MacInTouch Amazon link...

Apple security and privacy

Channels
Apple, Security
They didn’t. They said it is incredibly risky for a third party app to have MDM on a customer’s device, for exactly the reasons that enterprises using MDM want it: because it gives them an extraordinary degree of access and control.
Tsai Blog said:
Apple Cracks Down on Screen Time Apps That Use MDM
It’s hard to believe that Apple only recently figured out that these very popular apps had been using MDM for years . . . There’s no evidence presented that any of these developers abused the power of MDM.
The apps being evicted were sold in Apple's store. They went through Apple's review process. Apple made money from their sale.

If a giant corporation is allowed by Apple to lock down and monitor iPhones assigned to employees, why shouldn't parents be allowed the same "powers" to protect their children? Wouldn't these "parental monitoring apps" have protected kids we recently learned were lured by Facebook and Google into side-loading really bad spyware?
 


Ric Ford

MacInTouch
Here's a different perspective on Apple blaming MDM for its third-party app shutdowns:
OurPact said:
There Used to Be An App For That
Apple Removed OurPact From the App Store. Here’s What You Need to Know.

On Saturday, April 27th, The New York Times exposed Apple’s systematic removal of screen time applications from the App Store.

Other major publications quickly picked up the story, leading Apple to share a public statement claiming these removals are justified on the grounds that parental control apps using MDM “put users’ privacy and security at risk.” An email from Phil Shiller, SVP Worldwide Marketing, also stated Apple’s position that these apps pose a risk to privacy.

Unfortunately, Apple’s statement is misleading and prevents a constructive conversation around the future of parental controls on iOS.

... Apple recently stated that its own MDM technology, used by millions, poses risks to user privacy and can be abused by hackers. This stands in contradiction to the fact that MDM technology was initially developed by Apple to ensure security of private data on remotely managed devices. Apple alone issues certificates to third parties to communicate with their MDM servers, and Apple themselves are responsible for sending all MDM commands to user devices.

We present here, point by point, Apple’s recent claims in defense of removing apps that use MDM, to be contrasted with quotes from their own MDM documentation....
 


Ric Ford

MacInTouch
The latest silent, invisible Apple security updates:
Eclectic Light Co. said:
Apple has pushed updates to both XProtect and MRT
Apple has pushed two updates overnight, to the ‘Yara’ data files used by XProtect, bringing its version number to 2103, dated 2 May 2019, and to its malware removal tool MRT, bringing it to version 1.41, also dated 2 May 2019.

This update to XProtect’s Yara definitions brings one addition, which Apple refers to as MACOS.6175e25. According to Patrick Wardle, this refers to malware with the ID com.techyutils.UnPack, which he thinks may be more generally known as OSX.AMCleaner, a Trojan which may have been around since late last year.

... I maintain lists of the current versions of security data files for Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.
 


... Gave my mom my old iPad about 6 months ago, mistakenly removed it from my Apple ID without setting it up for her. She gave it to grandkids to set up, and of course no one remembers the PIN they set. And I didn't think to try TouchID - though it was > 48 hours, since the darn thing was dead.

No problem, I'll completely erase and set it up from new! Nope: apparently they linked it to her Apple ID, and of course she can't remember the password.

No problem, we'll do a password reset: She's got a trusted phone number (but an Android device). Nope: too easy. Heaven forbid the virtually non-existent situation arises that somehow a text goes to some criminal who knows her Apple ID. Or that Apple sends an email to her email address (same as Apple ID).

No problem, we'll use my iPhone "Find Phone" and do an account restore! We follow Apple's directions, get a code sent to her phone... but we need to know the iPad PIN (that was the whole thing I was trying to get resolved anyway). So now we can't do anything for 12 days while the account is restored. And I'll have left, out of state by then.

I'm 100% for privacy, but at some point, this is high ridiculousness. It's making it almost impossible for me to ever sell her on expanding her Apple footprint (and mine, at this point).
 


Ric Ford

MacInTouch
Apple is apparently making changes to help protect against a nasty new attack vector:
Bleeping Computer said:
Apple Updates XProtect to Block 'Windows' Malware on Macs

Apple's XProtect security software has been silently updated to include signatures that detect Windows PE files and Windows executables that can run on Macs by utilizing the Mono .NET framework.

... In February, we reported that malware was spotted that utilize a Mac installer to execute Windows executables using the Mono C# framework. Mono is a cross-platform framework that allows C# programs to run on Windows, Macs, and Linux.

The discovered malware samples would extract a Windows executable named Installer.exe that utilizes the included Mono Mac libraries to run on Macs....
 


Apple is apparently making changes to help protect against a nasty new attack vector:
Yes, that was what XProtect version 2102 in mid-April was all about. No other changes to macOS were necessary to be able to detect that specific malware.

It should probably be noted that this was first discussed back in early February by ArsTechnica:
so it took Apple over two months to react.
 


I speculate that Apple has experienced a security breach that it has discovered but hasn't reported. My basis:

1. This morning, my iPhone 5S/iOS12 requested that I enter my password associated with my AppleID.

2. After doing so, it then said I needed to reset my password.

3. I declined, and was locked out -- no iCloud, iTunes, App Store, Apple TV, iPad, iPod, Mac, iPhone backup - nada.

4. My first thought was that my phone had been hacked, not my Apple ID.

5. Called Apple support and was told this was an indication that my account had been attacked. I said that my password was secure and unknown to anyone and asked when and where (IP address) login attempts had been made. I seldom use any Apple services and knew I had not logged in recently.

6. Apple said they could not help me or tell me about alleged login attempts until I changed my password.

7. Upon resetting my password, I was then told that no login attempts had been made for the last two weeks.

Conclusion: Something is rotten in Cupertino. A lot of churn for no known reason. I don't trust Apple one iota, because all the evidence suggests a problem on their end, not mine.
 


...
1. This morning, my iPhone 5S/iOS12 requested that I enter my password associated with my AppleID.
2. After doing so, it then said I needed to reset my password.
3. I declined, and was locked out -- no iCloud, iTunes, App Store, Apple TV, iPad, iPod, Mac, iPhone backup - nada.
...
I've had a couple of power outages recently. On restoration, my Apple TV 3d-Gen tries to auto reconnect to its App Store and iCloud functions. On my other devices (MacBook Pro, iPhone, iPad), I get a popup notification telling me a device (the Apple TV) is trying to log in with my Apple ID from location x, Allow? "Yes", I respond. Then, a 6-digit PIN appears, presumably from the Apple TV, to verify its login. Of course Apple TV 3G does not have the easy ability to respond to 2FA, so I have to go through the agonizing process of entering my complex password plus the 6-digit code (as a single entry) using the Apple TV remote and the alphanumeric grid, which takes a long time and is very easy to mess up. After a few failed tries but finally reestablishing the AppleTV's credentials, I then get messages on my other devices that I cannot use iCloud services on any of them until I re-log in on each with AppleID and password. So, a whole lot of wasted time following a simple, single "Allow" response for the AppleTV (which should have taken care of the whole thing).
 



Our sales manager came into my office this morning waving an iPad in the air. It seems his 2-y/o daughter had managed to 'disable' it by just madly tapping at the screen (over a period of time).

His panic was amplified because his wife - it's her iPad - had been taking all the photos of their kids with the iPad (3 kids under 2). Sadly, it appears it's never been connected to a computer nor been logged into a cloud account.

Now put aside the stupidity of not backing up the device, I'll put it down to the stress of managing a very young family, but I struggle to understand how a company can lock someone out of their own, legally obtained device and essentially delete their data.

This is her device, fully paid for and used in a way for which is was intended. As there was no attachment to an Apple ID, there was no risk of a breach of security for Apple, yet they still feel it OK to prevent access to their data.

Maybe it's just me, but I think that's unforgivable. Surely they could have a system through an Apple Store where you could go in, prove your identity and get your device unlocked.

I can go to a bank with suitable ID and borrow a million dollars, but it seems you can't get data off your own device if Apple deems you unworthy.

I wonder how Tim Cook or Jony Ive would feel if their laptops or phones were suddenly locked with no possible chance to retrieve anything?
 


Sadly, it appears it's never been connected to a computer nor been logged into a cloud account.
I was under the impression that, in order to activate an iPad without a computer, you must enter or create an Apple ID, and everything that I read just now seems to confirm that.
 


Saw today that JAMF, which I believe is the leading supplier of Mac / iOS management "solutions" to corporate and education, just announced new MDM features that seem remarkably similar to what the apps that were just evicted from the Apple Store were doing.
iTunes "App Store" said:
App Store Preview: Jamsoft Parent
Jamf School Parent empowers parents to manage their children's school-issued devices. Using the intuitive interface, you can restrict which apps your child can access on their device, receive notifications when your child arrives at school, and schedule homework time or bedtime by using a Recipe to allow or restrict certain apps.

Key features:
- Restrict and allow apps in real time (including games and social media)
- Restrict and allow device features (including the camera)
- See the device's last known location
- Create scheduled app restrictions for homework time, bedtime, and timeout
- Be notified when your child arrives at school

This app may use your location even when it isn't open, which can decrease battery life.
This is just a piece of a comprehensive set of products. More information at the Jamf
website.
 


I was under the impression that, in order to activate an iPad without a computer, you must enter or create an Apple ID, and everything that I read just now seems to confirm that.
In the pre-Christmas 2018 sales I picked up a set of 9.7" iPads. We use them with FaceTime across remote locations as a kind of intercom. Turns out, with the difficulty I've had with cross-OS remote desktop management, much support is possible if a remote user just aims the iPad camera at the troubled computer screen.

We set these up with a set of new Apple IDs we're not sharing and not publishing. We sure don't want family, friends, and strangers bursting into our "office intercom."

Hadn't paid much attention to the iPad on my desk, as I only use it for the intercom function. But today's discussion led me to open its settings, where I found to my surprise it was actively using iCloud Drive. The one photo I'd taken on the device when it was new is sitting there, as are contacts, iPad backups, Siri (I have Siri turned off as I don't want her listening to my phone calls in the office).

Even with "Location" Off, "Find my iPad" was On, though with a warning it couldn't find my iPad on a map without location services enabled. What wasn't clear: what else Find My iPad could do. To check, I logged into the iPad's iCloud account on my computer, clicked over to "Find" and learned it had the approximate location (from IP address, possibly from Apple having mapped the SSID of our office Wi-Fi?). I did have "Find" send a beep to the iPad, which worked.

The device's iCloud Drive (with the one photo uploaded) is storing 18 MB. The one "Live Photo" taken on the iPad seems to be 6 MB locally. If there's a way to find how large the iCloud version is, I'm not finding it. That leaves 10 MB on iCloud which doesn't show in the "online iCloud Drive." Doesn't seem like much, until contemplating a conversion table I found that says 10 MB will hold 5,000,000 "words."
 


I was under the impression that, in order to activate an iPad without a computer, you must enter or create an Apple ID, and everything that I read just now seems to confirm that.
I genuinely don't know - I don't currently own an iPad - I'm just going on what he told me.
 


Our sales manager came into my office this morning waving an iPad in the air. It seems his 2-y/o daughter had managed to 'disable' it by just madly tapping at the screen (over a period of time). His panic was amplified because his wife - it's her iPad - had been taking all the photos of their kids with the iPad (3 kids under 2). Sadly, it appears it's never been connected to a computer nor been logged into a cloud account.
I cannot personally vouch for this service, but the founder has been written up and they may be worth contacting:

 


Saw today that JAMF, which I believe is the leading supplier of Mac / iOS management "solutions" to corporate and education, just announced new MDM features that seem remarkably similar to what the apps that were just evicted from the Apple Store were doing.
This is just a piece of a comprehensive set of products. More information at the Jamf
website.
No, Jamf's offering is not like the parental apps just removed. Jamf's offering is marketed to school districts, not directly to the parents. It is designed to be used with institutionally (i.e. school)-owned devices. However, it appears to allows parents to have some control over the devices that are issued to the individual students, but since the devices are still owned by the district (presumably), Apple doesn't consider this a "security risk"

For the record, Apple's excuse for removing the parental apps is pure bunk. They blatantly lied in their press release and Schiller's statement. I have no problem with Apple not wanting companies to use MDM on personal devices, but don't lie about the security implications and malign the companies that used that method.
 


For the record, Apple's excuse for removing the parental apps is pure bunk. They blatantly lied in their press release and Schiller's statement. I have no problem with Apple not wanting companies to use MDM on personal devices, but don't lie about the security implications and malign the companies that used that method.
I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
 


I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
I think there are a couple of different issues here. First, I'm not aware of any evidence (or even claims) that the companies using Apple's MDM were using their access to violate the privacy of their customers. Apple is objecting on the basis of potential mis-use of data, not claims that it has been mis-used.

Then there's the question of whether the companies' customers understood the kind of access they were granting, and the potential for privacy violations if it's misused. Assuming the customers understand the issues and trust the company, shouldn't they have the option of allowing that access to get the features the apps provide? Apple is taking away that option.

Finally, this wouldn't be an issue if Apple allowed apps to access its Screen Time APIs. It currently doesn't, so competitors have few, if any, options other than MDM to implement similar features.
 


I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
But, that is the story that Apple is trying to sell here. That, somehow, by using the MDM protocol, these are risking user privacy. That is, quite frankly, a lie. For if it was the truth, then Apple's MDM system would be severally broken. Even Apple's won documentation disputes what Phil wrote in his email. From the document "Managing Devices & Corporate Data on iOS" [PDF],
MDM can see:
  • Device name
  • Phone number
  • Serial number
  • Model name and number
  • Capacity and space available
  • iOS version number
  • Installed apps
MDM cannot see personal data such as:
  • Personal or work mail, calendars, contacts SMS or iMessages
  • Safari browser history
  • FaceTime or phone call logs
  • Personal reminders and notes Frequency of app use
  • Device location
As someone who is certified in Jamf and worked with several other MDMs, I can confirm that the data that an MDM can see is not nearly as intrusive as Apple tried to imply. (In fact, I felt Apple even did a little fear mongering and implied that these apps were nefariously using the data, without providing any proof.)

From my standpoint, if I were a large enterprise customer utilizing MDM, I would ask Apple to clarify how the MDM can be a privacy risk when it is sold as a way to ensure data is managed and kept private.
 



Yes, you need an Apple ID to set it up. But you don't ever have to set it up with iCloud. The two are separate.
I wouldn't exactly call them separate, in that an Apple ID is needed to access iCloud, iTunes, Mac App Store, etc., although I do agree that one does not have to ever use iCloud.

But that wasn't really the point I was trying to make. I probably should have included more of the original poster's quote
As there was no attachment to an Apple ID, there was no risk of a breach of security for Apple, yet they still feel it OK to prevent access to their data.
Since it's all [second-hand information], we really don't know how Apple reacted to this issue, but I believe there must be an attachment to an Apple ID and that, with proof of ownership, Apple won't intentionally prevent access to the data, if it's possible to retrieve it.
 



I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
I would be more sympathetic to Apple's position if these apps had not been previously approved for sale - and, once approved, being available for many months, even years in some cases, and now all of a sudden they are a security problem. All of a sudden, because Apple is now providing similar security features. As Andre Aggasi used to say in his Canon commercial, "Image is everything!", and Apple's image in this case has been sullied.
 


Yes, you need an Apple ID to set it up. But you don't ever have to set it up with iCloud. The two are separate.
They may be separate, but there is little knowledge of what Apple ID does what to various parts of macOS. Apple, if you are reading this, create an Apple ID manager that provides clear management of Apple IDs.
 


Maybe it's just me, but I think that's unforgivable. Surely they could have a system through an Apple Store where you could go in, prove your identity and get your device unlocked. I can go to a bank with suitable ID and borrow a million dollars, but it seems you can't get data off your own device if Apple deems you unworthy.
[Actually] Apple does have a process for recovering locked devices when you can prove your identity. I understand your frustration - I went through this with a deceased relative's iPhone. The process is somewhat cumbersome, but it seemed to me not wildly inappropriate for what reasonable security might require. (The process for the cool $mil from the bank may also be a little trickier than you assume.)

My deceased-relation case was one in which I had neither the iOS passcode for the device nor the password for the Apple ID. I expected that to be hard (had to provide death certificate, took months). I believe that if you just have a lost or forgotten iOS passcode, the process is much more efficient.
 



Ric Ford

MacInTouch
More about yesterday's Apple security updates:
Eclectic Light Co. said:
macOS Mojave 10.14.5 update has been released, with Sierra and High Sierra Security Updates 2019-003

... This release also disables any accessories which have insecure Bluetooth connections, and fixes an issue with resetting user account passwords after using a personal recovery key (PRK) to unlock a FileVault volume. Full details are here.

Security fixes include: a bug in the App Firewall, vulnerabilities to crafted audio and movie files, a bypass for Gatekeeper checks (an important fix), a couple of issues with Disk Images, an authentication issue in EFI, three kernel bugs, four in SQLite, and multiple bugs in WebKit. A full listing should shortly be available from here.

... Bundled with the main update is an update for Mojave to KEXT block version 14.5.1, and most if not all Macs should have an EFI Firmware Update: this iMac Pro with a T2 chip moves up to version 220.260.170.0.0 with iBridge at 16.16.5125.0.0,0. Thanks to Pico for discovering those already, so that they are now listed on the EFI firmware version page.
 


As for an Apple ID manager, check out:
Apple ID
Manage your Apple account
OK, so I went to the page to manage my Apple ID. Of course, the one thing I wanted to do it will not let me do - merge the multiple Apple IDs that I have.

Also, I wanted to add my home phone (land line) as a contact, but again it won't allow me to. It verifies the phone with a text. Of course, my home phone does not accept text messages. There is no option to actually call the number and give me a code over the phone.

Apple, get with it. Not everyone who has a computer (or Apple ID) has a phone that is capable of receiving text messages.

Yet another way that Apple is becoming less attractive to me.
 


I recently attempted an online donation from my iPhone using Apple Pay. There were three addresses listed for my credit card, but only one was mine. The others were recognizable: one was”Jim” at a local (Oregon) business suite where I had done business years ago, but the other was weird... the name and address of the present owner of a real estate agency, 2500 miles away, with whom I have never had any kind of business transaction, although I did visit once years ago. The incorrect info appeared in my Apple Pay prefs.

A senior moment might be the cause, but has any one else seen this behavior?
 


Important to note that macOS 10.14.5 and Security Update 2019-003, for macOS 10.13 and 10.12 only, has security fixes in place for the ZombieLoad issue effecting Intel CPUs. However, the fixes are not supported on older Mac hardware from 2009/2010:
Apple said:
What's really strange is that to enable full mitigation from this issue also requires the user to manually use the terminal!
Apple said:
I say "strange", but actually it's clearly about user perception - if you enable full mitigation, your Mac will slow down significantly in some circumstances.

Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.

But I guess that's okay, let's leave everyone vulnerable to potential exploit because Apple doesn't want bad press about Macs slowing down. (YDVOAMV - Your Dystopian View Of Apple May Vary)
 


OK, so I went to the page to manage my Apple ID. Of course, the one thing I wanted to do it will not let me do - merge the multiple Apple IDs that I have.
Not long after Tim Cook became CEO, there were indications that Apple was working to allow the merging of Apple IDs and that the issue had Cook's personal attention. Unfortunately, it looks like the best that Apple has been able to do is to offer "Family Sharing."

The ability to merge Apple IDs has been a popular request for a long time. I suspect that it may be one of those things that is extremely obvious and easy to articulate but devilishly difficult or extraordinarily costly to accomplish for any number of obscure/complicated technical issues. My bet is that true merging of Apple IDs is a feature that never will be implemented.
 


OK, so I went to the page to manage my Apple ID. Of course, the one thing I wanted to do it will not let me do - merge the multiple Apple IDs that I have.
[An issue] since at least MobileMe days has been the inability to merge Apple IDs.

The best way to "merge" accounts (app or iTunes purchases) is to set up both Apple IDs as members of a family plan.

If you are trying to access mail on two IDs, you might set up the less used one to forward to your main account.
 


DFG

Apple has posted instructions on how to enable full mitigation for the well-known Intel CPU vulnerabilities.

The mitigation comes in the form of two new NVRAM options, which get installed with the latest security updates. Thankfully, this works not only on Mojave, but in High Sierra and Sierra as well.

The catch? There are two: 40% performance penalty, and the mitigation isn't enabled in Boot Camp. This seems overkill for a normal user, so I am not going to apply it on my MacBook Pro. Hopefully I won't regret it some day.
 


Apple has posted instructions on how to enable full mitigation for the well-known Intel CPU vulnerabilities. ... This seems overkill for a normal user, so I am not going to apply it on my MacBook Pro. Hopefully I won't regret it some day.
See this article on AppleInsider:
Malcolm Owen said:
Why that 40% performance hit for full 'ZombieLoad' mitigations probably won't affect you

... Apple was quick to patch the problem as part of the macOS Mojave 10.14.5 update on Monday, protecting effectively all Macs released from 2011 onwards. The patch itself has no measurable performance hit on Macs when left alone in its default state, however this did not provide a full mitigation for the vulnerability.

A full mitigation could be applied, eliminating any possibility of the issue affecting a Mac, but in the process it disabled hyper-threading and, by Apple's estimates, reduce system performance by as much as 40%. This reduction only applied to anyone who enabled the full mitigation in the Mojave update, as well as those who installed Security Update 2019-003 for High Sierra and Sierra and similarly enabled it.

... A source of AppleInsider within Apple corporate not authorized to speak on behalf of the company advised "The Mojave patch from Monday has robust protections for MDS vulnerabilities. If users feel that they are at a high-risk for related attacks, we've enabled the ability to turn off hyper-threading in total in Mojave, Sierra, or High Sierra."
 


Ric Ford

MacInTouch
More on the ZombieLoad vulnerability and patches:
TechCrunch said:
Apple, Amazon, Google, Microsoft and Mozilla release patches for ZombieLoad chip flaws
... Apple has fixes out for every Mac and MacBook released during and after 2011.

The tech giant said in an advisory that any system running macOS Mojave 10.14.5, released Monday, is patched. This will prevent an attack from being run through Safari and other apps. Most users won’t experience any decline in performance. But some Macs could face up to a 40% performance hit for those who opt-in to the full set of mitigations.

The security update will also be pushed to Sierra and High Sierra versions. iPhones, iPads and Apple Watch devices aren’t affected by the bugs.

Google patches Android, will update Chrome

The search and browser maker also confirmed it has released patches to mitigate against ZombieLoad. ...

Mozilla plans long-term Firefox fix

Firefox browser maker Mozilla said it’s got a long-term fix on the way.

“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”
 


I recently attempted an online donation from my iPhone using Apple Pay. There were three addresses listed for my credit card, but only one was mine....
Joe Hallett's report of bogus addresses on a credit card reminds me of an incident over 30 years ago when a credit card company merged my account with that of a woman a few miles away and started sending the bills to her. It was quite a mess and took a while to straighten out. I wonder if the difficulty of sorting out such messes is one reason why Apple makes it very hard to combine Apple IDs. I suspect another is that hackers might find ways to combine AppleIDs with yours and use that for identity theft.
 


A movie trailer of a potential Apple ID horror story from the real world:

Yesterday I was checking out a purchase at a major retailer. Next to me, a woman and the cashier helping her were trying to log the woman's iPhone into iTunes to download the store's app so the woman could claim a discount. In the process, the woman was revealing what she thought was her Apple ID(s?), loudly enough for me to overhear, had I been trying.

Having finished my transaction, I decided not to intervene against the public vocal sharing of log-in credentials - that the customer didn't seem to remember accurately. I hope she didn't get locked out.
 


I'm dealing with my own (or rather, a friend's) Apple ID nightmare right now. He's a farmer, so not really tech savvy (unless he's running the fancy GPS in his combine). Migrated him from an ancient HP Pavilion to an iMac in 2011. His wife set up the Apple IDs, but they've since divorced.

He just got an iPad to run a couple agricultural apps and asked me to help set it up so it syncs with the iMac.

Problem 1: he didn't know the Apple ID password, so we had to call Support and wait 24 hours to reset. Got that done last night.

Problem 2: He "knows" the answers to his security questions, but apparently the answers are case-sensitive, and one of the questions is the name of the road he grew up on, which was renamed at some point, and he's not sure which name would have been entered. I've now locked his account out for the 8-hour wait period twice trying to properly answer these.

A call to Apple Support last night was unhelpful, as they apparently will not / cannot reset from their end. There is no indication initially that you entered the wrong information, either! And even if you do figure out what happened, there is no clue given as to which answer was incorrectly entered.

Problem 3: The recovery email address was his former wife's and is a dead account now - no access to it.

Problem 4: She used to own an iPod Touch, which was the only other Apple device that could have received a confirmation code.

So we appear to be stuck, and the only option I can think of now is to create a new Apple ID and hope there wasn't too much media or many apps purchased under the old one, since all that will be lost.

Open to suggestions if I've left out an option.

My friend uses a Samsung phone, and has asked about replacing it with an iPhone. The integration would be nice, but as he will likely need to replace the iMac before long, I'm about ready to tell him to get an HP or Dell and to keep the Samsung... I bet the agricultural apps he wants to run are available on Android, too.
 


I'm dealing with my own (or rather, a friend's) Apple ID nightmare right now. He's a farmer, so not really tech savvy (unless he's running the fancy GPS in his combine). Migrated him from an ancient HP Pavilion to an iMac in 2011. His wife set up the Apple IDs, but they've since divorced.

He just got an iPad to run a couple agricultural apps and asked me to help set it up so it syncs with the iMac.
Problem 1: he didn't know the Apple ID password, so we had to call Support and wait 24 hours to reset. Got that done last night.
Problem 2: He "knows" the answers to his security questions, but apparently the answers are case-sensitive, and one of the questions is the name of the road he grew up on, which was renamed at some point, and he's not sure which name would have been entered. I've now locked his account out for the 8-hour wait period twice trying to properly answer these.
A call to Apple Support last night was unhelpful, as they apparently will not / cannot reset from their end. There is no indication initially that you entered the wrong information, either! And even if you do figure out what happened, there is no clue given as to which answer was incorrectly entered.
Problem 3: The recovery email address was his former wife's and is a dead account now - no access to it.
Problem 4: She used to own an iPod Touch, which was the only other Apple device that could have received a confirmation code.
So we appear to be stuck, and the only option I can think of now is to create a new Apple ID and hope there wasn't too much media or many apps purchased under the old one, since all that will be lost.
Open to suggestions if I've left out an option.
My friend uses a Samsung phone, and has asked about replacing it with an iPhone. The integration would be nice, but as he will likely need to replace the iMac before long, I'm about ready to tell him to get an HP or Dell and to keep the Samsung... I bet the agricultural apps he wants to run are available on Android, too.
A couple of suggestions, Stembridge:

Do try everything you can to get the existing Apple ID access problem resolved. You never know when your friend may need some app or information stored in that account that he isn't thinking of now.

Also, by all means create a new Apple ID for him, so all his future Apple dealings can be done with it and exclude his ex-wife. If he can gain access to the original account, he can likely use family sharing to gain access to items associated with it.

And one final, but very important security item: never answer security questions with real information! If the information is ever hacked, such as mother's maiden name, you don't want the crackers to be able to use that information to access your other accounts. Instead, make up different, bogus information for each question on each account, e.g. mother's maiden name = Lovely, SuperLady, or Queenie; first boss = Pontificator, LoudMouth, Hercules. Of course, make a secure record of all these, with backups.
 



Amazon disclaimer:
As an Amazon Associate I earn from qualifying purchases.

Latest posts