How I moved my daughters iOS Notes from school to personal iCloud account

Please don’t put data into iOS Notes. Really, it’s quite horrid [1]

If you do you may find it’s stuck there. We ran into this when my daughter’s school iPad had to be wiped and we needed to rescue Notes that were only stored on her iPad (school iCloud account doesn’t support Notes, neither does school Google Apps).

I did this:

1. Used AirDrop to move notes one at a time from her iPad to my iPhone 6 (her 4s doesn’t support AirDrop).
2. Since my iPhone 6 is configured to use iCloud, each time a note arrived via AirDrop it went via iCloud to Notes.app on Mavericks [2]
3. On Mavericks the notes appeared in my iCloud account. I added my daughters Google Account to my Mavericks User account. I could then select ALL notes (yay) and drag and drop them to the Google account.
4. Then I created an OS X User account and associated it with her personal iCloud Account and added her personal Google Account. Then I did the drag and drop from her Google to her iCloud. 

I did something similar with her school Contacts. Interestingly the account drag and drop behaves differently — Notes are moved, but Contacts are copied.

 

- fn -

[1] I took a look at the folder where Apple stores Notes.app data: ~/Library/Containers/com.apple.Notes/Data/Library/Notes. (Yes, the organization is bizarre). The data is in NotesV2.storedata-wal. I inspected the binary file in Mavericks [2] and found it contains text of Notes I deleted long ago. So if you had sensitive data in Notes.app deleting it won’t remove it from your Mac. It seems the file is never purged.

More — in Mavericks, it only looks like you can drag and drop notes to the desktop. It doesn’t actually work.

More — Notes can sort of hold images and rich text, in some Apple OS but not in others. Definitely not in Google IMAP.

More — Notes was implemented unsung an oddball IMAP hack. It’s like nothing else.

More — Like Contacts Notes can have Groups / Folders in OS X, but in iOS you can’t do anything with these.

There’s still more…

[2] Yeah, I’m still on Mavericks. Yosemite has … issues. I’m waiting for a fix for the crazy network problem.

iCloud Family Sharing: you can mix old style and new style sharing, but there's at least one bug

My family does old school iOS media sharing.

Everyone has their own Apple ID for iCloud, but we all use my App Store ID [1]. So we can all share media, apps and the like.

Modern iCloud Family Sharing has advantages though, and Apple is already making old school sharing harder. 

Which leads to a question.

Say I configure Family Sharing for the 5 of us. [2] Can I mix-and-match old and new family sharing? If #2’s App Store ID is set to my current App Store ID, will he still be able to do old-school sharing?

I think Apple frowns on changing App Store IDs, there may be a limit…

- fn -

[1] Which is different from my iCloud Apple ID because of “.Mac". Don’t think about it too much.

[2] Max of 6 per family, which was once not an unusually large family.

Update 4/16/15 - Reports from app.net

… You can change Apple ID's, download an app and change right back. I do this for apps that I paid for IAP’s with an old account before Family Sharing…

… we do both … although family sharing has not become relevant yet, the old way of sharing apps is more convenient…

When I setup Family Sharing I found that my personal iCloud account was the “Organizer” account, but after entering those credentials my App Store Apple ID was the default for the purchase account. So Apple keeps those two separate.

I did run into a problem — Apple doesn’t provide purchase controls for adults; they didn’t think of special needs or guardianship. Happily, if I leave my old shared credentials as iTunes and App Store old rules apply — the Family Member is asked for my pw to make a purchase. I think if I switched the iTunes and App Store credentials to the user’s iCloud credentials they’d be asked for their Password at time of purchase — but that still requires my help, the kids don’t know their Apple ID passwords yet. So this problem has a workaround…

Thus far the best part of Family Sharing is iOS 8.3 “Find My iPhone”. It now lists everyone’s devices — and several devices that are gone from this earth.

Update 4/18/15: Not working quite as expected.

To recap, the kids have their own iCloud accounts, but the App Store/iTunes credentials are my .mac credentials, which are not my iCloud credentials.

Yeah, this is problematic. We need a way to merge Apple IDs.

In this configuration when they try to buy something I need to enter the .mac credentials. Even when I do that, however, they get a notice that the transaction needs to be approved. That’s fine, but the approval request never gets generates a notification against my Organizer iCloud account. I have an OS X user account bound to the .mac credentials, but that doesn’t get a notification either. So for now I’ve disabled Ask to Buy.

iOS 8.3 took away one of my favorite parental controls

With iOS 8.3 Apple made an undocumented change that will make a few kids happy.

No, not the post-update dialog that will lead many parents to unwittingly enable 15 minute authentication lifespans for purchases. Apple documented that feature. Here’s where you undo any mistakes by they way:

The real change is that users no longer need to enter the App Store account password to reinstall any app that’s been previously purchased with that account on any device. There’s no setting to revert back to the old behavior of managing a reinstall very much like an initial installation (respect password settings as above).

Why does this matter?

Well, let’s assume you install YouTube on the KidPhone and late find some highly educational porn. In the old days you could just delete YouTube and be done — assuming your user doesn’t know the App Store account password. Now users can simply download it again.

Now imagine the problem if you do old school App Store/iTunes credential sharing like we do — we each have our own iCloud accounts, but our FairPlay DRMd material is all associated with my App Store credentials. Yeah, everything can be installed. It’s a good thing I’m not into S&M apps.

I don’t know how this works with Family Sharing, the change is too new to see much commentary. For old-school families like ours there are 4 options based on this screen …

Your options are:

Install Apps	Deleting Apps	Result
Off	On	App Store disappears so can’t install or update. You can’t update from iTunes either, so this setting is a pain in the butt. You need to go through the restrictions dialog to do app updates. User can delete apps which is convenient.
On	Off	App.net@ronnie suggested this one. User can download anything, but they can’t hide contraband. So if they install forbidden apps they get banished to “Install Apps Off” which is painful for everyone.
Off	Off	As option 1, but can’t remove apps. I can imagine limited use cases.
On	On	The default.

For now I’m going with Install On and Delete Off, with the warning that forbidden fruit will lead to App Store removal.

I’d love to see a fix from Apple but it’s going to take a lot of complaining. I’m not holding my breath.

How to upgrade to Yosemite Aperture when migrating from Mavericks

Via Macintouch:

Applications

… if you’re upgrading from Mavericks to Yosemite, the previous versions of Aperture (3.5.1) and iPhoto (9.5.1) for Mavericks won’t run at all on Yosemite, and you can no longer update them from the Updates tab of the App Store - because they've been removed from the store.

The only way to obtain the Yosemite versions of Aperture (3.6) and iPhoto (9.6.1) is to delete the old versions and then re-download the full applications from the Purchases tab of the App Store."

I guess I’d better hurry up on my Yosemite migration, but at least there’s still a way to do this.

Fortunately I think it’s fairly easy to “steal” Aperture, which, in this case, is probably legitimate.

I have Aperture on both my laptop and my desktop. I’d rather upgrade laptop to Yosemite first, but that will take Aperture there to 3.6. I suspect 3.51 (Mavericks) can’t import 3.6 Libraries. Interesting times.

Update: I tested this on a Mavericks machine I just updated to Yosemite. Even though the “Purchases” list shows Aperture with an “update” button, the update doesn’t work. You do have to delete and redownload. I wonder if this is actually a bug.

Sadly, while it’s still possible to download Aperture, there’s no way to download iPhoto for Yosemite, and iPhoto for Mavericks won’t work. Turns out you can download iPhoto the same way. Delete it then Install from purchased.

iOS and OS X Reminders can be shared among family members

We need a way to remind #1 of certain tasks he has trouble remembering. 

Yeah, a lot of kids have trouble remembering things, but #1 has a very different mind. Some things are hard for him to hold on to.

Thinking about how to do this I dimly saw, somewhere in the cluttered and drafty attic of my memory, something about shared reminder lists in iOS.

I remembered correctly …

iCloud: Share a reminder list

You can share a reminder list with other iCloud users. You might want to do this, for example, to keep all the members of a sports team apprised of what needs to be done for the next game. As the owner of a shared list, only you can add and delete list participants.

Participants in the shared reminder list can view and edit the list (mark items as complete, add items, and delete items), and see who else is sharing the list using these apps: iCloud Reminders, Reminders on an iOS device, Reminders on a Mac, and Microsoft Outlook on a Windows computer.

Outlook? Really? I wonder if that’s true. This is old stuff.

Old enough that it works on Mavericks as well as iOS and iCloud/web. I created a shared Reminder list named after #1 that includes me, Emily, #1’s personal iCloud address and #1’s school/iPad iCloud address. Any of us can interact with reminders.

It was pretty easy to setup. Despite the reference to email in the documentation I was able to accept invitations by using Emily and #1’s iCloud/Web Reminder app. (Though, for some reason, on #1’s 8.3 4s I did have to accept the email invitation. Maybe just a sync issue.)

I suspect we’ll all get alarms, I don’t see a way to target a reminder/alarm to a specific person. 

This will be quite useful.

Google password works on Gmail but nowhere else? Congratulations. You're enrolled in Google Advanced Security.

Ugh. File this on under #FirstMilleniumComputingRIP or #YosemiteRequired or #iOSForEveryone or #aWatchFuture.

A friend got an email a few weeks ago from Google, warning her that some had tried logging into her account from Galati Romania and somewhere in Kyrgyzstan. I didn’t see the original email, but I gather Google recommended she change her password. I don’t know if Google said anything about other consequences. The implication was that Google blocked those accesses [1], much as your credit card company routinely blocks the Moscow charges you never hear about.

By the way, if this happens to you, walk through the Gmail security checklist.

I don’t know if Google mentioned anything in the email about additional security measures, but what she noticed was that she couldn’t use Gmail on her home computer. It said “password incorrect” though she was using the right password.

It took me 30-40 minutes to figure out what was going on. I created a new user account to confirm it wasn’t anything on her Mac running OS X Lion [2]. Then, guessing that Google had enrolled her in some new enhanced security program, I went looking around Google’s security settings and I found an “Access for less secure apps” setting [4]

I also found this notice …

and I could see where our legitimate logons had been blocked (but marking those as legitimate did nothing) …

I can’t find Access to Less Secure Apps controls on my own Google accounts [3]; I think it’s automatically enabled after an account hack or if you click the “Secure your account” link in “Notifications and Alerts” or in the “Devices & activity” above. (Maybe this was mentioned in the email from Google? That would be nice.)

If Access for less secure apps is on, then this article applies:

Allowing less secure apps to access your account - Accounts Help

Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safer.

Some examples of apps that do not support the latest security standards include:

The Mail app on your iPhone or iPad with iOS 6 or below
The Mail app on your Windows phone preceding the 8.1 release
Some Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird …

… 

To help keep your account secure, we may block these less secure apps from accessing your account, and you’ll see a “Password incorrect” error when trying to sign in. If this is the case, you have two options:

Upgrade to a more secure app that uses the most up to date security measures. All Google products, like Gmail, use the latest security measures.

Go to Allow less secure apps and choose “Allow” to let less secure apps access your Google account. We don’t recommend this option because it may make it easier for someone to gain access to your account…

Yeah, all you get is a “password incorrect” error. Which is wrong of course, your password is fine. Problem is, Mail.app for OS X isn’t designed to say “Google doesn’t like me”. It tries to connect, gets rejected, and renders this as “password incorrect”.

Once I figured out the problem I found Google’s April 2014 security blog announcement:

Google Online Security Blog: New Security Measures Will Affect Older (non-OAuth 2.0) Applications

… beginning in the second half of 2014, we’ll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

You do know what version of OAuth OS X Mail.app uses, don’t you? Oh, wait, does Mail.app even use OAuth?! It appears so as of 10.0.3 (Yosemite); I suspect Google considers any OS X app (Mail, Calendar, Contacts) prior to Yosemite to be less secure.

There’s a bit more useful information in this April 2014 ghacks.net article. I’m sure you read that one regularly to keep your Google services working smoothly! As noted in the article, you can enable Access for less secure apps [5]. That took care of my friend’s problem.

Sigh.

My friend asked me what regular people do. My answers was, unfortunately, they don’t/can’t. The writing has been on the wall for a few years — civilians should not own “computers”. They should a single iOS device [6] and do everything through Apple [7]. This kind of thing is only going to get worse.

- fn -

[1] But what about the accesses Google might not have blocked? Google Account security now lets you see what devices have signed in from where over the past 28 days as well as review your security notifications. Between those and reviewing your Account Permissions you can get a rough idea if an unsophisticated attacker got by Google’s secondary defenses.

[2] I also have a Lion machine the kids use a bit. It’s no longer being updated of course, and I should probably retire it.

[3] I checked both my 2FA and non-2FA Google Apps/Google accounts and didn’t see it on any of them.

[4] First I went through her access history and authorized a number of them. Turns out that’s pointless, Google just provides that to keep us confused. 

[5] Or enable 2FA. Google 2FA is less of a PITA than it once was, but it’s not ready for civilian use. Too many ways to go wrong, especially when a device is stolen.

[6] I don’t think Android is a good choice. Sorry. The single best choice for most is probably an iPhone 6+. There’s an unmet need for an flip-phone-like compact device that provides simple phone services to a companion iPad. Maybe Apple Watch version 3 will do that.

[7] if Apple doesn’t do it, then give up.

 

H2O Wireless - getting a nano SIM for your upgraded phone - and keeping your old H2O number.

H2O Wireless is a rock bottom ultra-cheap AT&T MVNO. We use it for the 3 kids and their iPhones, with very minimal data services (Find Friends, email, Find My Phone — everything else is more locked down than even Emily and I).

 

Child #2 costs us about $40 a year - the minimum to keep his account open. He doesn’t talk or text much and is almost always on WiFi. He plays games. #1 costs about $10 a month — he does SMS, iMessage, and a few other apps. His data usage is primarily Apple’s utterly mysterious “iTunes Accounts”.

 

#3 runs through $10-20/month — she might end up on our AT&T plan. Lots of texting.

 

Our total child cellular service bill with H2O is about $25-$30/month. Hard to beat for 3 kids. In theory there are no data services with the H2O per minute plan, but we installed the H2O Profile and we get “4G” data. (Though on #2’s i5 if I enable LTE the tower boots us off the network)

 

Of course there’s a downside to the low end of the network. Although H2O’s web site has improved significantly over the past few years, service can be tricky to get. Some things are hard.

 

Things like … getting a Nano SIM so my son could go from a dying 4 to a used 5 [2].

 

The first time I called H2O Support (1-800-643-4926) I was told I could use the number transfer request screen and transfer the number from H2O to H2O, providing a fresh SIM number and an IMEI. Warning: this does not work (at least, not entirely, and not for us).

 

On a second call I was told that only H2O reps can do the transfer. You have to buy a fresh H2O Nano SIM and call them with the “ActFast” code. They will then try to activate the phone with the new SIM. Sometimes it works, but for some numbers/SIMs it doesn’t. (Life at the low end.)

 

In our case I ordered an H2O “Smart SIM” on Amazon for 0.01 [3]. I called support with the SIM in the phone; surprisingly there was no wait. The support person was able to activate the phone, interestingly he didn’t need the IMEI. The initial signal was very weak, he told me to “dial”  ##21# — that supposedly requests service from the tower. It did seem to boost the signal.

 

I’d already installed the H2O profile, but I deleted the old one and reinstalled. I found he could get “4G” data (not bad), but when I tried to enable LTE the tower cut us off. (H2O says per-minute plans get no data, so I can’t complain.)

 

After the transition the web site says #2’s balance is intact. Which is pretty good, because after years of paying for the number with minimal use he has quite a nice balance.

[1] not backed up by the way, so you need to reinstall if you do a restore

[2] I actually cut down his old Mini-SIM to nano-size and it worked, but I’ve never been able to get data on his SIM. So I wanted a fresh Nano.

[3] I’ve ordered several Amazon SIMs. The first time I did it I assumed it was a scam. It doesn’t seem to be, I think the sellers get money from H2O and the like every time a SIM is activated. They’re $15 from the H2O site.