple doesn't want to get stuck with the tab. Another possibility is that it’s needed as part of Organizer identity tracing in case a vulnerable child family member is at risk.

So, what do you do when you have too many kids and you need to dump one that’s under 13?

The only recourse, short of phoning Apple support, is create another full Apple ID (age over 18), make it a Family Organizer, and transfer the sub-13 to that “Organizer”. You need hardware to create a full Apple ID, but if you have a Mac you can do it just by adding a system user. I did that to upgrade a limited Apple ID I’d created long ago to a full Apple ID. I then tried to use this fake parent/Organizer without a payment method, which is how I got the “unexpected error”.

After I added a real payment method and confirmed iTunes could see the account change I tried to again make that Apple ID the Organizer for a new family. This took a while. At first the macOS Mojave iCloud Preference Pane would simply display a blank window. After about five minutes it worked. I presume a back end system got updated.

From there I hopped through the transfer process between the macOS account for my new Organizer Apple ID and my iPhone that currently managed my faux 11yo. Some of the screens I saw are illustrative:

I got an error message during the process saying the request had expired, but it went through anyway. I think I got that errant error message because I backed up a screen to do a screenshot. Yeah, this stuff is fragile.

So it appears for now that I’ve moved my fake 11yo from my true Family to a new fake Family where it will sit for another 2 years. Then it will turn 13 and I can vaporize it (I’ve created a future task :-) and then I can remove the payment method for the fake Organizer.

Once I get my strength up I may try to contact Support about some of the other problems with our Family Screen Time, like that handed down device still stuck to my daughter’s account (or I can just wait until she’s 18 and exits).

Now I need some Scotch, but it’s still a bit early here ...

- fn-

[1] Extending the existing Family Sharing to enable remote Screen Time management was a fatal error.

[2] The iPhone 6 can’t move beyond iOS 12, but Apple is still supporting iOS 12 on it, and since iOS 12 is superior to 13 in several ways the 6 is arguably now a better phone than the 6s.


Saturday, May 11, 2019

Screen Time old device bug: Dev used device ID as key, forgot Apple ID

There’s a well known old-device bug with Screen Time. Once you’ve set up Screen Time for a child’s device it will always show up under their Apple ID — even after you wipe the device.

So my daughter’s old iPhone 6 showed up under her Screen Time Apple ID — even after it had been wiped.

Today I changed the Apple ID for that device and enrolled it in Screen Time under a new Apple ID. Then I went to look at her Screen Time device list. Lo and behold — the old device was still there, but now its device name changed to match the device name it had when I reenrolled it with the new Apple ID.

So now one device shows twice in my remote Family Screen Time, once under my daughter’s device list, once under the new Apple ID.

I’ve read that Apple’s Screen Time was a “rush job”. Looks like the dev is doing Screen Time by storing a device identifier — maybe a Serial Number and the device name used at enrollment time. They should have used a combination of Apple ID and device identifier but they used device identifier alone.
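
A small model of the keying mistake hypothesised above, as an added example; it is not Apple's code and not part of the original post. The class names, the serial and the Apple IDs are constructed, and the rule that a device is enrolled under one Apple ID at a time is an assumption of the model. It replays the hand-down sequence against a registry keyed by device identifier alone and against one keyed by Apple ID plus device identifier.

```python
"""Model of the hypothesised Screen Time enrollment bug (constructed example)."""


class DeviceKeyedRegistry:
    """Hypothesised design: device records keyed by device identifier only."""

    def __init__(self):
        self.devices = {}   # device_id -> device name at last enrollment
        self.family = {}    # apple_id -> set of device_ids ever enrolled

    def enroll(self, apple_id, device_id, name):
        # Re-enrollment overwrites the single shared record for this device,
        self.devices[device_id] = name
        # but nothing makes the previous Apple ID let go of the device_id.
        self.family.setdefault(apple_id, set()).add(device_id)

    def devices_for(self, apple_id):
        return sorted(self.devices[d] for d in self.family.get(apple_id, ()))


class CompositeKeyedRegistry:
    """Suggested design: enrollments keyed by (Apple ID, device identifier)."""

    def __init__(self):
        self.enrollments = {}   # (apple_id, device_id) -> device name
        self.owner = {}         # device_id -> apple_id currently enrolled

    def enroll(self, apple_id, device_id, name):
        previous = self.owner.get(device_id)
        if previous is not None and previous != apple_id:
            # Model assumption: a device is enrolled under one Apple ID at a
            # time, so a new enrollment retires the old composite record.
            del self.enrollments[(previous, device_id)]
        self.enrollments[(apple_id, device_id)] = name
        self.owner[device_id] = apple_id

    def devices_for(self, apple_id):
        return sorted(
            name for (owner, _), name in self.enrollments.items()
            if owner == apple_id
        )


def hand_down(registry):
    """Replay the sequence from the post: enroll, wipe, re-enroll elsewhere."""
    serial = "SERIAL-0001"  # constructed placeholder, not a real serial
    registry.enroll("daughter@example.com", serial, "Daughter's iPhone 6")
    # Wiping the handset never reaches the server-side registry, so there is
    # no step here; the next thing the registry sees is the new enrollment.
    registry.enroll("test@example.com", serial, "Test iPhone")
    return {
        "daughter": registry.devices_for("daughter@example.com"),
        "test": registry.devices_for("test@example.com"),
    }


if __name__ == "__main__":
    print("device-keyed   :", hand_down(DeviceKeyedRegistry()))
    print("composite-keyed:", hand_down(CompositeKeyedRegistry()))
```

The device-keyed registry reproduces the symptom: the handset is listed under both Apple IDs, and the stale entry carries the new device name.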

Two new discoveries in iOS Screen Time (parental controls): Age 13 and Apple ID incompatible with Screen Time

A reputable Twitter source recently wrote that “Screen Time” was "a rush job".

It feels that way. As part of a book project I’ve spent way too much time experimenting with Screen Time. It needs a top to bottom rewrite. Also needs an API so other vendors can extend what Apple offers. 

Anyway, I’ve learned two new things about Screen Time — two special ages and a hint about why one iPhone could not be enrolled in remote Screen Time.

First the ages. US Screen Time has two special ages: 13 and 18. We know about 18, but the 13 is new to me. 

If a Family Member's Apple ID birthdate means their current age is over 18 then remote screen time blocks are turned off. It’s an 18th birthday gift from Apple! This is a problem for special needs adults — chronologically 18 but very vulnerable. The workaround for a special needs adult is to set their AppleID birthdate so they are 14 (write down the birthdate you used, you may need it).

Note I wrote 14, not, say, 10. That’s because 13 is another special age. If a Family Organizer creates an Apple ID birthdate such that a family member’s age is under 13 they will see, after it’s been created, the message “Children under 13 cannot be removed from Family Sharing.” Not only can they not be removed, their birthdate cannot be changed either. You will need to call Apple Support to have changes made, and you may need to work with a supervisor. Meanwhile any devices with that Apple ID will count against your sharing cap.

What else did I learn?

I learned that some Apple IDs won’t work with Screen Time. It’s not clear why; I assume it’s an obscure bug somewhere in Apple’s creaky identity management infrastructure. When I set up a test phone for my book project I used an old Apple ID of mine. Without going into the convoluted history, that Apple ID is descended from an old mac.com/MobileMe email account and it’s all way too complex to describe. In any case, even though I'd changed the birthdate so age was 14, remote Screen Time settings didn’t “stick”. I’d enable them, they’d flip back to off. I changed the device Apple ID to a fresh one created from my Family Organizer account (which is how I discovered the 13 yo bit) and now it works.

Since my test iPhone doesn’t have a SIM card I wondered if that was part of my remote Screen Time problem. It wasn’t — my setup worked fine. Interestingly when I set the Apple ID this way both FaceTime and iMessage also worked without a SIM card — no ‘waiting for activation’ issues.

Saturday, October 06, 2018

Only Apple can provide family mobile device management for iOS

Update 10/24/2018: After writing this, and only by experimentation, I’ve discovered that Apple actually provides extensive remote control options for family members with an “Apple age” under 18. It’s imperfect and there’s no browser interface, but it is comparable to Google's Family Link.

Over on my book project blog I recently reviewed Google’s Family Link solution for mobile device management of children and dependent devices (“parental controls”). I reflected on my experience with third party solutions for iOS devices:

… I’ve found problems with all of the solutions I’ve tested. Qustodio’s VPN can’t handle encrypted connections, MMGuardian has several killer flaws, and their competition didn’t even meet my minimal test standards …

I think there are four interlocking reasons that make this a “mission impossible” for anyone but Apple:

  1. Apple’s mobile device management model is very difficult to implement — even for leading corporate partners [1].
  2. It’s non-trivial development to build something like scheduled app access control on top of Apple’s suite of iOS restrictions. This isn’t something schools and businesses need, so it has to be supported by the family market.
  3. Very few people will pay for this service. It’s a lot of work for a niche market.
  4. Any vendor looking at the home market knows that Apple could eliminate their business at any time with no warning. That’s what Google did with Family Link.

Only Apple can do the equivalent of Google’s Family Link [2]. That may require governmental pressure. Until Apple does it parents of children and guardians of special needs adults will need physical access to iPhones to implement restrictions.

- fn -

[1] JAMF is the dominant vendor in the corporate and educational iOS MDM market. I recently took advantage of a “Daring Fireball reader” special offer for a free 3 device JAMF account. When I enrolled a test device I discovered that annual certificate renewal disconnects enrolled devices (unless you have a dedicated corporate Apple ID) and I learned that full access to Apple’s suite of iOS restrictions requires either Apple’s “PreStage purchase program” or use of Apple Configurator (I think this is in flux with iOS 11 and 12).
[2] If Apple does add MDM to iCloud, I hope they think about vulnerable adults. Google’s “age of consent” (13yo in US) opt-out and notification approach is a workable alternative to disabling use of Family MDM for adults.

Wednesday, September 19, 2018

iOS 12 Family Sharing: Purchase Sharing supports changing Apple ID and UI could support future multiple Apple IDs.

One of Apple’s “original sins” is the proliferation of Apple IDs and the inability to merge or manage them. I have four that I know of with cryptic and fungible relationships between Apple ID and product ownership. (The worst bugs in the software world are data model bugs.)

In iOS 12 Family Sharing there’s now a setting for Purchase Sharing with an associated Apple ID. Mine is set to my Apple Store ID which is historically distinct from my iCloud ID (many old timers have this unfixable issue). If you tap on this Apple ID it brings up a dialog that allows this to be changed (there’s a bug here — tapping on it doesn’t always work. I had to leave the screen and return to it to enable tap). When I tapped it switched the default to my iCloud Apple ID.

I believe this is a new control. It will be interesting to see what happens when I migrate other family devices that use this iTunes Store ID for purchasing.

At the moment only one Apple ID can be used, but this UI could support multiple Apple IDs. The screen also displays a payment method that cannot be changed; it’s presumably defined by the Apple ID.

This is something to watch.

PS. The ten year history of this mess is one reason I recommend Spotify over Apple Music for families.

iOS 12 Parental Controls / Restrictions / Screen Time: Parental Controls (Passcode restricted) is not always compatible with "Share Across Devices"

Experimenting with Screen Time I enabled a passcode on my personal iPad after I’d enabled “Share Across Devices” [1]. I then found I could disable it without reentering the passcode. Which kind of defeats the purpose of a parental control passcode.

Then I turned it on again, and this time I was asked something like: “Is this iPad for you or your child?” [2]. Once I chose child I could no longer remove the passcode without entering it.

“Share Across Devices” then turned itself off.

When I turned “Share Across Devices” back on I had to reenter my Screen Time Passcode. After that the Screen Time Passcode was disabled.

Maybe this isn’t exactly a bug, but it certainly is awkward. I wonder if “Share Across Devices” uses iCloud ID or iTunes/Store ID.

Screen Time for family is enabled through the “Family Sharing” screen.

- fn -

[1] I think Share Across Devices requires Apple’s two-factor authentication, which seems to rely on SIM-hack-friendly, justly scorned phone number authentication. Yay Apple.

[2] Remember when iOS was going to allow multiple accounts on a single iPad? Android did that for their now defunct tablets.

iOS 12: It's now possible to remove/change Restriction / Screen Time passcode without removing restrictions

Prior to iOS 12 if you’d set a restriction passcode the only way to change it was to remove restrictions — which deleted things like blacklists and whitelists. With iOS 12 there’s a dialog for changing or removing the passcode. My favorite iOS 12 feature so far.

Tuesday, September 18, 2018

iOS 12: "family sharing" is still for children only -- ask to buy disabled at age 18 in US

The “Share purchases on iPad with family members” chapter of my iOS 12 iPad user guide tells me Family Sharing is still limited to children, and still not suited for use with special needs adults.

The problem is that “Ask to Buy” is available only for 18 and under. Since all purchases go to the “Family Organizer” Ask to Buy is the only way for the Organizer to control what family members purchase intentionally or accidentally. Since it’s turned off at age 18 “Family Sharing” is effectively for parents (who presumably share expenses) and children (who can have Ask to Buy).

This means that Family Sharing is not helpful for special needs dependents (guardianship status).

This is unchanged from iOS 11. I’m not surprised; Apple doesn’t want Family Sharing to be widely adopted beyond the target group.

Wednesday, April 18, 2018

Converting from shared store ID to Family Sharing - and what didn't work

Maybe this worked. Or not. See update.

Our five family members have long shared one store Apple ID. We’ve done this since before there was Family Sharing. I put off switching to Family Sharing as I figured it would take Apple 3-4 years to get it working.

With iOS 11.3 Apple broke a longstanding purchase behavior. My son’s iPhone no longer required a password for purchases, only his fingerprint. There might be a fix, but I decided instead to move him to Family Sharing. (There is a fix, see below.)

The story went something like this [1]:

  • I have an iCloud Apple ID (john.___@icloud.com) and a different Store Apple ID (j____@mac.com) — because I’m old. He has an iCloud Apple ID (sam.___@icloud.com) and my store Apple ID.
  • In my iCloud Apple ID he is a family member. 
  • I removed my Store Apple ID from his phone and added his iCloud Apple ID.
  • I sent $15 to his iCloud Apple ID from my App Store account.

So far he still can access our movies and apps. Now he will make his own purchases that will be associated with his Apple ID. When he runs through his $15 he’ll give me cash and I’ll send more money. Eventually I do need to get a debit or managed credit card on his phone but we’ll start with cash. Alas, it doesn’t work that way. See update.

After the change I checked the two places (this is broken) where Apple currently tracks devices associated with an Apple ID:

  • appleid.apple.com/account/manage: showed 7 devices including an old iPhone my son used to have that I’d previously removed. This also showed on his iPhone Apple ID view. I removed it from both places and it has not returned.
  • iTunes Manage Devices showed 8 devices, but not my son’s current iPhone. This, in contrast to past testing, is correct while the appleid.apple.com list is incomplete. It’s interesting that moving my son’s phone to Family Sharing means I’m no longer at my 10 item device limit (if that rule still applies!)

- fn -

[1] He is, incidentally, a special needs adult. I’d have liked to be able to use Apple Ask to Buy for him but that’s not available for an adult. (I wish Apple considered special needs as a disability — they have great support for visual and auditory needs, but not for cognitive.)

Update 4/19/2018

  • Seeing purchase histories is really clunky. You can see what apps a family member has purchased by launching App Store.app, logging out and then logging in as the family member. To see both tunes and apps you go to Apps & iTunes in Settings (yeah, this is crazy). You have to log in as the family member — I got the ancient iOS 1.0 un/pw dialog that shows up when you get to a part of iOS that desperately needs a replacement. It did work, but seriously ugly.

Update 4/20/2018

  • Subscriptions aren’t Family shareable. So that’s a significant bummer; several of his apps are subscription based. All is not lost though, At Bat.app presented my Store Apple ID username and accepted the password. In-App purchases aren’t Family shareable either — which is bad news for Omni Group. Apple has a list of what’s not shared.

Update 4/28/2018 - what I wish I’d known

My son ran up a $70 bill on a $15 credit — all on my account — because “Any time a family member makes a new purchase, it’s billed directly to the family organizer’s account”. It doesn’t work the way I thought it did. If a family member is under 18 you can activate Ask to Buy, but not for someone over 18.

Family sharing is clearly designed to only work for children. It’s a poor match for a couple that wants to keep separate finances and it’s unsuited to adult children.

I found that the 11.3 update bug didn’t truly break the ability to require an iCloud password for purchases. It only bypassed the requirement to enter the iCloud password to enable Touch ID. I went into Touch ID & Passcode and turned off “USE TOUCH ID FOR … iTunes & App Store”. 

He doesn’t know his iCloud password (so he can’t lose it in a phishing attack!), so this meant he again needed us to enter a password into his iPhone to make purchases. Obviously, Ask to Buy would be far better. If Apple wanted to support users with cognitive disabilities …well, this blog accepts comments. I’d be glad to advise.

We didn’t want to have to memorize another password, so I changed his iCloud password to match my App Store & iTunes password.

Wednesday, February 14, 2018

The state of iOS parental mobile device management is bad

I recently reviewed Qustodio and found it unusable because the mandatory VPN is not compatible with modern encrypted connections (https).

After that I revisited MMGuardian. Things there are almost as bad. They haven’t implemented password security on their MDM profile; the vendor claims Apple doesn’t support the functions they rely on with a locked profile.

I also learned that MMGuardian’s primary app control, which is to hide all non-default apps, also deletes their folder and icon arrangements. So when they are restored they are no longer in their original locations.

MMGuardian can’t report on device usage, probably because it doesn’t have a VPN option.

Lastly, while MMGuardian can hide Safari, that’s a binary setting. It can’t schedule Safari to be active or disabled the way it can schedule other apps. 

In my 2016 review Qustodio and MMGuardian were the only candidates to meet basic requirements. As of 2018 there are no longer any useable iOS parental control applications.

So now we wait to see if Jana Partners and the California State Teachers Retirement System can push Tim Cook to add remote MDM to iCloud. I doubt they’ll succeed. Next it’s up to the EU.

Update: Apple introduced a Family page and branded it as doing something in the general direction of supporting vulnerable users. That’s not a positive sign.

Sunday, February 11, 2018

Qustodio parental control software for iOS is obsolete.

I did a review of Qustodio’s parental control product for iOS on my special needs blog. It wasn’t a positive review. The product routes all traffic through their VPN — and the VPN can’t handle SSL traffic. That might have been acceptable in 2010, but it won’t work today.

I’m feeling grumpy about the time I spent finding this out — not to mention the $10/month subscription I paid for. The lost time was the bigger deal though. The reviews I’d read led me to think the base product worked, so I spent time checking out other features.

Qustodio must know about the SSL issues, but they’re continuing to sell the service. That’s not nice.

Saturday, October 14, 2017

Mobile device management and Apple Classroom for home

Contrary to Ziff-Davis (ok, it was 2013) there are several vendors who provide MDM solutions for home use. MMGuardian and Qustodio are two of them.

I wonder though if it’s possible to cobble something together at home that would work with Apple Classroom. OS X Server ($20) includes Profile Manager, Apple’s MDM manager (support). Joshua Jung has written a nice tutorial on getting Profile Manager working. In theory Apple Classroom should be able to work with this …

Anyone try it?

Monday, May 16, 2016

Android restriction (parental control) solutions: Screen Time and MMGuardian advance to next step

For my book project I searched my moto E test phone (Android 5.1) user guide for “child” and “restriction” and “parental”. I found “products are not toys and may be hazardous to small children”.

Ooookaaay. That’s not too encouraging. My iPhone User Guide has an extensive discussion of restriction options.

Next I tried “restricted profiles” (Android 4.3 and later). Oops. They’re only for tablets, not phones. So it was time to look for 3rd party options [1].

Google found me some lousy references and two useful ones: Five parental control apps for Android devices - Pocket-lint and 10 Android Parental Control Apps - Yoursphere for Parents [2].

From these I picked up MMGuardian, Funamo, AppLock, Kids Place, Screen Time, Net Nanny, Norton Family and a few others. With this set of apps Android, for a technically sophisticated user, can have advantages over built-in iOS restrictions (iOS security models limit the value vendors can add).

I’m most interested in products that work for teens and/or adults with atypical minds, so that eliminated a few options. Next I looked for good quality companion web sites with clear pricing — that criterion took out both Norton Family and the (not-really-free) AppLock.

I ended up with four options:

  • MMGuardian: app usage, time use, texts including driving. $35/year. iOS solution from same vendor.
  • Screen Time: $48/year
  • Net Nanny: browser restrictions, remote access. $60/year - primary focus on browser control.
  • Funamo: $20 one time purchase.

Funamo is the value option, with a more limited and geekier web site than the competition. For my target users I think more support is needed. Net Nanny has the highest pricing, which may reflect longer tenure. MMGuardian and ScreenTime seem (hey, information is limited!) to have a good balance of price and value.

ScreenTime and MMGuardian both have well done blogs with working RSS feeds. ScreenTime is Android only, MMGuardian has an iOS product too. Both have a 14 day free trial. ScreenTime has 7,600 Play Store reviews, MMGuardian has 1,200. Both have well documented uninstall procedures[3]. They are well balanced competitors.

I’m going to have to test both of them — since MMGuardian also has an iOS product I’ll start there.

- fn -

[1] Android reminds me so much of Windows; only geeks can truly use it. Why hasn’t Google bundled even minimal functionality into their OS? The sort-of-free AppLock has 3.3 million reviews. There is a need.

[2] There’s something broken in the info-sphere. Exactly two useful reviews?!

Monday, April 13, 2015

iOS 8.3 took away one of my favorite parental controls

With iOS 8.3 Apple made an undocumented change that will make a few kids happy.

No, not the post-update dialog that will lead many parents to unwittingly enable 15 minute authentication lifespans for purchases. Apple documented that feature. Here’s where you undo any mistakes by the way:

Image1

The real change is that users no longer need to enter the App Store account password to reinstall any app that’s been previously purchased with that account on any device. There’s no setting to revert back to the old behavior of managing a reinstall very much like an initial installation (respect password settings as above).

Why does this matter?

Well, let’s assume you install YouTube on the KidPhone and later find some highly educational porn. In the old days you could just delete YouTube and be done — assuming your user doesn’t know the App Store account password. Now users can simply download it again.

Now imagine the problem if you do old school App Store/iTunes credential sharing like we do — we each have our own iCloud accounts, but our FairPlay DRMd material is all associated with my App Store credentials. Yeah, everything can be installed. It’s a good thing I’m not into S&M apps.

I don’t know how this works with Family Sharing, the change is too new to see much commentary. For old-school families like ours there are 4 options based on this screen …

Image2

Your options are:

| Install Apps | Deleting Apps | Result |
| --- | --- | --- |
| Off | On | App Store disappears so can’t install or update. You can’t update from iTunes either, so this setting is a pain in the butt. You need to go through the restrictions dialog to do app updates. User can delete apps which is convenient. |
| On | Off | App.net @ronnie suggested this one. User can download anything, but they can’t hide contraband. So if they install forbidden apps they get banished to “Install Apps Off” which is painful for everyone. |
| Off | Off | As option 1, but can’t remove apps. I can imagine limited use cases. |
| On | On | The default. |

For now I’m going with Install On and Delete Off, with the warning that forbidden fruit will lead to App Store removal.

I’d love to see a fix from Apple but it’s going to take a lot of complaining. I’m not holding my breath.