Advanced Data Protection will complicate new device setup this Christmas

Posted:
in General Discussion
Users who have already enabled Advanced Data Protection will have a more complicated device setup process than normal this holiday season, especially for new HomePod and Apple Watch owners. Here's why.

Advanced Data Protection launched with iOS 16.2
Advanced Data Protection launched with iOS 16.2


End-to-end encryption across iCloud backups, photos, iMessage , and several more categories is an obvious benefit of Advanced Data Protection. This increased level of privacy and security will drive tech-savvy users to enable the feature ASAP, but it does come with some inconveniences.

Apple says that products must be running the latest operating system updates in order to be signed into an Apple ID with Advanced Data Protection. Otherwise, these products could potentially mishandle the new service keys generated by the feature.

Apple's support document specifies the issue below.
Devices where the user is signed in with their Apple ID must be updated to iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, and the latest version of iCloud for Windows. This requirement prevents a previous version of iOS, iPadOS, macOS, tvOS, or watchOS from mishandling the newly-created service keys by re-uploading them to the available-after-authentication HSMs in a misguided attempt to repair the account state.
That means any new iPhone, iPad, Mac , Apple TV, Apple Watch, or HomePod must be up to date before being added to an Apple ID. That's not a direct issue for products that can be updated without an Apple ID, but it will create some complications for setup.

Setting up new products while using Advanced Data Protection

An iPhone, iPad, Mac, and Apple TV can be set up without an Apple ID attached. So, users with Advanced Data Protection enabled can turn on the new product, select an option that says something like "Sign into an Apple ID later," and then get the device up to date in Settings.

Products that can't be interacted with unless they are attached to an Apple ID create a different problem. The Apple Watch and HomePod both need to be attached to an account before they can be configured and updated, so users must handle setup a different way.

The most simple option is to turn off Advanced Data Protection, set up the new device, get it updated, then turn Advanced Data Protection back on. This method can be used for setting up new iPhones, iPads, etc. as well if the user wants to avoid the awkward setup procedure mentioned earlier.

Another option would be setting up the products on an Apple ID that doesn't have Advanced Data Protection enabled. Perhaps that would mean setting up a "dummy" account just for this purpose or using a spouse's account to get the product set up. However, that may be complicated as a HomePod can only be set up by the Apple Home Organizer, so keep that in mind.

We recommend turning off Advanced Data Protection for the brief time it takes to set up new products. However, turning off the feature then adding a new product introduces another small complication.

New products can't toggle Advanced Data Protection right away
New products can't toggle Advanced Data Protection right away


To prevent a malicious actor from enabling Advanced Data Protection after hacking a user's account from a new device, Apple has applied a limit to the feature. New products won't be able to turn on Advanced Data Protection for a month or so after being added. However, that doesn't prevent other devices from turning it on.

For example, a user with a new iPad would turn off Advanced Data Protection on their iPhone, set up the new iPad, update the new iPad, then turn on Advanced Data Protection from their iPhone. If they attempt to enable the feature from the iPad, they would be stopped by an alert.

This complexity of setting up new products will only be a temporary issue. Eventually, all products purchased new will have updates beyond iOS 16.2, macOS Ventura 13.1, etc. already installed, which will enable new device setup with Advanced Data Protection enabled.

Read on AppleInsider

Comments

  • Reply 1 of 16
    SHKSHK Posts: 25member
    Yeah, I'm thinking this is not worth the trouble.
    gatorguyn2itivguy
  • Reply 2 of 16
    gatorguygatorguy Posts: 24,285member
    I expect a flood of problems from new iPhone users next month. IMO they should be strongly advised not to use Advanced Data Protection.  Even for the rest of us I believe overall it will be more of a problem with little to no real benefit if we engage it. An exception would be journalists, activists, high-profile individuals (public figures) and certain business people. For us more common folk it would be creating a headache. But a number of us will do it anyway.

    Your phone, your choice.
    edited December 2022 lkruppn2itivguy
  • Reply 3 of 16
    Thank you for this heads up article it will make my “tech life” a lot simpler this week.
    watto_cobra
  • Reply 4 of 16
    dewmedewme Posts: 5,422member
    I have not turned ADP on because I have a mix of devices, some with older versions of iOS, macOS, and iPadOS. I’m not sure how ADP handles backward compatibility so I’m not going to do anything that’ll cripple my older devices. 

    For now I’ll just add another layer of tinfoil and wait for a very clear and unambiguous article that describes all of the potentially breaking changes that turning ADP on causes to all devices- old and new. This is something that I cannot afford to be wrong about. 

    Ok ... looked it up on Apple Support: https://support.apple.com/en-us/HT212520

    That makes it easy. Unless all of your Apple devices that use the same Apple ID for iCloud are compatible with ADP, you can't use it. Anywhere. It also kills web access to iCloud data. Of course this makes sense from a security perspective, but it excludes a heck of a lot of existing Apple customers from being able to use ADP at all. I guess I'll check back in a few years after all of my older and unsupported devices buy the farm and go on to the big recycling center in the sky. 
    edited December 2022 n2itivguyStrangeDayswatto_cobra
  • Reply 5 of 16
    I have ADP turned off cause I have several devices that are older. 
    watto_cobra
  • Reply 6 of 16
    dewme said:
    I have not turned ADP on because I have a mix of devices, some with older versions of iOS, macOS, and iPadOS. I’m not sure how ADP handles backward compatibility so I’m not going to do anything that’ll cripple my older devices. 

    For now I’ll just add another layer of tinfoil and wait for a very clear and unambiguous article that describes all of the potentially breaking changes that turning ADP on causes to all devices- old and new. This is something that I cannot afford to be wrong about. 
    Those old devices will eventually have to be removed from accessing iCloud altogether. I have new devices but I am also still holding on to a Sierra iMac which still going strong and I can do a few things there that got broken since High Sierra. But I discovered last week that safari passwords where keychain is located on Sierra doesn’t update anymore to the cloud. So the password count doesn’t match. If you add a password on Sierra you won’t see it on newer devices. Same thing happened to the books app. I still use it but now it is retired from iCloud. 
    dewmewatto_cobra
  • Reply 7 of 16
    lkrupplkrupp Posts: 10,557member
    Top questions asked in the Apple Discussion Forums:

    1. I forgot my Apple ID password

    2. I forgot my Apple ID

    3. I forgot my iPhone passcode

    4. How do I turn off 2FA

    5. I forgot my Firmware password

    Now add I forgot my ADP password to the list and watch the reaction when told there is no reset, no workaround, no bypass, Apple can’’t help you, and your data is lost forever with no possibility of ever getting it back.

    The average user does not need ADP, should not activate ADP, and will eventually rue the day they did.
    edited December 2022 gatorguyjas99watto_cobra
  • Reply 8 of 16
    Just add an update section after you connect to wifi in the setup menu. Many devices do this
    n2itivguydoozydozenwatto_cobra
  • Reply 9 of 16
    One iMac in the house can’t move to Ventura and so it can’t benefit from end-to-end encryption, unless we remove it from iCloud. All the other 9 devices are fully updated.
    This is quite disappointing. In the end this is just a software matter and Apple could quite easily have offered this as part of a software update for the previous version of macOS. You don’t need a Ventura equipped device for that at all.
    JanNLwatto_cobra
  • Reply 10 of 16
    I just enabled ADP on my iPad Pro M1, was told I have to wait a month before enabling for my iPhone 14 pro max and I still have not looked at my MacBook Pro 2016 which cannot run the latest Ventura system. 

    So some of the comments above are not true. I hope that my MacBook Pro does not have to be taken off the iCloud. I am going to call Apple to get the dope from the horse’s mouth so to speak. 
    edited December 2022 watto_cobraAieeeeeee!
  • Reply 11 of 16
    dewme said:
    I have not turned ADP on because I have a mix of devices, some with older versions of iOS, macOS, and iPadOS. I’m not sure how ADP handles backward compatibility so I’m not going to do anything that’ll cripple my older devices. 

    For now I’ll just add another layer of tinfoil and wait for a very clear and unambiguous article that describes all of the potentially breaking changes that turning ADP on causes to all devices- old and new. This is something that I cannot afford to be wrong about. 

    Ok ... looked it up on Apple Support: https://support.apple.com/en-us/HT212520

    That makes it easy. Unless all of your Apple devices that use the same Apple ID for iCloud are compatible with ADP, you can't use it. Anywhere. It also kills web access to iCloud data. Of course this makes sense from a security perspective, but it excludes a heck of a lot of existing Apple customers from being able to use ADP at all. I guess I'll check back in a few years after all of my older and unsupported devices buy the farm and go on to the big recycling center in the sky. 
    Not quite accurate - it disables iCloud web access, but it doesn’t kill it. You can re-enable it from a trusted ADP device, via a push notification. Then it is disabled again after an hour. So, good if you need to sign in from a trusted browser somewhere to grab something. 

    https://support.apple.com/en-us/HT212523
    edited December 2022 techconcdewmewatto_cobra
  • Reply 12 of 16
    dewme said:
    I have not turned ADP on because I have a mix of devices, some with older versions of iOS, macOS, and iPadOS. I’m not sure how ADP handles backward compatibility so I’m not going to do anything that’ll cripple my older devices. 
    Yeah, I suspect most of us are in that position... for now.

    SHK said:
    Yeah, I'm thinking this is not worth the trouble.
    It's opt-in and not on by default.  That should eliminate the masses that don't know what they're doing.  This a great feature and I'm glad Apple finally made this move.

    gatorguy said:
    I expect a flood of problems from new iPhone users next month. IMO they should be strongly advised not to use Advanced Data Protection.  Even for the rest of us I believe overall it will be more of a problem with little to no real benefit if we engage it. An exception would be journalists, activists, high-profile individuals (public figures) and certain business people. For us more common folk it would be creating a headache. But a number of us will do it anyway.

    Your phone, your choice.
    Support becomes easy... "Hi Apple, I forgot my password.".  "Apple: Do you have ADP turned on?", "Customer: Yes".  "Apple: Sorry, wish I could help".

    It's probably not for the average person that doesn't care about their data so much.  For those that do, this is a great thing. 
    watto_cobra
  • Reply 13 of 16
    dewmedewme Posts: 5,422member
    dewme said:
    I have not turned ADP on because I have a mix of devices, some with older versions of iOS, macOS, and iPadOS. I’m not sure how ADP handles backward compatibility so I’m not going to do anything that’ll cripple my older devices. 

    For now I’ll just add another layer of tinfoil and wait for a very clear and unambiguous article that describes all of the potentially breaking changes that turning ADP on causes to all devices- old and new. This is something that I cannot afford to be wrong about. 

    Ok ... looked it up on Apple Support: https://support.apple.com/en-us/HT212520

    That makes it easy. Unless all of your Apple devices that use the same Apple ID for iCloud are compatible with ADP, you can't use it. Anywhere. It also kills web access to iCloud data. Of course this makes sense from a security perspective, but it excludes a heck of a lot of existing Apple customers from being able to use ADP at all. I guess I'll check back in a few years after all of my older and unsupported devices buy the farm and go on to the big recycling center in the sky. 
    Not quite accurate - it disables iCloud web access, but it doesn’t kill it. You can re-enable it from a trusted ADP device, via a push notification. Then it is disabled again after an hour. So, good if you need to sign in from a trusted browser somewhere to grab something. 

    https://support.apple.com/en-us/HT212523

    Thanks for the clarification!
    watto_cobra
  • Reply 14 of 16
    danoxdanox Posts: 2,971member
    Thank you Apple, now get out of content creation.
  • Reply 15 of 16
    ... if accurate is this the best news from Apple in a while for privacy ... ?
    Is Apple abandoning having a key for such accounts ...?
    How does Siri 'learn from this app' and CoreML factor in ?
    It would be even better if it could be supported asap at a broader (aka 3 versions) of the various operating environments...
    Of note mail (email) appears excluded...
    : o
    watto_cobra
  • Reply 16 of 16
    icoco3icoco3 Posts: 1,474member
    The technical way would be to attach to a computer in recovery mode and update to the latest OS then configure the device.
Sign In or Register to comment.