Sunday, May 15, 2022

How to leave Google Apps / G Suite / Google Workspace

UPDATE: As of early May 2022 Google has relented and will allow continued personal use of legacy G Suite domains. You need to log in to your domain and then use this URL. (The option is described, a bit obscurely, in a support page).

<background>
It's hard to remember now, but there was a time that geeks had some affection for both Google and Apple (but, TBH, never Microsoft). Those were the glory days my friend.

This year's bitter resentment is brought to you by Google ending free Google Apps services. Back in the glory days Dreamhost bundled these with domains; I picked up 7-9 of them. Two of these Google App domains have been heavily used by my family. They are the core of a wide range of daily things we do, including email addresses associated with numerous logins, credentials, passwords, and so on. (But not with Google OAuth identity services; that is not supported for Google Apps email addresses.)

A few months ago, in early 2022, Google told us that these services, once as permanent as Gmail (*cough*, they're coming for you), would become quite expensive. For us the costs to maintain our current setup would be hundreds to thousands of dollars a year. Shortly after this announcement we were told that there *might* be a reprieve, that non-business services would continue. This false hope was never officially withdrawn, but in May 2022 it has been replaced by a bizarre offer to maybe continue but, like, without email or domain?

Google's very limited online guidance does not review how to exit Google Suite. In email communications they mention a 'suspended state' but do not describe what that means.

So now I have to spend several lovely days in May sitting at my computer trying to salvage our digital identities. We will clearly have to pay for at least one of our domains - principles be damned. Charges begin Aug 1, 2022. </background>

The following is a rough guide to what I will do. Much of this requires knowledge from decades ago that I'm having to refresh.

Considerations and discoveries

  1. It's difficult to move IMAP emails between services. IMAP emails can be copied to a local store. In Mail.app I've had success dragging and dropping emails from one IMAP inbox to another, but I believe this is fragile and unreliable. You can also copy, see this iCloud example.
  2. Local store email is barely supported any more. Mail.app, for example, 
  3. My domains are managed by Dreamhost which does provide some classic web services though fewer than it once did.
  4. Domain-based email forwarding is fragile -- many services including Google will reject it. See DKIM notes below.
  5. Modern email is both essential and a river of spam and Google has good spam filtering (though it was better once)
  6. The knowledge of how to manage DNS settings is more esoteric now than it once was, and Google Search no longer works.
  7. My Dreamhost DNS and mail forwarding has lots of old detritus. That's on me!

References related to closing Google Workspace accounts

  1. Microsoft on switching to Office 365 - cancel subscription
  2. Fastmail also has switching options, but the price is not much less than Google Workspace
  3. Google has not provided any migration guidance.
  4. You close your account by canceling the subscription: https://admin.google.com/ac/billing/subscriptions/ then deleting the account (see below).

References for migrating to Dreamhost email services

  1. Dreamhost email client configuration
  2. The Dreamhost custom MX config panel has 'uses Gmail' management links that take you to Google admin (so not terribly useful, but at least you can tell what to change).
  3. Dreamhost used to support both a mailbox and a forwarding action but you can't do that any more (still works for old settings). Dreamhost uses Roundcube Webmail but has not enabled forwarding in that app. You can use forwarding directly from a domain but I think Google treats emails forwarded this way as spam. (At one time we were supposed to have had quite large storage caps with Dreamhost, but I think email overwhelmed them. Similar to the days our Gmail storage was to be unlimited.)
  4. A comment on this post mentioned imap sync for moving email: "For transferring IMAP email, imapsync works well. There's a free version you can download and run on your computer (or on your hosting provider if you have ssh access). It's well documented and relatively easy to get your head around, and is fast and reliable. I’ve not got any affiliation, but someone pointed me to it a couple of years ago, and I’ve since used imapsync to migrate email hosts for a small organisation. Highly recommended."

References for migrating to Apple iCloud+ email

Apple supports custom domains with iCloud+ email including family sharing.
  1. You can assign up to 5 domains to a family group and for each domain each member can have up to 3 email addresses.
  2. Apple will instruct on how to do DNS settings (there's a bug in the quotes apparently) - there's also a tech note on DNS settings.
  3. Useful twitter stream on migration to iCloud
  4. Detailed twitter thread on migration - Google takeout mbox, import into Mail, then drag from local to iCloud.

My steps to closing an essentially unused account where I didn't worry about forwarding

  1. Go to Google admin console for account.
  2. Review how many users exist. (typically one)
  3. For that user review email to see if there's anything important, sites, docs, etc. Don't forget Google Voice!
  4. From Google Admin account cancel your subscription. Now pay close attention so you don't miss the next step - delete your account (https://admin.google.com/ac/companyprofile/accountmanagement)
When you choose to delete account you see:
Now return to Dreamhost
  1. Go to DNS for domain and delete the Google CNAME records
  2. Go to Custom MX controls and choose "make me regular email". It may take hours for this to work.
  3. At this point Dreamhost enables webmail. But I wonder if this actually blocks email forwarding even if you set that up! (The lack of warning doesn't give me a happy feeling about Dreamhost TBH.) So disable webmail. (Dreamhost also has a control panel for email forwarding that I think is a disabled feature.) - NEED TO TEST MORE HERE
  4. Go to Manage Email and set up a forwarding account as needed. This can take a while. Apple picked up the DNS changes within about 15-30 minutes, but Google took 1-2h. (I wonder if DNS propagation in general works as well as it once did.)
  5. Enable DKIM if not already enabled.
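The Dreamhost steps above amount to three checks on the domain's DNS: no MX or CNAME records still pointing at Google, a working MX at the domain itself, and a published DKIM key. The following is an added example, not part of the original post or Dreamhost's tooling; the record sets, `example.org`, `mx1.mailhost.example` and the `selector1` DKIM selector are constructed, and the Google hostname suffixes are the ones commonly seen in Google Apps setups.

```python
"""Audit DNS records after moving a domain's mail off Google Apps."""
import re

GOOGLE_SUFFIXES = ("google.com", "googlemail.com", "googlehosted.com")

# Constructed sample: records as (name, type, value) before the cleanup.
SAMPLE_BEFORE = [
    ("example.org.", "MX", "1 aspmx.l.google.com."),
    ("example.org.", "MX", "5 alt1.aspmx.l.google.com."),
    ("mail.example.org.", "CNAME", "ghs.googlehosted.com."),
    ("www.example.org.", "A", "203.0.113.10"),
]

# Constructed sample: the same zone after the steps are finished.
SAMPLE_AFTER = [
    ("example.org.", "MX", "0 mx1.mailhost.example."),
    ("selector1._domainkey.example.org.", "TXT",
     '"v=DKIM1; k=rsa; " "p=CONSTRUCTEDKEY"'),
    ("www.example.org.", "A", "203.0.113.10"),
]


def _host(name):
    """Normalise a DNS name: lower case, no trailing dot."""
    return name.strip().rstrip(".").lower()


def _is_google(host):
    host = _host(host)
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def _txt(value):
    """TXT data may be split into several quoted strings; join them."""
    if '"' in value:
        return "".join(re.findall(r'"([^"]*)"', value))
    return value.strip()


def _dkim_key_present(value):
    """True for a DKIM1 record with a non-empty p= tag (empty p= means revoked)."""
    tags = {}
    for part in _txt(value).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags.get("v", "").upper() == "DKIM1" and bool(tags.get("p"))


def audit(records, domain):
    """Return a list of (code, name, detail) findings for one domain."""
    domain = _host(domain)
    findings = []
    has_mx = has_dkim = False
    for name, rtype, value in records:
        name, rtype = _host(name), rtype.upper()
        if name != domain and not name.endswith("." + domain):
            continue  # record belongs to another zone
        if rtype == "MX":
            parts = value.split()
            target = _host(parts[-1]) if parts else ""
            if _is_google(target):
                findings.append(("GOOGLE_MX", name, target))
            elif name == domain and target:
                has_mx = True
        elif rtype == "CNAME" and _is_google(value):
            findings.append(("GOOGLE_CNAME", name, _host(value)))
        elif rtype == "TXT" and "_domainkey" in name.split("."):
            has_dkim = has_dkim or _dkim_key_present(value)
    if not has_mx:
        findings.append(("NO_MX", domain, ""))
    if not has_dkim:
        findings.append(("NO_DKIM", domain, ""))
    return findings


if __name__ == "__main__":
    for label, zone in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(zone, "example.org") or "clean")
```
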

Carbon Copy Cloner won't create sparse bundle disk image (grayed out) - Mojave

On Mojave as of May 2022 CCC v 5.whatever wouldn't create a sparse bundle disk image for me when I selected new disk image as destination. The 'action button' was grayed out. 

I switched from the non-admin account I've long used with CCC to an admin account and I was able to do it.

I was able to create disk images using Disk Utility from the non-admin account.

I don't have time or energy to debug further, but if you run into this issue try an admin account.

PS. Once upon a time CCC would just create a disk image if the task referenced one but none was found on the target drive. That's no longer an option, if you are setting up a new drive modern tasks will require the disk image to exist. It's hard to get the 'right' image manually, so you really want CCC to create it for you.

Also, by the way, and unrelated to above, you need to use AFP if you're doing network CCC backup to a sparse bundle disk image.

Tuesday, April 12, 2022

Universal Clipboard (Handoff, Continuity) not working - Mojave and Monterey, regenerating the authentication token/password

 Recently I've had two issues:

  1. Mojave Universal Clipboard stopped working between Mojave and iOS 15.4.1
  2. Mojave notes iCloud synced but always showed a spinning activity icon
I found that I could make Universal Clipboard work again by creating or editing a note on my iPhone or on Mojave. Once that synced then UC worked until I rebooted.

If Universal Clipboard isn't working first reboot your devices and confirm connection to WiFi with Bluetooth enabled. Then try toggling Handoff off/on on both devices. Then try:
  1. Changing my Mojave location DNS settings from Cloudflare (1.1.1.1) to Google (8.8.8.8). (Based on this post)
  2. Toggling Notes iCloud off then on again (restores notes)
Now the spinning is gone, and UC seems to be working.

Update 5/15/2022: UC is back to not working unless I create a note that's synced between iOS and Mojave. Notes doesn't show the spinning activity icon. So this is an open problem.

Update 8/30/2023

Continuity has worked since May 2022 on my Mojave machine, but I'm now switching to a 2023 M2 Air running Monterey. And, of course, the Universal Clipboard didn't work again.

A few hours later my devices notified me that iCloud services would not be available until I reauthenticated. That tedious and annoying process requires entering the iCloud and device passwords; I think it creates a new token/password behind the scenes. After going through this, Continuity worked again. Signing in and out of iCloud is a common workaround for Continuity issues; I suspect it speeds up regeneration of the new token/password.

It would be nice if Apple improved this process.

PS. Typical things to check when it doesn't work: bluetooth on, devices on same WiFi, etc.

Sunday, March 13, 2022

When iCloud Keychain stops working (No more Safari passwords) - Mojave

I'm buying tickets for an event and suddenly there's no password autocomplete in Mojave Safari. Safari Preferences Passwords shows 3-4 entries, but my Apple passwords show on my iOS devices and my Monterey Air. It's just Mojave that has lost all its iCloud/keychain access.

A good reminder that if you want to use Apple Passwords as a 1Password replacement you need to export a static backup (and this must be automated). The Cloud is where data goes to die.

I found a relevant 2016 Apple Discussion post which would be Mojave era. So I wonder if it's a Mojave bug. The fix there was from "Linc Davis", a "Level 10" with 209K points [1]

Please take these steps to resynchronize the iCloud keychain. Your keychain on iCloud and your other Apple devices won't be affected. Take Step 2 only if Step 1 doesn't solve the problem.
Step 1
Back up all data.
Open the iCloud pane in System Preferences and uncheck the Keychain box. You'll be prompted to delete the local iCloud keychain. Confirm—the data will remain on the servers. Then re-check the box. Follow one of the procedures described in this support article to set up iCloud Keychain on an additional device. Test.
Step 2
If you still have problems, uncheck the Keychain box again and continue.
Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C: 
~/Library/Keychains
In the Finder, select
          Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "Keychains" should open. Inside it is a subfolder with a long name similar to (but not the same as) this:
           421DE5CA-D745-3AC1-91B0-CE5FC0ABA128
The above is only an example; yours will have a different name of the same general form. Drag the subfolder (not the Keychains folder) to the Trash.
Restart the computer, empty the Trash, and re-enable iCloud Keychain.

Toggling Keychain off and on didn't seem to do anything so I figured I'd check in the morning. Before I checked though I did review my passwords in Monterey. For *reasons* (this happens way too often) I had to reenter my iCloud credentials there but I was also asked the usual iCloud keychain questions -- provide passcodes for my other machines.

Then I looked at my Mojave machine and Safari had my passwords again.

Maybe the fix was toggling Keychain and waiting a bit, but I'm suspicious that something happened somewhere in iCloud that required me to do the iCloud Keychain authentication dance from a Mac -- and Mojave couldn't do it.

Again, if you use Apple Passwords as your sole repository you need a non-iCloud backup.

- fn -

[1] No profile info, has participated in 97K threads. Either insane or an Apple staff pseudonym.


Sunday, March 06, 2022

What happens when you have an Apple ID without an email address and you change it? (And much more about Apple ID hell.)

I'll provide some back story below, but it's tedious and a bit ranty so I'll put the most useful stuff up front.

For *reasons* (see below) I have had an Apple ID associated with iTunes, App Store, physical Apple Store, hardware and other purchases for about 20 years. For other *reasons* almost lost to memory the username has not been a valid email address for most of those years. Until recently it had an associated email address it would forward to but Apple changed things sometime in the past two years and that stopped working.

I'm simplifying.

We will call this Apple ID username "bob@mac.com". I will use alice@icloud.com and dan@me.com for my new Store Apple ID ("Media & Purchases") and my longstanding iCloud Apple ID respectively.

Once bob@mac.com stopped forwarding I no longer received notifications related to Apple Discussions or emails related to charges. Since bob@mac.com was the store Apple ID for my family (this was the practice in early iTunes days) our children (now adult) used it for purchases. Simplifying a lot and omitting family details the lack of email meant no monthly statements -- so I didn't spot a scam subscription - among other things.

I knew I had to fix this but I dreaded the side-effects. I'd already tried undoing the shared store Apple ID and ran into disaster; I had to reverse that attempt. I had to fix the Apple ID invalid email problem first.

Before Apple broke forwarding for the Apple ID "bob@mac.com" I had used "alice@icloud.com" as a forwarding address. Although there was no clue in the Apple ID online configuration tool, I knew alice@icloud.com was still entangled with bob@mac.com (see below, this post goes on for a long time but still omits much).

OK so far? It gets a bit simpler, then you can skip the back story.

Anyhow ... when Apple broke forwarding they seem to have introduced the ability to change an Apple ID userid - such as bob@mac.com. I believe, though I can't find any documentation, that the visible username with the form of an email address (ex: bob@mac.com) is an alias for an unchanging hidden identifier (maybe a GUID). 

After some thought I decided the cleanest approach would be to change my Store Apple ID visible username from bob@mac.com to alice@icloud.com (I knew the two were entangled, see below). It's easy to make this change from appleid.apple.com. When I did this I was not asked to confirm that alice@icloud.com was a valid email address I owned. All I got was an email sent to alice@icloud.com saying the change had been made.

After I made the change I found the following. I expect other changes as Apple's different systems synchronize and update (I will update this as I learn more, I expect to learn of problems from family members later today):

  1. I cannot login to the Apple ID or anywhere using bob@mac.com but the two factor notification dialog still says bob@mac.com (this may change).
  2. I think I may have more control over Apple ID two-factor, I can add/remove trusted devices, remove from account, and I can add a second trusted phone number. I still can't add a backup email address; that is available on some other Apple IDs I have
  3. Apple Discussions is intact. When I login with alice@icloud.com I show as "member since June 23, 2003".
  4. Mail sent to bob@mac.com still fails, there's no redirect.
  5.  iTunes on Mojave: asks me to sign in and displays new alice@icloud.com. Says session expired, asks again. Purchase history intact.
  6. Media & Purchases on iPhone showed new iCloud address and I had no trouble with updating apps.
In addition, Messages in my personal dan@me.com iCloud stopped working! It turns out "Messages" has legacy associations with the old Apple Store ID used with iMessage before Apple implemented iCloud. I got this error message

Messages in iCloud not available as iCloud and iMessage accounts do not match. (Messages in iCloud is not available because iCloud and iMessage accounts are different.)

There's a fix here but it's not the one I needed. When I looked at Messages on my iPhone it showed only my Phone number, the Apple IDs were all absent. When I tried to enter an Apple ID it showed my store Apple ID; I chose "use other Apple ID" and entered my personal iCloud Apple ID. That worked and it immediately restored all my send/receive message list. I could then reenable messages in iCloud.

It didn't fully work on Mojave iMessages though. I reenabled using iCloud Messages in preferences there and about an hour or two later it seemed to start working (though uploading messages to iCloud is still ongoing.)

That concludes the current record of changes to date. So far it has been less of a problem than anticipated, but it's early days. I will add other issues as they emerge. Then I can return to the herculean tasks of moving family members off of a shared Media & Purchases account.

Below are details for the benefit of someone searching who finds this post. They are related older items that I will summarize in outline.

----------- additional details ---------------

As noted above years ago I had alice@icloud.com as forwarding email for the Apple ID bob@mac.com. The address bob@mac.com had no associated email because of complex changes Apple made in migrating from free iTools to not-free .Mac to MobileMe. [1][2]

When I finally realized I wasn't getting Apple media purchase statements for bob@mac.com I began investigating what had happened to the old alice@icloud.com iCloud account. I found it was deactivated. I was able to reenable it. That's when things got weird. Remember (if you read above) that there was no longer anything in the Apple ID settings for bob@mac.com that showed alice@icloud.com.

Once I reenabled alice@icloud.com with a new password I found that:

  • Both alice@icloud.com and bob@mac.com worked as usernames for the same bob@mac.com Apple ID.
  • The password for the bob@mac.com Apple ID had changed to match the alice@icloud.com password. [This actually took a day to propagate to iTunes purchases]
  • Both alice@icloud.com and bob@mac.com showed the same iCloud services (mail, etc).
  • bob@mac.com was still not a valid email address. 
- fn -

[1] https://en.wikipedia.org/wiki/MobileMe#.Mac

Originally launched on January 5, 2000, as iTools, a free collection of Internet-based services for Mac OS 9 users, Apple relaunched it as .Mac on July 17, 2002, when it became a paid subscription service primarily designed for Mac OS X users. Apple relaunched the service again as MobileMe on July 9, 2008, now targeting Mac OS X, Microsoft Windows, iPhone, and iPod Touch users.

On February 24, 2011, Apple discontinued offering MobileMe at its retail stores, and later from resellers. New subscriptions were also stopped. On October 12, 2011, Apple launched iCloud to replace MobileMe for new users, with current users having access until June 30, 2012, when the service was to cease.

... The original collection of Internet software and services now known as iCloud was first called iTools, released on January 5, 2000, and made available free of charge for Mac users.

Services offered by iTools included the first availability of @mac.com email addresses, which could only be accessed through an email client (e.g. the Mail app); iCards, a free greeting card service; iReview, a collection of reviews of popular web sites; HomePage, a free web page publishing service; the first version of iDisk, an online data storage system; and KidSafe, a directory of family-friendly web sites.

.Mac
As costs rose, most particularly due to iDisk storage space, the wide demand for @mac.com email accounts, and increasing support needs, iTools was renamed .Mac on July 17, 2002, as a subscription-based suite of services with a dedicated technical support team.

... Existing iTools accounts were transitioned to .Mac accounts during a free trial period that ended on September 30, 2002. This move generated a mixed reaction among Mac users, some believing .Mac was overpriced...

[2] eWorld https://en.wikipedia.org/wiki/EWorld

. Yesterday the password for App Store was different from password for Apple ID but today they seem to be same. I think they are two different systems that update every few hours...

 · Feb 19

Today it appears there is a single Apple ID with two usernames and one password. One username has iCloud services but is nowhere displayed in Apple ID information. twitter.com/jgordonshare/s…

... If you change a phone's Store ID to match the phone's iCloud ID  you cannot update all their apps with their iCloud ID password. You need to use the old Store ID password. Even when family sharing is in play...

... I have a hunch that Apple has an internal ID for users separate from the username (email form) displayed with their Apple IDs and Store IDs and iCloud IDs and that is what they use in FairPlay. 

Saturday, March 05, 2022

The AT&T / Apple eSIM activation fee scam: $30 "discount" and a $30 activation fee

This is what you see when you go to buy an iPhone from Apple these days and pay full price:


You can choose "Connect to a carrier now" or "Connect on your own later". In this case they are the same price. 

If you choose "Connect on your own later" there's no additional fee. You swap the SIM card from your old phone and go.

If you choose "Connect to a carrier now" you will get an unlocked phone but it has an eSIM. It will also be "activated"; when that happens the eSIM is enabled and the old SIM card is disabled. Carriers charge a fee for activation. For AT&T it's $30.

So in this case you pay $1,100 for the iPhone and there's a hidden fee of $30 from AT&T if you go the eSIM route. (I suspect if you switch a phone from SIM to eSIM you will also be charged $30.)

Sometimes Apple may choose to list the "Connect to a carrier now" with a "carrier discount" of $30. In this case they'll display the cost of the phone with the discount applied; the "Connect on your own later" will be $30 more. But if you choose the cheaper option you will get charged the $30 from your carrier. So Apple is .... lying about the price. Apple probably gets a kickback from the carrier.

Just choose "Connect on your own later" and pay the real price up front.

Twitter version:

AT&T's various fees, including this one.

Update 9/11/2022: For a semester in Italy we converted my daughter's physical SIM to an eSIM using the iOS convert to eSIM feature. Our next bill will tell us if there was a fee associated with the conversion.

Friday, February 25, 2022

Impressions of the Eero 6

In retrospect my AirPort Extreme was probably flaky for a while. It's hard to diagnose router failure issues, but my son complained his iPad Zwift app was disconnecting. I was getting corrupted Synology Time Machine backups after years of good results. Then the router started to power down spontaneously. It was 6 years old and the power supply had failed.

We bought an Amazon Eero 6.

Before I talk about the various issues and surprises, let me say this is one of the more fun purchases I've made in a while. It's a huge pain to move all our various devices over to the new primary and "Guest" (where untrustworthy hardware connects) networks, but it's delightful to see 5 WiFi bars everywhere. Including the MyQ garage opener -- which is at least 50 feet from our home. (That's how we open the garage door when it's less than 15F and the external battery powered device doesn't work.) I have one device by the Comcast router, one on the middle floor towards the garage, and one basically hidden beneath the ground floor serving the basement and side patio.

Why did I buy the Eero?

  1. Microsoft doesn't make a router, so the least evil tech giant was unavailable.
  2. Apple doesn't make a router, so my very Evil master was unavailable.
  3. That left Google, Amazon and the small ones (Linksys) who may not last very long and thus can't keep the patches coming.
  4. I read that Eero does a good job of updating its devices.
  5. Google is maximal Evil. I'm in the midst of a long painful divorce from Google Apps and Google Drive and I really don't want anything more from Google.
  6. Amazon could get me an Eero 6 threesome within 8 hours of ordering it. It came at 6am. I felt the fangs of my Prime Parasite dig deeper into my core.
What were the surprises?
  • Some older equipment will not connect to an Eero 6. The problem seems to be that the Eero has one SSID with two frequencies; my old AirPort had separate 2.4 and 5 GHz SSIDs. Devices that can only handle 2.4GHz may not work. We ran into two problems [see update below]:
    1. SONY Playstation 4 (SONY's link no longer works of course): Go to Settings > Network > Setup Internet Connection > Use Wi-Fi > Easy. Select the SSID (wifi network name) but don't choose it! Now press the Options button on the controller. Select the 2.4GHz band. (When I tried 5GHz I got an obscure error message.)
    2. Samsung television: It simply won't connect. Samsung has some tips I've not explored, I could try updating the firmware. Google found some Reddit discussions but that site crashed at the moment. (This TV is behaving a bit oddly, so there may be other issues.)
  • The Eero 6 has two ethernet ports on the base unit. It's hard to tell from Eero's dreadful web site but I believe the Eero 6 Pro has ports on peripheral nodes too. I needed one for the Synology NAS and one to the Comcast modem. Given that not all devices work with the Eero it would be nice to have ports on each station -- I could then hardwire devices that don't work with Eero wifi.
  • The Eeros are smaller than I expected.
  • The Eero app crashes every time I try to assign a device to a profile. I suspect it can't handle the ethernet address swapping of modern iPhones. It's amazing that's not fixed.
  • If you want to use the parental control features on iOS devices you need to turn off the ethernet swapping. This will make it easier for vendors to track your use however.
  • Amazon tries to upsell subscriptions to services including a security package. This is really annoying and it keeps doing it even after initial decline. Be careful not to accidentally subscribe to anything. You don't get filtering or website controls without the extra monthly fee, other routers provide those for free (but they usually don't work well or at all with modern connectivity).
The easiest way to swap routers is to keep the network names and passwords the same. I couldn't do that for reasons, so I get the tedium of reconnecting very old devices to WiFi.

Update 2/27/2022: Pause 5 GHz to allow older devices to connect

I read an Amazon review saying there was a way to pause 5G to allow older devices to connect! I haven't tried on the TV yet. It's an obscure feature:

Settings -> Troubleshooting -> My Device won't connect -> My device is 2.4 GHz only -> Temporarily pause 5 GHz.

There are some other features buried in troubleshooting, including Health Check.