Showing posts sorted by date for query parental controls. Sort by relevance Show all posts
Showing posts sorted by date for query parental controls. Sort by relevance Show all posts

Friday, February 25, 2022

Impressions of the Eero 6

In retrospect my AirPort Extreme was probably flaky for a while. It's hard to diagnose router failure issues, but my son complained his iPad Zwift app was disconnecting. I was getting corrupted Synology Time Machine backups after years of good results. Then the router started to power down spontaneously. It was 6 years old and the power supply had failed.

We bought an Amazon Eero 6.

Before I talk about the various issues and surprises, let me see this is one of the more fun purchases I've made in a while. It's a huge pain to move all our various devices over to the new primary and "Guest" (where untrustworthy hardware connects) networks, but it's delightful to see 5 WiFi bars everywhere. Including the MyQ garage opener -- which is at least 50 feet from our home. (That's how we open the garage door when it's less than 15F and the external battery powered device doesn't work.) I have one device by the Comcast router, one on the middle floor towards the garage, and one basically hidden beneath the ground floor serving the basement and side patio.

Why did I buy the Eero?

  1. Microsoft doesn't make a router, so the least evil tech giant was unavailable.
  2. Apple doesn't make a router, so my very Evil master was unavailable.
  3. That left Google, Amazon and the small ones (Linksys) who may not last very long and thus can't keep the patches coming.
  4. I read that Eero does a good job of updating its devices.
  5. Google is maximal Evil. I'm in the midst of a long painful divorce from Google Apps and Google Drive and I really don't want anything more from Google.
  6. Amazon could get me a Eero 6 threesome within 8 hours of ordering it. It came at 6am. I felt the fangs of my Prime Parasite dig deeper into my core.
What were the surprises?
  • Some older equipment will not connect to an Eero 6. The problem seems to be that the Eero has one SSID with two frequencies; my old AirPort had separate 2.4 and 5 GHz SSIDs. Devices that can only handle 2.4GHz may not work. We ran into two problems [see update below]:
    1. SONY Playstation 4 (SONY's link no longer works of course): Go to Settings > Network > Setup Internet Connection > Use Wi-Fi > Easy. Select the SSID (wifi network name) but don't choose it! Now press the Options button on the controller. Select the 2.4GHz band. (When I tried 5GHz I got an obscure error message.)
    2. Samsung television: It simply won't connect. Samsung has some tips I've not explored, I could try updating the firmware. Google found some Reddit discussions but that site crashed at the moment. (This TV is behaving a bit oddly, so there may be other issues.)
  • The Eero 6 has two ethernet ports on the base unit. It's hard to tell from Eero's dreadful web site but I believe the Eero 6 Pro has ports on peripheral nodes too. I needed one for the Synology NAS and one to the Comcast modem. Given that not all devices work with the Eero it would be nice to have parts on each station -- I could then hardware devices that don't work with Eero wifi.
  • The Eeros are smaller than I expected.
  • The Eero app crashes every time I try to assign a device to a profile. I suspect it can't handle the ethernet address swapping of modern iPhones. It's amazing that's not fixed.
  • If you want to use the parental control features on iOS devices you need to turn off the ethernet swapping. This will make it easier for vendors to track your use however.
  • Amazon tries to upsell subscriptions to services including a security package. This is really annoying and it keeps doing it even after initial decline. Be careful not to accidentally subscribe to anything. You don't get filtering or website controls without the extra monthly fee, other routers provide those for free (but they usually don't work well or at all with modern connectivity).
The easiest way to swap routers is to keep the network names and passwords the same. I couldn't do that for reasons, so I get the tedium of reconnecting very old devices to WiFi.

Update 2/27/2022: Pause 5 GHz to allow older devices to connect

I read an Amazon review saying there was a way to pause 5G to allow older devices to connect! I haven't tried on the TV yet. It's an obscure feature:

Settings -> Troubleshooting -> My Device won't connect -> My device is 2.4 GHz only -> Temporarily pause 5 GHz.

There are some other features buried in troubleshooting, including Health Check.

Friday, April 02, 2021

The panicky M1 MacBook Air known as Crashy

Nine weeks ago I replaced Emily's 9yo 11" Air with a 2021 M1 Air. Shortly after we passed the return date I realized I'd made a bad decision. The M1 Air panicked so often that it's forever known to us as "Crashy" the M1 Air. On some days Emily would see a spontaneous restart several times a day.

I don't think it's a hardware problem; among other things it's passed repeated hardware tests.  I suspect using Migration Assistant to move from High Sierra didn't help, but I don't think that's all of it. There's something bizarre with residual parental controls on my son's account that I can't seem to clear -- but Apple's parental controls/Screen Time have been horked for my family for years across iOS and now macOS. I don't think that's all of it.

I think it's mostly a bug with Fast User Switching and maybe Chrome/Google Software. We know that Fast User Switching can kill Mail.app spotlight search until corespotlightd is restarted, so we know some defect is leaking across user sessions. We also know that Fast User Switching is disabled by default on Big Sur, which suggests Apple is worried about it. (Maybe the weird Screen Time behavior is playing a role.)

So after doing every possible fix short of wiping the drive and reinstalling data from backup I removed every trace of Chrome and Google software [1] and I turned off FUS. Since then we've had no more crashes.

Eventually I'm going to restore FUS. This is a multi-user machine and we want it to work properly. When I do that I'll make every user admin because Big Sur does not display a Panic report to non-admin users -- then look for a log report. If Crashy stays up then the finger points to Chrome.

I really wish we'd bought an Intel Air. The 2020 Intel Air was basically perfect.

[1] My son used Chrome, Emily is Safari only. After one crash Emily was asked if she wanted to restart Chrome -- but she wasn't using Chrome. Suspicious for more leakage across user sessions.

PS. At one point I saw a very long thread on Apple Discussions about M1's crashing. It vanished. Here's a shorter thread and another.

Update 4/19/2021: Removing Chrome and disabling Fast User Switching eliminated the panics. We are doing ok without both so we aren't doing further testing. I don't miss Chrome and Emily and my son don't mind logging out.

Update 6/18/2021: By Big Sur 11.4 Crashy was fixed. We're keeping the name however. Fast User Switching is on but I never did reinstall Chrome. We bought our M1 Air around Jan 20, 2021 and 11.4 came out 5/24/2021, so it took five months for Apple to fix the damned thing. Eclectic Company wrote an article about M1 instability under Big Sur.

Saturday, January 04, 2020

Apple's Family: The many surprises of creating an Apple ID with age 13 or under

(You can skip the rant to get to the tech details)

<rant>I frequently berate Apple for the radioactive-feces-infested-dumpster-fire that they’ve built out of Family Sharing and Parental Controls / Screen Time / Restrictions [1] … but my latest experience has added a note of sympathy for the engineers who offend Tim Cook and are HR assigned to work on this prior to leaving Apple.

Apple has built something insanely complicated. The intersection of user interfaces, regional rules and restrictions, content licensing, DRM, functional requirements, iOS, macOS, iCloud, sync, multiple OS versions … heck, there probably time zones in there too. At this point they might as well give up and throw a neural network at it.

Whatever your day job, be grateful this isn’t what you work on.

Things are almost as bad on the consumer side. There’s a reason I seem to be the only person alive trying to make remote Screen Time work. (It’s a book project, I don’t have a choice.) With some effort I’ve come up with practical recommendations for caregivers (example) — but they assume the software actually functions. In practice I have run into a wide range of bugs and weirdness, particularly since iOS 13 was released.<rant>

Among the many complications Apple contends with into are rules about how many devices and how many users can be a part of a Family for the purposes of both DRM management and remote Screen Time. These are poorly documented, but as best I can tell the limit is 5 family members and somewhere around 10 devices (it’s not clear how multi-user accounts on macOS are treated or Apple TV). Our family has five members so we’re pretty much at the limit and I think we’re at the absolute device limit as well.

I say “think” because it’s not clear that there are error messages, I think things simply break.

So the baseline situation is pretty bad, even before one runs into bugs with handing down devices between family members.

I made things worse though. For a book project I added a test account — sphone4all@icloud.com. That pushed us up to six family members and probably hit or exceeded our device limit. Since my test phone is an iPhone 6 [2] it can’t upgrade to iOS 13 and is no longer useful for the book project. So I decided to try to remove it.

That’s where my next set of problems began. I’d make the mistake of creating the book account with an “age” less than 13. Ages are important in Apple’s Screen Time world. Basically:

Age 18 or more: independence, controls stop working, can purchase ad lib, can be Organizer. (Basically at age 18 you need to remove children from Family.)

Age 13: non-vulnerable status but subject to controls, cannot be Organizer. Age 13-18 is the range for Screen Time and content sharing. If you are the caregiver for a vulnerable adult (ex: cognitive disability) and need Screen Time support you need to periodically adjust their birthdate so they are over 13 and under 18. (We need legislation so Apple supports cognitive disabilities they way they support visual disabilities.)

Age 12 or less: vulnerable status. See below for the special rules.

I’d blundered by creating an iCloud ID for a “child” account with a current age of < 13. These vulnerable user accounts are special:

  • They cannot be deleted by users. Only Apple can remove them. They can only be shifted between Family Organizers (supports divorce, parental death remarriage, etc). If a child should die, the grieving parents will need to work with Apple support.
  • The birthdates cannot be changed. (Of course.)
  • Since they cannot be deleted the Organizer iCloud ID they are associated with cannot become a non-Family ID.
  • Since the Organizer ID must stay a Family ID the payment method cannot be removed from it.

That last bullet point is important. It’s a bit weird, but Apple documents how to create an Apple ID that doesn’t have a payment method. You can use it to buy free apps and tunes.

You can’t, however, turn that Apple ID into a family organizer:

If you're the family organizer for a Family Sharing group and want to share purchases with your family, you're required to have at least one payment method on file. A payment method is also required to set up accounts for children.

If you have an Apple ID like that, and you try to make it a Family Organizer in macOS Mojave iCloud despite the warning, you’ll get this helpful error message:


“There was an unexpected error”. Yeah, Apple was serious about that “requires a credit card” warning, they just didn’t code the error handler response for those who ignored it. I figured given the kludgy workaround Apple documented that the warning was obsolete. Wrong.

Why does Family Sharing require a payment method? I suspect Apple’s hacked together back ends can’t prevent some purchases even when there’s no payment method — and Apple doesn't want to get stuck with the tab. Another possibility is that it’s needed as part of Organizer identity tracing in case a vulnerable child family member is at risk.

So, what do you do when you have too many kids and you need to dump one that’s under 13?

The only recourse, short of phoning Apple support, is create another full Apple ID (age over 18), make it a Family Organizer, and transfer the sub-13 to that “Organizer”. You need hardware to create a full Apple ID, but if you have a Mac you can do it just by adding a system user. I did that to upgrade a limited Apple ID I’d created long ago to a full Apple ID. I then tried to use this fake parent/Organizer without a payment method, which is how I got the “unexpected error”.

After I added a real payment method and confirmed iTunes could see the account change I tried to again make that Apple ID the Organizer for a new family. This took a while. At first the macOS Mojave iCloud Preference Pane would simply display a blank window. After about five minutes it worked. I presume a back end system got updated.

From there I hopped through the transfer process between the macOS account for my new Organizer Apple ID and my iPhone that currently managed my faux 11yo. Some of the screens i saw are illustrative:

I got an error message during the process saying the request had expired, but it went through anyway. I think I got that errant error message because I backed up a screen to do a screenshot. Yeah, this stuff is fragile.

So it appears for now that I’ve moved my fake 11yo from my true Family to a new fake Family where it will sit for another 2 years. Then it will turn 13 and I can vaporize it (I’ve created a future task :-) and then I can remove the payment method for the fake Organizer.

Once I get my strength up I may try to contact Support about some of the other problems with our Family Screen Time, like that handed down device still stuck to my daughters account (or I can just wait until she’s 18 and exits).

Now I need some Scotch, but it’s still a bit early here ...

- fn-

[1] Extending the existing Family Sharing to enable remote Screen Time management was a fatal error.

[2] The iPhone 6 can’t move beyond iOS 12, but Apple is still supporting iOS 12 on it, and since iOS 12 is superior to 13 in several ways the 6 is arguably now a better phone than the 6s.

See also:

Saturday, December 21, 2019

Share Sheet crash in iOS 13.3 - try removing apps that have associated share sheet actions

I upgraded from iOS 12 to 13.3. Most things worked (Parental Controls/Screen Time may be more broken, but it’s always broken), but I had one significant bug.

If I opened a .docx (Word) file in Mail.app it would display in the docx viewer as expected. If I then tapped the share sheet icon the viewer would crash.

David Yeh found a workaround — do a long press on the document and then use the share sheet from that popup screen. Another contributor suggested removing and restoring the mail account, that didn’t work for me.

Today I found a fix for my case. I deleted two utilities: Pinner (last updated 2y ago) and Opener (frequently updated) then restarted my phone. That removed their associated share sheet action apps.

Now the share sheet works for me.

I’ll reinstall Opener if I find I miss it. Pushpin.app was updated relatively recently so I’ll use that instead of Pinner (really, I only use the Pushpin app action).

Saturday, May 11, 2019

Two new discoveries in iOS Screen Time (parental controls): Age 13 and Apple ID incompatible with Screen Time

A reputable Twitter source recently wrote that “Screen Time” was "a rush job".

It feels that way. As part of a book project I’ve spent way too much time experimenting with Screen Time. It needs a top to bottom rewrite. Also needs an API so other vendors can extend what Apple offers. 

Anyway, I’ve learned two new things about Screen Time — two special ages and a hint about why one iPhone could not be enrolled in remote Screen Time.

First the ages. US Screen Time has two special ages: 13 and 18. We know about 18, but the 13 is new to me. 

If a Family Member's Apple ID birthdate means their current age is over 18 then remote screen time blocks are turned off. It’s an 18th birthday gift from Apple! This is a problem for special needs adults — chronologically 18 but very vulnerable. The workaround for a special needs adult is to set their AppleID birthdate so they are 14 (write down the birthdate you used, you may need it).

Note I wrote 14, not, say, 10. That’s because 13 is another special age. If a Family Organizer creates an Apple ID birthdate such that a family member’s age is under 13 they will see, after it’s been created, the message "Children under 13 cannot be removed from Family Sharing.” Not only can they not be removed, their birthdate cannot be changed either. You will need to call Apple Support to have changes made, and you may need to work with a supervisor.  Meanwhile any devices with that Apple ID will count against your sharing cap.

What else did I learn?

I learned that some Apple IDs won’t work with Screen Time. It’s not clear why; I assume it’s a obscure bug somewhere in Apple’s creaky identity management infrastructure. When I set up a test phone for my book project I used an old Apple ID of mine. Without going into the convoluted history, that Apple ID is descended from an old mac.com/MobileMe email account and it’s all way too complex to describe. In any case, even though I'd changed the birthdate so age was 14, remote Screen Time settings didn’t “stick”. I’d enable them, they’d flip back to off. I changed the device Apple ID to a fresh one created from my Family Organizer account (which is how I discovered the 13 yo bit) and now it works.

Since my test iPhone doesn’t have a SIM card I wondered if that was part of my remote Screen Time problem. It wasn’t — my setup worked fine. Interestingly when I set the Apple ID this way both FaceTime and iMessage also worked without a SIM card — no ‘waiting for activation’ issues.

Saturday, October 06, 2018

Only Apple can provide family mobile device management for iOS

Update 10/24/2018: After writing this, and only by experimentation, I’ve discovered that Apple actually provides extensive remote control options for family members with an “Apple age” under 18. It’s imperfect and there’s no browser interface, but it is comparable to Google's Family Link.

Over on my book project blog I recently reviewed Google’s Family Link solution for mobile device management of children and dependent devices (“parental controls”). I reflected on my experience with third party solutions for iOS devices:

… I’ve found problems with all of the solutions I’ve tested. Qustodio’s VPN can’t handle encrypted connectionsMMGuardian has several killer flaws, and their competition didn’t  even meet my minimal test standards …

I think there are four interlocking reasons that make this a “mission impossible” from anyone but Apple:

  1. Apple’s mobile device management model is very difficult to implement — even for leading corporate partners [1].
  2. It’s non-trivial development to build something like scheduled app access control on top of Apple’s suite of iOS restrictions. This isn’t something schools and business need, so it has to be supported by the family market.
  3. Very few people will pay for this service. It’s a lot of work for a niche market.
  4. Any vendor looking at the home market knows that Apple could eliminate their business at any time with no warning. That’s what Google did with Family Link.

Only Apple can do the equivalent of Google’s Family Link [2]. That may require governmental pressure. Until Apple does it parents of children and guardians of special needs adults will need physical access to iPhones to implement restrictions.

- fn -

[1] JAMF is the dominant vendor in the corporate and educational iOS MDM market. I recently took advantage of a “Daring Fireball reader” special offer for a free 3 device JAMF account. When I enrolled a test device I discovered that annual certificate renewal disconnects enrolled devices (unless you have a dedicated corporate Apple ID) and I learned that full access to Apple’s suite of iOS restrictions requires either Apple’s “PreStage purchase program” or use of Apple Configurator (I think this is in flux with iOS 11 and 12).
[2] If Apple does add MDM to iCloud, I hope they think about vulnerable adults. Google’s “age of consent” (13yo in US) opt-out and notification approach is a workable alternative to disabling use of Family MDM for adults.

Wednesday, September 19, 2018

iOS 12 Parental Controls / Restrictions / Screen Time: Parental Controls (Passcode restricted) is not always compatible with "Share Across Devices"

Experimenting with Screen Time I enabled a passcode on my personal iPad after I’d enabled “Share Across Devices” [1]. I then found I could disable it without reentering the passcode. Which kind of defeats the purpose of a parental control passcode.

Then I turned it on again, and this time I was asked something like: “Is this iPad for you or your child?” [2]. Once I chose child I could no longer remove the passcode without entering it.

“Share Across Devices” then turned itself off.

When I turned “Share Across Devices” back on then I had to reenter my Screen Time Passcode. After than Screen Time Passcode was disabled.

Maybe this isn’t exactly a bug, but it certainly is awkward. I wonder if “Share Across Devices” uses iCloud ID or iTunes/Store ID.

Screen Time for family is enabled through the “Family Sharing” screen.

- fn -

[1] I think Share Across Devices Requires Apple’s two-factor authentication, which seems to rely on SIM-hack-friendly justly scorned phone number authentication. Yay Apple.

[2] Remember when iOS was going to allow multiple accounts on a single iPad? Android did that for their now defunct tablets.

Sunday, July 24, 2016

FileVault 2's Undying Guest User bug - the El Capitan edition.

Today’s post-El Capitan update bug is a ghostly Guest User account that appears only on restarting a El Capitan Mac with FileVault 2 enabled and Guest User disabled in System Preferences:Users and Find My Mac enabled. The configuration for this pre-decryption login is running out of the UEFI EFI system partition. The one thing this Guest User can do is run Safari; the primary partition remains encrypted. There are no Parental Control options (that’s a problem).

I’ve read claims that this a feature. Some misguided Apple engineer thought it would be a good idea — a kind of Honey Pot that would tempt a thief to go online and thus trigger Find My Mac.[1] It becomes a problem with kids who have issues with internet abuse; they get an open browser.

My own suspicion is that this is a partly-implemented undocumented “feature” that is buggy because it was never tested. Maybe it was partly pulled from the release. Not only does it appear unpredictably it has other associated problems. If you enable the Guest account in System Preferences there’s sometimes an option to  enable Parental Controls and sometimes not. Even when there is an option to enable Parental Controls it doesn’t actually work. I’m also unable to get a true Guest account to work — even when I don’t see the “safari only” warning in system preferences the Guest Account never decrypts the primary partition.

There may be more than one bug involved — perhaps something related to failure of new computer / upgrade to notify EFI infrastructure of a preference change. I suspect it’s the worst kind of bug — an undocumented feature that was partly pulled from a release and lurks in code.

It’s not new to El Capitan, it’s been happening intermittently since Lion. It may be more frequent in El Capitan.  I updated two FileVault 2 machines from Yosemite to El Capitan and only one has the ghost account. 

I reviewed 3 options on apple.stackexchange.com [2] dating as far back as Lion with updates for 10.11.

The fix that worked for me was edited as recently as 6/2016. Basically you turn off Guest Account and Find My Mac in System Preferences. Then you disable System Integrity Protection so you can “touch” a System EFI resource, that forces and EFI update, then reenable SIP. When I did that System Preferences had Guest Account enabled again, even though it wasn’t showing up. I disabled Guest Account and enabled Find My Mac and the ghost seems to have been exorcised.
 
I think reinstalling El Capitan from Combo Update would have worked too — it also forces an EFI refresh [3]. I wonder if one could even have used the reinstall operating system feature in the Recovery mode.
 
- fn -

[1] This has been seen as far back as Lion and there’s a good description in this Yosemite article in FileVault 2.

Ten Things You Might Not Know About FileVault 2 | Der Flounder - Dec 2014 ( - Yosemite)

One unusual feature of FileVault 2 is that sometimes a Guest User icon will appear at the pre-boot login screen.

Figure_4-Guest_account_appearing_at_the_FileVault_2_pre-boot_login_screen

When you log in as that guest user, you don’t get access to your hard drive. The only thing you get access to is Safari and a network connection. Quitting out of Safari will return you to the FileVault 2 pre-boot login screen.

Figure_5-Guest_account_restarting_to_Safari-only_mode

Figure_6-Guest_accounts_Safari-only_access

To my knowledge, Apple has never commented specifically about this guest user but it appears the guest user is an anti-theft measure. The guest user’s appearance at the pre-boot login screen is a feature tied to signing into iCloud and enabling the Find My Mac option.

Figure_7-Enabling_the_Find_My_Mac_option_in_System_Preferences_iCloud_preference_pane

One consequence of logging into the guest user is that, as soon as the Mac gets a network connection, it will immediately connect back to Apple and report its location information.

Figure_8-Computers_location_displayed_on_iClouds_Find_My_iPhone_website

If you don’t sign in with iCloud and then enable Find My Mac from that machine, the Guest User icon will not appear on the FileVault pre-boot login screen. That said, mobile device management solutions that track a machine’s location may also trigger the Guest User icon to appear.

[2] Apple has killed Apple Discussions with their latest update.

[3] Despite waiting a long time to do my El Capitan upgrade I ran into an unexpected behavior with an updated installer that wasn’t actually updated. So my main machine went to 10.11.2. I wonder if I’d actually gone to 10.11.5 if this problem would have shown up. It seems to be related to a bug with EFI partition updates.

Wednesday, August 26, 2015

Parental Controls? Home VPN? Turn abandoned PC into Sophos firewall for free home use.

Via app.net@remus I’ve learned that Sophos has a free for non-commercial (max 50 IP) home edition product:

Free Firewall: Home Edition for the Sophos UTM Firewall

Our Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.

The Sophos UTM Free Home Use firewall contains its own operating system and will overwrite all data on the computer during the installation process. Therefore, a separate, dedicated computer is needed, which will change into a fully functional security appliance. Just right for the spare PC you have sitting in the corner!

… Use Web Filtering to stop sites from infecting you with viruses and spyware, keep your kids from surfing to bad sites, and get full reporting on the activity in your home…

… Dial in using Roadwarrior VPN access to securely use Remote Desktop, transfer files, and even print, from anywhere in the world, even from your iPhone...

The usual installation is on an old PC, but it can be used "within a virtual machine … Virtual appliance can be run directly in any VMware vSphere Edition”. From a quick read however an old PC with two network cards is more practical.

One should proceed with caution however - the download page has a bad link to a “Sophos Community” support forum; the real forum is hidden away at an astaro.org url. I assume this product was acquired from astaro. There is activity on the forum, but you need to be prepared for some pain to make this work.

Other VPN alternatives mentioned in that app.net thread: OpenVPN (easier to setup than OS X Server VPN) and, of course, Synology NAS. I think you’d only want to try this product for the web filtering and monitoring features.

Monday, April 13, 2015

iOS 8.3 took away one of my favorite parental controls

With iOS 8.3 Apple made an undocumented change that will make a few kids happy.

No, not the post-update dialog that will lead many parents to unwittingly enable 15 minute authentication lifespans for purchases. Apple documented that feature. Here’s where you undo any mistakes by they way:

Image1

The real change is that users no longer need to enter the App Store account password to reinstall any app that’s been previously purchased with that account on any device. There’s no setting to revert back to the old behavior of managing a reinstall very much like an initial installation (respect password settings as above).

Why does this matter?

Well, let’s assume you install YouTube on the KidPhone and late find some highly educational porn. In the old days you could just delete YouTube and be done — assuming your user doesn’t know the App Store account password. Now users can simply download it again.

Now imagine the problem if you do old school App Store/iTunes credential sharing like we do — we each have our own iCloud accounts, but our FairPlay DRMd material is all associated with my App Store credentials. Yeah, everything can be installed. It’s a good thing I’m not into S&M apps.

I don’t know how this works with Family Sharing, the change is too new to see much commentary. For old-school families like ours there are 4 options based on this screen …

Image2

Your options are:

Install AppsDeleting AppsResult
Off On App Store disappears so can’t install or update. You can’t update from iTunes either, so this setting is a pain in the butt. You need to go through the restrictions dialog to do app updates. User can delete apps which is convenient.
On Off App.net@ronnie suggested this one. User can download anything, but they can’t hide contraband. So if they install forbidden apps they get banished to “Install Apps Off” which is painful for everyone.
Off Off As option 1, but can’t remove apps. I can imagine limited use cases.
On On The default.

For now I’m going with Install On and Delete Off, with the warning that forbidden fruit will lead to App Store removal.

I’d love to see a fix from Apple but it’s going to take a lot of complaining. I’m not holding my breath.

Saturday, April 05, 2014

iOS 7.1 movies (video) sync from iCloud but not iTunes - a bug and a fix

The afternoon that we were leaving for holiday I discovered that I couldn’t use iTunes to sync a movie (or a video Podcast) to my daughter’s iPhone 4S. [1] Sync was normal for all other devices but on her iPhone we got stuck at the agonizing “Waiting for changes to be applied” prompt [3]. If I waited 15 minutes or so the sync “completed” without an error message, but no movies were transferred. When I inspected the iPhone contents from iTunes I saw ghostly outlines of the movies I was trying to transfer.

I could download our movies from iCloud directly to the phone, but that’s fairly slow. iTunes sync is faster. Our flight was delayed long enough for me to try many  things including

  • sync of non-DRMd home video (didn’t work)
  • turn off all sync for movies then sync then remove media then try one movie
  • Parental Controls toggle including age range check
  • restarts of iOS and OS X
  • PhoneView inspection of the file system (iOS CloudAssets directory was empty post iOS 7.1 fix for the Other Data cache bug.)
  • Sign out and sign in to App Store from iOS and OS X iTunes.
  • Looked for anything in Console.app related to iTunes (nothing)
  • Backing up, wiping (“restore” to default) iPhone, then restoring it 
I gave up and made do with iCloud download, but @gaelicwizard suggested
Could try initiating a sync with a different computer and letting it overwrite the link with this one. Then, back again. That would clear any caches...

That worked. The key here is that when you sync an iOS device to a different iTunes instance you lose all of your media, but you don’t lose anything else. You don’t lose Apps or App data or iCloud data, etc [2]. If you’re old enough to remember the iPod you can see that when the iTunes is treating the iPhone as though it were an iPod. I did this:

  1. Backup iPhone on Primary iTunes. (iTunesP)
  2. Switched to the admin account on my Mac and launched iTunes there (iTunesA). 
  3. Selected a single short movie to sync (and nothing else). iTunes warned me all media (but only media) would be wiped from my iPhone. (Note difference from the usual “restore” and “restore from backup” behavior.)
  4. The movie synched normally.
  5. Switched back to iTunesP. Did same thing, again iTunes warned me all media would be removed. The moved synched normally.
  6. Turned on sync for Music, TV, Photo, etc. iTunes remembered all of the prior settings so this went quickly.
I suspect this is a new 7.1 bug possibly related to the fix for the Other Data cache bug. Apple clearly wants to end media synchronization from the desktop, so we can expect more bugs like this in the future. 
 
Three thoughts on items that might be related to this bug…
  • We downloaded the (great) movie Frozen from iCloud to our Apple TV very early in its release cycle. There was odd behavior when I later downloaded a copy to iTunes; the new download had a slightly different file size and iTunes seemed to think they were different movies. I can’t remember how I fixed that … (probably deleted and redownloaded)
  • Since wiping the phone and restoring from backup didn’t fix the problem, it’s likely related to something that’s backed up.
  • Even after I synchronized the iPhone with my admin account iTunes instance, I still saw the ghostly outlines of the movies I’d been unable to sync previously. 

 - fn - 

[1] This was a week ago, and I can’t recall if TV shows were behaving normally. I think they were, which is extra weird so maybe I’m remembering incorrectly.

[2] Pre-iCloud days I used to sync Calendar/Contacts for my wife on one iTunes account, and media on a different iTunes account.  In the iPod era Apple was worried about using iPods to share media between iTunes instances — something that seems quaint now. Today’s DRM infrastructure is much more robust.

[3] A common indicator of a sync problem. It’s so annoying that error details don’t appear in Console logs.

Sunday, March 02, 2014

Lion: prompted for lpadmin group when printer pauses (and Apple's permissions mess)

I didn't have a problem with Snow Leopard and my prior printer, but our elder MacBook (plastic, dual USB, no ML support) running Lion is having repeated problems with our Brother HL-6180DW. The printer keeps going into a paused state (sleep / wake bug?), and users are prompted to "Type the name and password of a user in the lpadmin group to allow...". Of course the kids don't know what to type -- and this is a very awkward prompt in any case. Something is broken.

Of course a lot of things are broken with OS X and printing - even in Mavericks. So this isn't a great surprise. It is annoying though.

There are lots of online tips on this mostly focusing on terminal commands for adding users to lpadmin manually or disabling printer queue password requirements. Sometimes they seem to work, sometimes not. [1]. 

The only Apple doc on this covers 10.5 (Leopard) to 10.6 (Snow Leopard). It's weirdly written, and suggests some intersection with parental controls  "Limit printer administration" (which makes sense). Then it talks about toggling admin privileges for the admin user, even though one assumes that only non-admin users would see the prompt.

FWIW even after I created a new admin account on the Lion machine OS X 10.7 wouldn't let me toggle admin status for my primary admin account. It merely said it couldn't. Seems there was something odd about that admin account. So I deleted it (my admin accounts are all disposable, I only use them for admin tasks). I'll see if fixing that makes any difference. If not I'll play around with toggling parental controls and exploring Workgroup Manager and those terminal commands.

- fn -

[1] If you don't like Terminal Commands took a look at Workgroup Manager. Lion’s Server Admin Tools includes Workgroup Manager, I used Workgroup Manager downloads to get the Mountain Lion version (see also). You need to select “Show System Records” to see the “system” users and groups (thank you Google).

In Mountain Lion the lpadmin group is _lpadmin and the Name is Print Administrators. All Administrators were members of lpadmin, and so was ONE of the FIVE non-admin accounts on that machine. Interestingly the ONLY non-admin member of lpadmin on my ML box has parental controls enabled. By Darwin, Apple made such a mess of permissions in OS X.

See also:

Update 4/5/2014

Most of the problems were with one user’s account. With Workgroup Manager I found he was NOT a member of Staff, but all other Lion user accounts were. He was a member of a Group that had the same name as his User Name, probably due to the horrid User/Group/Staff mess of 10.3 to 10.7. I deleted that Group and assigned him to Staff. I’ll see if that works.

There’s also a recent Brother printer driver update to try, and a firmware update. The latter requires Java, which is essentially obsolete on the Mac. I was able to perform the update using an old Lion machine. Shame on Brother for not supporting firmware updates via the web app. (They used to.)

Friday, September 20, 2013

iOS 7 fixes iOS parental controls webkit hole. Finally. (EXCEPT for Siri)

It's been exactly three years since I wrote Apple's iPhone parental controls are completely broken.

Sure, you could turn off Safari -- but there was no way to disable use of webkit embedded browsers. A lot of apps and games kids like, including encyclopedias, use links that bring up an embedded browser. From there it's often a few hops to Google and beyond.

I ranted about this in various places, but mine was a lonely voice. (One can imagine many reasons why most parents don't seem to be concerned about full web access with iOS devices, but, whatever the reason, there's clearly no clamor for a fix.)

Today, years after I gave up, Apple fixed parental controls in iOS 7. You can use Restrictions:websites:specific websites only to restrict both Safari and webkit access to urls. I believe the changes were made pretty deep in the iOS network stack, they seem to affect all browser use.

iOS comes preconfigured with a set of approved sites. The list is not simple to edit but they are all fine with me. You can add others.

There are bugs. Even preconfigured sites seem to sometimes require second authentication on attempted access. Still, it's a big, albeit very late, improvement.

IOS 7 is quite slow on the iPhone 4s two of the kids use, but this one feature is worth the sluggishness.

Update: In early testing #1 says he can't hack the current restrictions. It also seems to be far more useable than superficially similar site restrictions in OS X Mountain Lion; Mountain Lion's current mechanism has been completely broken. I wonder if some serious attention went into making this work.

Update 11/29/2013.

Siri: "Show me pictures of dogs". Shows dogs.

Siri: "Show me pictures of xxxx"....

You have to disable Siri, there are no parental controls there.

Friday, July 26, 2013

Review: Maxell AirStash WiFi media server: iTunes movies to iPhones for long car trips

The Maxell AirStash Wireless 8GB Flash Drive [1] is designed to stream movies to kid's handheld devices on long car rides [3]. It probably has other uses, such as backing up photos or serving music, but I think movies is what everyone buys it for. That's why we bought it -- so we could stream iTunes purchased FairPlay DRMd .mv4 movies and television episodes to our 3 kids devices.

So, did it work?

Yes, but, unfortunately, not very well. I was able to stream The Avengers (iTunes SD) to two devices fairly well, but once I added a third device watching the same movie the stream became unreliable. The device is supposed to be able to stream 3 movies at once, but perhaps they mean 3 different movies. Or, more likely, it can't really stream 3 SD resolution movies at once. I suspect it can stream 1 HD movie, 2 SD movies, or 3 movies ripped to iPhone screen resolution [4].

Since we have 3 kids, this isn't a great solution. We might still consider using it, but the SanDisk Connect 64GB Wireless Media Drive Streaming is supposed to be available in the next 1-2 weeks. It is less expensive, has much higher starting capacity [2], and claims to stream a movie to up to 5 clients (so probably 3). We've processed an Amazon return on the AirStash, but we may still keep it if we can't get the SanDisk in time for our trip.

Beyond the disappointing, but not surprising, performance issues I'll quickly list a few observations:
  • It's a bit bigger than it looks in the Amazon photos, it can fill a good portion of an adult hand. It fit the chargers in our van, but for some USB chargers you'll need a USB extension cable.
  • Although it has an internal battery, it's clearly designed to run off a car USB charger. The manual suggests leaving it in the charger.
  • It's a pain to turn on/off. I'd kill for a simple switch instead of these quirky push buttons that require a manual to use. The indicator light is worthless when the device is charging, I found I had to unplug it to know it's power state.
  • It takes about 15 seconds to boot up, so be patient waiting for WiFi to appear.
  • The AirStash is controlled by the (WebDav client) iOS AirStash+ app configure settings. You can use this to rename it and play media. FairPlay DRMd media is passed to Safari [5], Safari in turn passes it to iOS QuickTime player (videos.app). As long as the DRM on the movie matches the iTunes account on the iOS device then the movie will play. There are no chapter controls, you can often move through the movie timeline but not always. For a single user movies play well.
  • I was able to lock up iOS AirStash+ fairly easily and had to kill and restart it several times.
  • On initial use I was told a firmware update was available. The installation directions were poorly worded, and, again, it's hard to see the power/firmware update status light when the device is charging. It worked after some fiddly.
  • I don't think you can stream a movie when it's connected to a computer. I'm not positive, but it didn't seem to work in my testing. It's fine when connected to a power supply.
  • You can put movies directly on the FAT32 formatted SD card or plug in the AirStash and it will mount. You can use Folders to organize your media.
  • It comes with a plastic cap that doesn't fit on the end of the AirStash. So it will get lost pretty quickly.
  • When I typed 'airstash.net' into my desktop Safari while connected to the WiFi I did not get anything back. It's supposed to show the file system, can't say why that didn't work. I didn't pursue further since I won't use the device that way.
  • I didn't test how it behaves under prolonged load, but I'd be sure to keep this near a cooling vent in the car. Heat dissipation must be a challenge and prolonged overheating destroys devices like this.
  • I was able to use a 64GB SONY SD Card with the AirStash, but I had to reformat it to FAT32 on my Mac. [6]
See also:
- fn -
[1] The AirStash ships with an 8GB SD card, which is really only practical for testing. You can buy a 16GB version, but obviously that's a waste of money. Most will buy the 8GB AirStash then get a 64GB to 2TB SDXC card - but see [6].
[2] 64GB internal, plus external slot available.
[3] It is perhaps not obvious why one would want this. It's a pain to put movies on/off iPhones when traveling, this way we could take our video library with us.
[4] I suspect the ideal use case would be someone who (illegally) rents Amazon DVDs and rips them to iPhone resolution, building a compact library that is streamable with a relatively low powered device.
[5] Safari is disabled on our kids phones as a minimally effective parental control measure.
[6] SD cards above 32GB come exFAT formatted, and the AirStash won't read Microsoft's patented exFAT. Which is how I learned that whereas Windows machines won't format FAT32 above 32GB, Mountain Lion will happily do at least 64GB and the (Linux powered?) AirStash will read it.

Update: My Amazon review (A minimally edited copy of this one). I'm going to test streaming from my MacBook Air.

Update 7/27/13: Ok, forget the SanDisk: "SanDisk’s drives don’t work with video content you buy from Apple’s iTunes Store at all". So they didn't figure out the Safari workaround AirStash uses. Guess we'll try to make the AirStash work after all.

Update 8/26/2013: We used the AirStash daily for two weeks and it worked quite well. Note we ONLY have SD movies and a lot of what the kids stream is animated and uses much less processing and bandwidth. Also, it was in practice rare for all 3 to stream video at the same time. So, despite failing my 3 stream test, it worked in practice. Kids had no trouble with the necessarily awkward viewing via Safari.

The biggest problem is that the AirStash, with its protruding USB and big body, is an accident waiting to happen. One child stepped on it and partly broke the plastic body. It continued to work, only insert with a flexible USB extension cable and making a protective container from a plastic "tupperware" dish.

The biggest annoyance is the on/off switch switch. I'd love a simple on/off slider. It was often hard to tell if the device was running.

Update 3/27/2014: You can use the AirStash to move files between iOS devices - including ePub files. It shows up as an option in the iOS share list in many apps; from AirStash.app use the copy function to move to AirStash device. Firmware updates are scary; if you plug it into a Mac you need to Eject before update will commence. Really, when doing firmware updates, plug it into a plain charger.

Saturday, May 11, 2013

Parental Controls after OS X 10.8.2: EXC_CRASH and changes to https handling

The kids don't often use my Mountain Lion machines, so I only learned recently that Apple made some significant changes to Parental Controls with the 10.8.2 update. I don't rememberer seeing any documentation at the time and there's nothing in the release notes.

I found out about the changes when I opened the Parental Control Preference Pane on my main Mac. It crashed. I rebooted, it still crashed, and crashed ...

The crash message looked like this one one from last year (I'm on 10.8.3):

Mountain Lion Parental Control time...: Apple Support Communities

Process: System Preferences [2658]
Path: /Applications/System Preferences.app/Contents/MacOS/System Preferences
Identifier: com.apple.systempreferences
Version: 12.0 (12.0)
Build Info: SystemPrefsApp-232000000000000~22
Code Type: X86-64 (Native)
Parent Process: launchd [488]
User ID: 502

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000

Application Specific Information:
com.apple.preferences.parentalcontrols v.400 (Kindersicherung)
objc[2658]: GC: forcing GC OFF because OBJC_DISABLE_GC is set

I was able get around the crash by turning off parental controls for the affected user from the the User Preference Pane. Then I could open and close the Parental Controls Preference Pane; after that I could reenable PCs for the affected account.

I assume the my old preferences were not compatible with the 10.8.2+ version of Parental Controls, and Apple's code didn't handle this very well. Old bug, not fixed. Disappointing, but there's a workaround.

Which leads to the obvious question -- what the heck did Apple change in 10.8.2 Parental Controls? For sure they didn't fix any of the longstanding defects -- like an execrable UI for log review.

The answer is in a 12 page Apple Discussion Thread, pointing to a mislabeled Apple KB article (it says it's 10.6, but it was revised June 2012 and the change came with 10.8.2). Apple changed how they handle https sites when "Try to limit access to adult websites automatically" is selected in Parental Controls.

You see, Apple's Parental Control infrastructure has never worked with SSL encrypted (https) sites [1]. So they have to decide what to do when someone tries to access an https site. Since the https site is effectively invisible, Apple can either decide to trust it completely or distrust it completely. Prior to 10.8.2 Apple's "automatic" limits erred on the side of universal trust. After 10.8.2 they err on the side of universal distrust (which has always been the "Allow access to only these websites" behavior).

So this isn't a bug introduced with 10.8.2, it's Apple being a bit more honest about how crappy OS X Parental Controls always have been. I wonder if the change was made to avoid litigation, or if the transition to all SSL net access made it impossible to keep the old pretense.

In theory an admin user an approve all the https access requests that come up when a user tries to reach one of those sites, but in practice that doesn't scale.

Bottom line: Parental Controls was born lousy, but with 10.8.2 Apple is at least being honest about how bad it really is. [2]

[1] See  OS X Parental Controls: The https bug and our family Google Apps services back in 2010. I think this is related to my employers ability to block dropbox, but inability to block Google Drive without also blocking Google Search.

[2] Parental Controls are no better on iOS by the way -- thanks to the webkit back door. (Bob Tedeschi wrote about this back in 2012.)

Saturday, February 23, 2013

Legal Gmail for kids under and over 13 with Dreamhost Google Apps or Google Apps for Business

In the US, Google Account owners must be over 13, in the Netherlands it's 16 [1]. It's common to lie to get accounts for younger kids, but this can cause an account lockout and 30 day deletion. [2]

So how do kids under 13 get personal email? All services have similar rules.

The exception, of course, is Google Apps for Education. They provide Google services, including calendar and email for children of all ages. The trick is that this group is excluded from Google's predatory business model [3]; the services are paid for and the school district assumes liability.

Is there something similar that's available outside of Education?

Well, there are Google Apps for Business (and on-profits) of course. I was unable to find any age requirements for businesses that buy Google Apps for Business, nor any requirement that the business had to be, you know, a real business. Google isolates business data from its ads and data mining so I expect US laws on protection of children from being packaged and sold do not apply

At $50/user a year though, Google Apps for Business is a bit dear for a family of 5 (though the phone support is no little thing).

Unfortunately Google Apps for Nonprofits is not an option; you really do have to be a legal nonprofit.

Six years ago our family grandfathered into Google Apps through the now-defunct free option, and those users have since acquired full range of Google Services [4]. Alas, that's not an option any longer.

I think the cheapest legal option is to sign up with a hosting service that provides Google Apps for your registered domain. I can personally recommend Dreamhost for this, based on my 6+ years of experience and the (unusual) fact that they handle Domain registration for their customers [5].

At approximately $100/year ($50 for first year or $97 for two years if you use my code [7]) Dreamhost's Google Apps service for a family of five is less than half the cost of Google Apps for Business -- albeit without phone support. On the other hand, Dreamhost also provides other web services including web hosting, Wordpress (ex. kateva.org/sh), web apps, etc [6].

There are other hosting services that provide Google Apps for potential family use, but Dreamhost is the one I know.

 - fn -

[1] YouTube has an 18+ requirement for some videos, and Google Wallet is 18+. I don't believe either one is practically enforcable on most devices; maybe on Android or Chromebook depending on parental controls.

[2] It is noteworthy that Google's requirements for reversing account lockout are much more robust than their account recovery options. This says something about the power of laws and what Google could do to manage identity if they were forced to. The effective workaround is that a parent authorizes a credit card transaction on their own account, thereby technically committing fraud and assuming liability. The liability assumption is what matters.

[3] It's not that Google is particularly evil, this outcome is an inevitable outcome of their business model. They can no more resist this outcome than a species can resist Natural Selection.

[4] Not G+ though. It was once 18+ and is now 13+ regardless of Google Apps.

[5] Most hosting services have another party handle domain registration, and many of those deliver poor service.

[6] Admittedly more of a specialized interest these days.

[7] Just enter KATEVA when asked for a registration code. I set it up so users get the maximal $50/97 discount; I get a kickback but I set my kickback to maximize the user discount. Dreamhost supports Google's mutlifactor authentication framework, so I authenticate using Authenticator.app on my iPhone.

Friday, September 07, 2012

Kindle Fire data plan - only beats iPad at the low end.

There are two interesting things about the Kindle Fire HD.

One is that it introduces parental controls to Android. It even includes OS X like scheduling controls that are missing from iOS 5. I don't know how well they work, but they can't be worse than Apple's feeble restriction system.

The other is the inexpensive $4/month 256MB data plan. That's only enough data for messaging, light email, downloading books (they are tiny!), and perhaps a bit of Facebook on occasion. But it's still a good rate - esp for AT&T. Even Ting, a Sprint MVNO, charges $3/month for only 100MB. The iPad 250MB data plans is $15!

Things are different though as you move to the 3GB mark: 

The Catch in Kindle’s Data Plan - Digits - WSJ: "Kindle users who know they’ll want more data will have to pay a lot more than $50 a year: $30 a month for 3 gigabytes or $50 for 5 gigabytes – plus a $36 activation fee (which isn’t charged with the Amazon promotional plan, but will apply to any upgrades)."

Not coincidentally, the iPad is $30 for 3GB on AT&T (LTE).

So it was only at the very low end that Amazon was able to extract a better deal from AT&T. Even so, Amazon got a better deal Apple - that's an achievement even if they're somehow paying AT&T for the honor.

So what's in it for AT&T? They must estimate that a significant number of Fire users will convert to the 30GB plan. 

We're all keen to see if Apple gets a similar deal ...

Wednesday, August 01, 2012

Nexus 7 - first impressions

I bought an 8GB Nexus 7 (Asus) primarily as an eBook reader. I didn't want a Kindle because I really don't want to be locked into Amazon's DRM, and the iPad 8" is still 3 months away.

Ok, so maybe the iPad Mini is only 8 weeks away. I admit, it's not a logical purchase. It's at least a look into the Android world, and I'm sure I can find a new owner in a few months.

First impressions:

  • In packaging and in look and feel it's a poor man's iPad. Instead of Apple's compact power supply, it comes with a mini-brick.
  • It's not gorilla glass, just scratch resistant. There's no slip case in the packaging. (Given Google's negative margin on this, a slip case might bankrupt them.)
  • There's no proprietary connector of course, just a micro-USB cable. It's not obvious which way is up, Apple would have embossed the top side of the connector to make that obvious.
  • If you use two-factor authentication authentication/2-step verification things are bit kludgy.
  • If you have multiple google accounts you need to decide which one gets to be "dominant" (others are currently somewhat second class citizens). Shades of my AppleID problems. The device defaults to the Gmail account used to purchase it, which happens to be my two-factor account. I ended up going with that. That's the account that gets contacts and son on.
  • In addition to the $25 app store credit it included one non-public domain book (Bourne Dominion) and one movie (Transformers, dark of the moon). Neither to my tastes, but nice touch.
  • It includes NFC and "Android Beam"
  • There's supposed to be a dynamic range issue with the display. It's not obvious to me yet, but I haven't looked at photos. 
  • You can select wallpapers from your Picasa web albums. The bundled wallpapers are pretty blah.
  • I got an update shortly after launching. No problems.
  • It includes GPS.
  • I like the range of unlock options. I'm trying face unlock for the heck of it. Is slick.
  • It supports encryption, but it's a 1 hour optional process.
  • You can download offline voice recognition support (!)
  • Backup is to the cloud of course.
  • The gesture controls are different from iOS, but there are similarities. I like the calendar interaction.
  • Most things seem stuck in portrait mode.
  • Text entry and editing is less sophisticated than iOS. Also, it doesn't seem to remember that I've disabled acoustic feedback.
  • You can enter multiple Google accounts, each account with a credit card gets $25 on the store. I have 3 accounts of my own, but this means the device supports multiple users.
    • I'm not quite sure how account switching works. After I entered two Google accounts I can switch between them from Gmail, but not from Contacts. I think my Contacts list may be  sum of all accounts?
    • Overall account management seems to be at the app level, and it's incomplete or rocky.
  • There's a set of Google apps, like Gmail, then there's also a Mail app.
  • The UI is a bit puzzling, but I'm used to iOS/Windows/Mac. I can't say the UI is particularly bad, I'm too familiar with the alternatives.
  • I'm surprised there's no Google Drive or Google Docs apps on startup.
  • Messenger creates a G+ account whether you want to or not. I stopped halfway through. Although I never confirmed Picasa integration I think some albums were converted, the old URLs still work but generate a redirect warning. Google can be a rough companion.
  • It fits a 1 quart baggy.
  • There are no parental controls. Not a surprise.

This is a real computer, and Asus is supposed to supply a keyboard/case combination. It will be interesting how much a future version with LTE support will cost.

The Nexus 7 isn't the $125 Barbie B-Smart Netbook I predicted. For one thing it's $75 more, though it does include a battery. For another it's far better value for the dollar. 

So I guess we've made it back into the price range of the 1982 Commodore 64 (cheaper, adjusting for inflation). The price collapse in computing has arrived later than expected, but it's here.

I suspect Apple will come in at $250 for the iPad Mini, whereas a week ago I'd have said $200.

See also:

Wednesday, July 25, 2012

Mountain Lion - my experience

I've never installed an OS on its debut. I generally wait 5-6 months for the .4 release.

This time was different. I really don't like Lion (Apple removed it rather quickly from the App Store, didn't they?). I also have a MacBook Air that I really don't rely on -- so I could sacrifice it.

Notes so far ...

  • I backed up the installer prior to installation. (I did the same thing for Lion. Glad I did since it's now gone from the App Store. I'll have it if someone needs it.)
  • In addition to the 4+GB installer there were GB or so of iWork and iLife and firmware updates to apply.
  • The Guest account was reenabled. I removed it.
  • I was able to add a keyboard shortcut of cmd-opt-S for Save As... (instead of cmd-opt-shift-S). It's good to have Save As back. I also changed Settings:General so I'm asked if I want to save changes on exit (I may change it back to default).
  • Unsurprisingly, my broken iCloud Contacts database (hundreds of replicated groups) is still broken. Contacts sucks less than it did though.
  • It doesn't feel any faster or slower than Lion.
  • I'd read Notational Velocity didn't work. Works fine for me. I run as a non-admin user fwiw. Sync to SimpleNote worked to. That's a relief.
  • There's supposed to be a LaunchBar bug with Contacts, but mine was fine. I have iCloud disabled so maybe that helps.
  • My Time Capsule backup was gone after the upgrade. Good thing I wasn't relying on it. When I ran TM it showed no backups. I used the option-click trick to get TM to validate my backup and now the backups are all accessible through Time Capsule. I think this may be related to the 7.6.1 firmware bug with older Time Capsules.
  • I enabled voice dictation; that's not automatic. (Lately it's working on my iPhone, but I doubt it works as well on the desktop. Unrelated to this, but Siri is actually working again.)
  • None of my apps were moved into an 'incompatible application folder'. This machine has always run Lion, so that's not surprising.
  • Chrome seems fine, I'd heard it had problems. Maybe Google fixed 'em. I had to make it my default browser again.
  • There are new Parental Controls for the Game Center. I didn't see any other changes there.
  • I think I'll like Messages. It does remind me though that I'm going to have to come up with some way to fix my broken iCloud account. I don't think Apple will be much help.
  • What's with Video Chat being in both Messages and FaceTime? Isn't that a bit odd?
  • I like the unification of App Store and system updates.
  • For kicks I tried using Google's m.google.com ActiveSync service as an Exchange Account. Didn't work - couldn't contact server.

Overall it feels like a less broken version of Lion. Maybe I'll upgrade my main machine in September rather than February.

Wednesday, March 28, 2012

The stolen (or lost) iPhone - choices

The day has come. Your iPhone has been stolen - or lost. That day came for my son; an old 3GS I'd given him was stolen last week. I didn't find much about what our choices were (see John Halamka - Replacing a Stolen iPhone for the best I found). Here I'll share all I learned; as of today I think this is the best resource on the net. One caveat -- your choices vary depending on your contract situation. In our case my son was about four months into a new contract [1] on our US AT&T family account.

What you can't do

  • You can't stop your AT&T monthly bill. You're under contract.
  • You may or may not be able to cancel Apple Care and perhaps get a prorated refund (up to Apple)
  • You can't get AT&T or Apple to disable the stolen phone, you can't prevent it from being resold.
  • You can't buy a refurbished iPhone from AT&T without a new contract. I don't think you can buy one from Apple at all.

Initial steps

You must choose between
  • going to AT&T and suspend wireless service, AT&T will treat phone as lost or stolen.
  • Leaving service in place and using Find My iPhone to track the phone. If the phone is locked the thief probably can't make a call.
  • Wiping the phone remotely from Find My iPhone.
In our case, for various reasons, we suspended service and wiped the phone. Now you may wish to report the stolen phone; you'll need to do this to make an insurance claim. It's generally not worth bothering with homeowner insurance [2], but do check your policy. We did report his stolen through the school. There are several ways to get the IMEI and serial number assuming you weren't wise enough to right it down:

Get a temporary phone and ask AT&T about options

If you don't have a GSM dumbphone in the closet a neighbor does. Bring it an AT&T store and they'll pop in a SIM card. They'll also let you know your options
  • Early termination fee to end contract: for us $325 less $10/month of service or $285. This has risen sharply over the past years, older contract costs may be much less.
  • Cost for a phone with a contract extension: for us $250 plus the contract cost of the phone ($0 for 8GB 3GS, $200 for 16GB 4S). This cost falls the further into your contract you are.

Consider your iPhone choices

A few months ago I predicted a growing supply ("glut") of used iPhones on the market as a result of carrier-locking and SMS pricing. I'm not seeing that in today's used iPhone market. For example, very few if any businesses sell used iPhones online. (Amazon has some listings, but they're strange. For example, they frequently don't specify carrier lock status.) On the other hand, many business happily buy iPhones, paying $150 for semi-working 3GS! As best I can tell there are several things going on:
  • There's still robust demand for unlocked iPhones overseas, and 3GS iPhones are easy to unlock.
  • Because of the cost of out-of-contract iPhones and their fragility [3] (esp. to water) there's a flourishing market in iPhone repair -- and thus for iPhone parts.
  • There are lot of stolen iPhones but they seem to cycle into the overseas and parts market even more than into the (riskier) resale market.
Here's the list of options that were initially available to us:
  • 16 GB 3GS from either eBay or Craigslist: $200-$220 but significant risk of stolen or defective device.
  • 16 GB 3GS from World of Wireless: not known, but if anyone has used devices for sale they might. Presumably higher price, but may have redress
  • 16 GB 4S from Apple, unlocked: $650. A reader (Martin) points out that a full-price device is a much better fit to insurance policies (credit card or other) than a subsidized device. It's treated like an insured laptop. If you can find a compatible service contract priced for subsidy-free phones and insurance coverage this is a very best option for a replacement or initial phone.
  • 8 GB 3GS from AT&T (new) with contract extension: $250 + $36 "upgrade fee" [5]
  • 16GB 4S from AT&T (new) with contract extension: $450 + $36 "upgrade fee"
  • 16GB 4S from AT&T (new with a new contract for me: $200 + $36 "upgrade fee" (but then I have to put off getting my iPhone 5! [4].
Subsequently I met with a more senior AT&T retail rep. In this case I mentioned (see below) that I was planning to buy out my son's contract; that might have inspired him but he struck me as a natural sales and retail guy. He added another option and some additional information:
  • Even though every new subsidized phone comes with a $36 service fee (smaller percentage of a $200 4S than of a 0$ 3GS), he can provide heavily discounted accessories (case?) to offset the fee.
  • As the primary line on a multi-iPhone family plan I can get an 'upgrade' more often than I realize. I thought I was eligible every 18 months, he said every year was more likely.
  • We could start up a new family line contract ($10/month + tax/fee, no data). There's a loophole by which he can get a subsidized iPhone on the new family line (no data) but activate it on my son's like (data). That would be cost competitive with extending his contract, but it would provide us an extra PlainPhone SIM and wouldn't extend his contract.

Consider your Network choices

This is where things get interesting. A few weeks ago I put an H2O Wireless voice and SMS only SIM into my youngest son's iPhone. He gets voice and SMS service for a total of about $90 (incl fees, taxes) over two years. That's compared to about about $770 (incl. fees, taxes) for my older son's contracted service. That's a rather big difference, especially since ...
  • Neither talks on the phone
  • They can use iMessage when on home Wifi (often)
  • They mostly text, and texting is costly on AT&T but cheap on H2O
  • I'd just as soon they not have data access outside the home, especially given the iPhone's fake parental controls. Those "colorful" YouTube videos can chew through a 200MB data plan pretty quickly. The only advantage of the data plan is Find My iPhone (not that helpful) and iMessage (but H2O texting is relatively cheap).
I'll have to pay $325 to buy out of my son's AT&T contract, but over the next two years I'd come out well ahead with H2O wireless - regardless of how I get a new/used iPhone. I've shared an iPhone replacement  calculation spreadsheet with the two year cost options. Note that the "new 3GS 8GB with contract extension is about the same cost as an unlocked brand new Apple 16GB iPhone 4S on H2O.

What we're doing

I'll think this over for a bit while my son uses an old PlainPhone. Reviewing the spreadsheet however, the H2O wireless (wifi data only) option looks very competitive over a two year cost cycle. If I take that route I'll either
  • buy a used 16GB 3GS (World of Wireless?)
  • get a 16GB 4S on my contract and defer my iPhone 5 (or, since my son will be up for a new contract now, get an iPhone 5 with a 2 yr contract on him in Nov/Dec).
  • buy him an iPod Touch and leave him with the PlainPhone.
[1] His contract came with a 4S, but that phone went to me. He got a rather less costly 3GS. He's on a family plan, so it's $15 data, $10 voice, about $2-3 in texting when iMessage isn't available (we save a lot of money by not having a texting plan).
[2] AMEX users may have some coverage of a lost iPhone, but not much. In this case the lost phone wasn't the one we got on contract.
[3] For about $200 Apple will repair just about any iPhone damage - at least for an in-contract phone. I don't know what the charge is for older iPhones, but it wouldn't surprise me if it was still $200 (plus tax).
[4] My wife's is phone eligible in May 2013, earlier if we pay a bit. So my iPhone 5 delay might be only a few months. This is one of the better options if we stayed with AT&T.
[5] In another sign of AT&T's desperation, they recently doubled their "upgrade fee" from $18 to $36. You can't avoid this fee by purchasing through Apple. If you are a valued customer AT&T will often provide some kind of credit or offset -- just ask before you pay.

Update 4/10/12:

In the end I traded a bike we wanted to sell for a friend's 3GS and we'll make the H2O transition and AT&T contract buy out at another time.

Since this post the carriers have announced a national registry for stolen devices. I'll enter our stolen phone into that registry when it comes out.

Also, I was reading about MAC addresses recently and wondered about recovering an iPhone by scanning for use of its MAC addresss. In Oct 2010 Steven Brannigan did that using an app called Ap-Finder to locate a device over WiFi --though the technique relied on knowing roughly where the phone was.

Lastly, if you save a screenshot of your iOS device's Settings:About screen (takes two shots) you can get the "Wi-Fi Address" (MAC address), Bluetooth, IMIE,and Serial Number. Note the SIM card stores the IMSI, so the SIM (subscriber identity module) card ties an IMIE to a Subscriber. I believe the ICCID identifies the SIM card. So in database jargon the "join" row is:

  • ICCID (SIM card) |  IMIE and/or MAC (device) | Phone number | Subscriber account