Showing posts with label sphone4all. Show all posts

Saturday, January 04, 2020

Apple's Family: The many surprises of creating an Apple ID with age 13 or under

(You can skip the rant to get to the tech details)

<rant>I frequently berate Apple for the radioactive-feces-infested-dumpster-fire that they’ve built out of Family Sharing and Parental Controls / Screen Time / Restrictions [1] … but my latest experience has added a note of sympathy for the engineers who offend Tim Cook and are HR assigned to work on this prior to leaving Apple.

Apple has built something insanely complicated. The intersection of user interfaces, regional rules and restrictions, content licensing, DRM, functional requirements, iOS, macOS, iCloud, sync, multiple OS versions … heck, there are probably time zones in there too. At this point they might as well give up and throw a neural network at it.

Whatever your day job, be grateful this isn’t what you work on.

Things are almost as bad on the consumer side. There’s a reason I seem to be the only person alive trying to make remote Screen Time work. (It’s a book project, I don’t have a choice.) With some effort I’ve come up with practical recommendations for caregivers (example) — but they assume the software actually functions. In practice I have run into a wide range of bugs and weirdness, particularly since iOS 13 was released.</rant>

Among the many complications Apple contends with are rules about how many devices and how many users can be a part of a Family for the purposes of both DRM management and remote Screen Time. These are poorly documented, but as best I can tell the limit is 5 family members and somewhere around 10 devices (it’s not clear how multi-user accounts on macOS are treated or Apple TV). Our family has five members so we’re pretty much at the limit and I think we’re at the absolute device limit as well.

I say “think” because it’s not clear that there are error messages, I think things simply break.

So the baseline situation is pretty bad, even before one runs into bugs with handing down devices between family members.

I made things worse though. For a book project I added a test account — sphone4all@icloud.com. That pushed us up to six family members and probably hit or exceeded our device limit. Since my test phone is an iPhone 6 [2] it can’t upgrade to iOS 13 and is no longer useful for the book project. So I decided to try to remove it.

That’s where my next set of problems began. I’d made the mistake of creating the book account with an “age” less than 13. Ages are important in Apple’s Screen Time world. Basically:

Age 18 or more: independence, controls stop working, can purchase ad lib, can be Organizer. (Basically at age 18 you need to remove children from Family.)

Age 13: non-vulnerable status but subject to controls, cannot be Organizer. Age 13-18 is the range for Screen Time and content sharing. If you are the caregiver for a vulnerable adult (ex: cognitive disability) and need Screen Time support you need to periodically adjust their birthdate so they are over 13 and under 18. (We need legislation so Apple supports cognitive disabilities the way they support visual disabilities.)

Age 12 or less: vulnerable status. See below for the special rules.

I’d blundered by creating an iCloud ID for a “child” account with a current age of < 13. These vulnerable user accounts are special:

  • They cannot be deleted by users. Only Apple can remove them. They can only be shifted between Family Organizers (supports divorce, parental death, remarriage, etc). If a child should die, the grieving parents will need to work with Apple support.
  • The birthdates cannot be changed. (Of course.)
  • Since they cannot be deleted the Organizer iCloud ID they are associated with cannot become a non-Family ID.
  • Since the Organizer ID must stay a Family ID the payment method cannot be removed from it.

That last bullet point is important. It’s a bit weird, but Apple documents how to create an Apple ID that doesn’t have a payment method. You can use it to buy free apps and tunes.

You can’t, however, turn that Apple ID into a family organizer:

If you're the family organizer for a Family Sharing group and want to share purchases with your family, you're required to have at least one payment method on file. A payment method is also required to set up accounts for children.

If you have an Apple ID like that, and you try to make it a Family Organizer in macOS Mojave iCloud despite the warning, you’ll get this helpful error message:


“There was an unexpected error”. Yeah, Apple was serious about that “requires a credit card” warning, they just didn’t code the error handler response for those who ignored it. I figured given the kludgy workaround Apple documented that the warning was obsolete. Wrong.

Why does Family Sharing require a payment method? I suspect Apple’s hacked together back ends can’t prevent some purchases even when there’s no payment method — and Apple doesn't want to get stuck with the tab. Another possibility is that it’s needed as part of Organizer identity tracing in case a vulnerable child family member is at risk.

So, what do you do when you have too many kids and you need to dump one that’s under 13?

The only recourse, short of phoning Apple support, is to create another full Apple ID (age over 18), make it a Family Organizer, and transfer the sub-13 to that “Organizer”. You need hardware to create a full Apple ID, but if you have a Mac you can do it just by adding a system user. I did that to upgrade a limited Apple ID I’d created long ago to a full Apple ID. I then tried to use this fake parent/Organizer without a payment method, which is how I got the “unexpected error”.

After I added a real payment method and confirmed iTunes could see the account change I tried to again make that Apple ID the Organizer for a new family. This took a while. At first the macOS Mojave iCloud Preference Pane would simply display a blank window. After about five minutes it worked. I presume a back end system got updated.

From there I hopped through the transfer process between the macOS account for my new Organizer Apple ID and my iPhone that currently managed my faux 11yo. Some of the screens I saw are illustrative:

I got an error message during the process saying the request had expired, but it went through anyway. I think I got that errant error message because I backed up a screen to do a screenshot. Yeah, this stuff is fragile.

So it appears for now that I’ve moved my fake 11yo from my true Family to a new fake Family where it will sit for another 2 years. Then it will turn 13 and I can vaporize it (I’ve created a future task :-) and then I can remove the payment method for the fake Organizer.

Once I get my strength up I may try to contact Support about some of the other problems with our Family Screen Time, like that handed down device still stuck to my daughter’s account (or I can just wait until she’s 18 and exits).

Now I need some Scotch, but it’s still a bit early here ...

- fn -

[1] Extending the existing Family Sharing to enable remote Screen Time management was a fatal error.

[2] The iPhone 6 can’t move beyond iOS 12, but Apple is still supporting iOS 12 on it, and since iOS 12 is superior to 13 in several ways the 6 is arguably now a better phone than the 6s.

Saturday, May 11, 2019

Screen Time old device bug: Dev used device ID as key, forgot Apple ID

There’s a well known old-device bug with Screen Time. Once you’ve set up Screen Time for a child’s device it will always show up under their Apple ID — even after you wipe the device.

So my daughter’s old iPhone 6 showed up under her Screen Time Apple ID — even after it had been wiped.

Today I changed the Apple ID for that device and enrolled it in Screen Time under a new Apple ID. Then I went to look at her Screen Time device list. Lo and behold — the old device was still there, but now its device name changed to match the device name it had when I reenrolled it with the new Apple ID.

So now one device shows twice in my remote Family Screen Time, once under my daughter’s device list, once under the new Apple ID.

I’ve read that Apple’s Screen Time was a “rush job”. Looks like the dev is doing Screen Time by storing a device identifier — maybe a Serial Number and the device name used at enrollment time. They should have used a combination of Apple ID and device identifier but they used device identifier alone.
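A minimal model of the keying mistake hypothesized above, added here as an illustration: it is not Apple's code, and the class names, Apple IDs, serial and device names are all constructed. It replays the hand-down sequence against a registry keyed by device identifier alone and against one keyed by Apple ID plus device identifier.

```python
# Hypothetical model of the Screen Time symptom described in the post.
# Nothing here reflects Apple's real implementation; all values are constructed.


class DeviceKeyedRegistry:
    """Buggy model: device metadata is keyed by device identifier alone."""

    def __init__(self):
        self.devices = {}   # serial -> device name at last enrollment
        self.members = {}   # apple_id -> set of serials ever enrolled

    def enroll(self, apple_id, serial, name):
        self.devices[serial] = name  # overwrites the name seen by every owner
        self.members.setdefault(apple_id, set()).add(serial)

    def wipe(self, serial):
        pass  # in this model a wipe never clears the server-side record

    def device_list(self, apple_id):
        return sorted(self.devices[s] for s in self.members.get(apple_id, ()))


class CompositeKeyedRegistry:
    """Corrected model: enrollment is keyed by (Apple ID, device identifier)."""

    def __init__(self):
        self.enrollments = {}  # (apple_id, serial) -> device name

    def _retire(self, serial, keep_owner=None):
        stale = [k for k in self.enrollments
                 if k[1] == serial and k[0] != keep_owner]
        for key in stale:
            del self.enrollments[key]

    def enroll(self, apple_id, serial, name):
        # A device has one owner at a time, so drop enrollments under other IDs.
        self._retire(serial, keep_owner=apple_id)
        self.enrollments[(apple_id, serial)] = name

    def wipe(self, serial):
        self._retire(serial)

    def device_list(self, apple_id):
        return sorted(n for (a, _), n in self.enrollments.items() if a == apple_id)


def replay(registry):
    """Enroll under the child, wipe, re-enroll under a new Apple ID."""
    serial = "SERIAL-PLACEHOLDER"  # constructed value
    registry.enroll("daughter@example.com", serial, "Daughter's iPhone 6")
    registry.wipe(serial)
    registry.enroll("testuser@example.com", serial, "Test iPhone 6")
    return (registry.device_list("daughter@example.com"),
            registry.device_list("testuser@example.com"))
```

With the device-keyed model the daughter's list still contains the phone, now under its new name, which matches the duplicate entry seen in the Family Screen Time view; the composite-keyed model leaves her list empty.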

Two new discoveries in iOS Screen Time (parental controls): Age 13 and Apple ID incompatible with Screen Time

A reputable Twitter source recently wrote that “Screen Time” was "a rush job".

It feels that way. As part of a book project I’ve spent way too much time experimenting with Screen Time. It needs a top to bottom rewrite. Also needs an API so other vendors can extend what Apple offers. 

Anyway, I’ve learned two new things about Screen Time — two special ages and a hint about why one iPhone could not be enrolled in remote Screen Time.

First the ages. US Screen Time has two special ages: 13 and 18. We know about 18, but the 13 is new to me. 

If a Family Member's Apple ID birthdate means their current age is over 18 then remote screen time blocks are turned off. It’s an 18th birthday gift from Apple! This is a problem for special needs adults — chronologically 18 but very vulnerable. The workaround for a special needs adult is to set their AppleID birthdate so they are 14 (write down the birthdate you used, you may need it).

Note I wrote 14, not, say, 10. That’s because 13 is another special age. If a Family Organizer creates an Apple ID birthdate such that a family member’s age is under 13 they will see, after it’s been created, the message "Children under 13 cannot be removed from Family Sharing.” Not only can they not be removed, their birthdate cannot be changed either. You will need to call Apple Support to have changes made, and you may need to work with a supervisor.  Meanwhile any devices with that Apple ID will count against your sharing cap.

What else did I learn?

I learned that some Apple IDs won’t work with Screen Time. It’s not clear why; I assume it’s an obscure bug somewhere in Apple’s creaky identity management infrastructure. When I set up a test phone for my book project I used an old Apple ID of mine. Without going into the convoluted history, that Apple ID is descended from an old mac.com/MobileMe email account and it’s all way too complex to describe. In any case, even though I'd changed the birthdate so age was 14, remote Screen Time settings didn’t “stick”. I’d enable them, they’d flip back to off. I changed the device Apple ID to a fresh one created from my Family Organizer account (which is how I discovered the 13 yo bit) and now it works.

Since my test iPhone doesn’t have a SIM card I wondered if that was part of my remote Screen Time problem. It wasn’t — my setup worked fine. Interestingly when I set the Apple ID this way both FaceTime and iMessage also worked without a SIM card — no ‘waiting for activation’ issues.

Saturday, October 06, 2018

Only Apple can provide family mobile device management for iOS

Update 10/24/2018: After writing this, and only by experimentation, I’ve discovered that Apple actually provides extensive remote control options for family members with an “Apple age” under 18. It’s imperfect and there’s no browser interface, but it is comparable to Google's Family Link.

Over on my book project blog I recently reviewed Google’s Family Link solution for mobile device management of children and dependent devices (“parental controls”). I reflected on my experience with third party solutions for iOS devices:

… I’ve found problems with all of the solutions I’ve tested. Qustodio’s VPN can’t handle encrypted connections, MMGuardian has several killer flaws, and their competition didn’t even meet my minimal test standards …

I think there are four interlocking reasons that make this a “mission impossible” for anyone but Apple:

  1. Apple’s mobile device management model is very difficult to implement — even for leading corporate partners [1].
  2. It’s non-trivial development to build something like scheduled app access control on top of Apple’s suite of iOS restrictions. This isn’t something schools and businesses need, so it has to be supported by the family market.
  3. Very few people will pay for this service. It’s a lot of work for a niche market.
  4. Any vendor looking at the home market knows that Apple could eliminate their business at any time with no warning. That’s what Google did with Family Link.

Only Apple can do the equivalent of Google’s Family Link [2]. That may require governmental pressure. Until Apple does it parents of children and guardians of special needs adults will need physical access to iPhones to implement restrictions.

- fn -

[1] JAMF is the dominant vendor in the corporate and educational iOS MDM market. I recently took advantage of a “Daring Fireball reader” special offer for a free 3 device JAMF account. When I enrolled a test device I discovered that annual certificate renewal disconnects enrolled devices (unless you have a dedicated corporate Apple ID) and I learned that full access to Apple’s suite of iOS restrictions requires either Apple’s “PreStage purchase program” or use of Apple Configurator (I think this is in flux with iOS 11 and 12).
[2] If Apple does add MDM to iCloud, I hope they think about vulnerable adults. Google’s “age of consent” (13yo in US) opt-out and notification approach is a workable alternative to disabling use of Family MDM for adults.

Wednesday, September 19, 2018

iOS 12 Family Sharing: Purchase Sharing supports changing Apple ID and UI could support future multiple Apple IDs.

One of Apple’s “original sins” is the proliferation of Apple IDs and the inability to merge or manage them. I have four that I know of with cryptic and fungible relationships between Apple ID and product ownership. (The worst bugs in the software world are data model bugs.)

In iOS 12 Family Sharing there’s now a setting for Purchase Sharing with an associated Apple ID. Mine is set to my Apple Store ID which is historically distinct from my iCloud ID (many old timers have this unfixable issue). If you tap on this Apple ID it brings up a dialog that allows this to be changed (there’s a bug here — tapping on it doesn’t always work. I had to leave the screen and return to it to enable tap). When I tapped it switched the default to my iCloud Apple ID.

I believe this is a new control. It will be interesting to see what happens when I migrate other family devices that use this iTunes Store ID for purchasing.

At the moment only one Apple ID can be used, but this UI could support multiple Apple IDs. The screen also displays a payment method that cannot be changed, it’s presumably defined by Apple ID.

This is something to watch.

PS. The ten year history of this mess is one reason I recommend Spotify over Apple Music for families.

iOS 12 Parental Controls / Restrictions / Screen Time: Parental Controls (Passcode restricted) is not always compatible with "Share Across Devices"

Experimenting with Screen Time I enabled a passcode on my personal iPad after I’d enabled “Share Across Devices” [1]. I then found I could disable it without reentering the passcode. Which kind of defeats the purpose of a parental control passcode.

Then I turned it on again, and this time I was asked something like: “Is this iPad for you or your child?” [2]. Once I chose child I could no longer remove the passcode without entering it.

“Share Across Devices” then turned itself off.

When I turned “Share Across Devices” back on I had to reenter my Screen Time Passcode. After that the Screen Time Passcode was disabled.

Maybe this isn’t exactly a bug, but it certainly is awkward. I wonder if “Share Across Devices” uses iCloud ID or iTunes/Store ID.

Screen Time for family is enabled through the “Family Sharing” screen.

- fn -

[1] I think Share Across Devices requires Apple’s two-factor authentication, which seems to rely on SIM-hack-friendly, justly scorned phone number authentication. Yay Apple.

[2] Remember when iOS was going to allow multiple accounts on a single iPad? Android did that for their now defunct tablets.

iOS 12: It's now possible to remove/change Restriction / Screen Time passcode without removing restrictions

Prior to iOS 12 if you’d set a restriction passcode the only way to change it was to remove restrictions — which deleted things like blacklists and whitelists. With iOS 12 there’s a dialog for changing or removing the passcode. My favorite iOS 12 feature so far.

Tuesday, September 18, 2018

iOS 12: "family sharing" is still for children only -- ask to buy disabled at age 18 in US

The “Share purchases on iPad with family members” chapter of my iOS 12 iPad user guide tells me Family Sharing is still limited to children, and still not suited for use with special needs adults.

The problem is that “Ask to Buy” is available only for 18 and under. Since all purchases go to the “Family Organizer” Ask to Buy is the only way for the Organizer to control what family members purchase intentionally or accidentally. Since it’s turned off at age 18 “Family Sharing” is effectively for parents (who presumably share expenses) and children (who can have Ask to Buy).

This means that Family Sharing is not helpful for special needs dependents (guardianship status).

This is unchanged from iOS 11.  I’m not surprised, Apple doesn’t want Family Sharing to be widely adopted beyond the target group.

Wednesday, February 14, 2018

The state of iOS parental mobile device management is bad

I recently reviewed Qustodio and found it unusable because the mandatory VPN is not compatible with modern encrypted connections (https).

After that I revisited MMGuardian. Things there are almost as bad. They haven’t implemented password security on their MDM profile; the vendor claims Apple doesn’t support the functions they rely on with a locked profile.

I also learned that MMGuardian’s primary app control, which is to hide all non-default apps, also deletes their folder and icon arrangements. So when they are restored they are no longer in their original locations.

MMGuardian can’t report on device usage, probably because it doesn’t have a VPN option.

Lastly, while MMGuardian can hide Safari, that’s a binary setting. It can’t schedule Safari to be active or disabled the way it can schedule other apps. 

In my 2016 review Qustodio and MMGuardian were the only candidates to meet basic requirements. As of 2018 there are no longer any useable iOS parental control applications.

So now we wait to see if Jana Partners and the California State Teachers Retirement System can push Tim Cook to add remote MDM to iCloud. I doubt they’ll succeed. Next it’s up to the EU.

Update: Apple introduced a Family page and branded it as doing something in the general direction of supporting vulnerable users. That’s not a positive sign.