Apple’s Advanced Data Protection Gives You More Keys to iCloud Data

It’s still encrypted - but Apple has a key to decipher it. That’s the way all of iCloud works now, and will unless you turn on ADP for your account.

Having not turned on ADP yet, I don’t know whether Apple warns you, when you share a folder/file, that the recipient doesn’t have ADP.

This is a reference quote about iWork documents not supporting ADP. I didn’t read the article as saying that you can’t use ADP if you want to do iWork file collaboration; I read it as saying that those particular files will not have ADP turned on and that Apple will have keys to decipher them.


@ddmiller is spot on. If you share something with someone not using Advanced Data Protection, the system falls back to Apple’s standard data protection, where everything is encrypted in transit and at rest, but Apple manages the keys.

And neither iWork collaboration nor iCloud Shared Photo Library Shared Albums can use Advanced Data Protection at all because of how they must interact with servers and the outside world. Again, they have encryption going on all the time; it’s just that Apple controls the keys.

In my mind, there are only two reasons not to turn on Advanced Data Protection once it becomes available:

  • You have old devices that can’t upgrade to the necessary version of the OS and that you still need connected to your iCloud account.

  • You’re uncertain of your ability to remember/record/access your login information such that you want Apple to be able to perform account recovery for you if you get locked out.

The iCloud data security overview explicitly states iCloud Shared Photo Library supports Advanced Data Protection if all users have opted in. Did you mean to say Shared Albums?

I would say the other reason not to turn it on is if you access iCloud through the web client frequently. (I’m hoping calendars, email and contacts will be accessible without extra authentication since those are not E2E encrypted, but Apple has not said that will be how it works).

Yep, brain short circuit. Fixed.

And yes, if you use the iCloud.com Web clients a lot, that’s going to be much more annoying with Advanced Data Protection turned on. I don’t know how common that would be.


I do have a few Macs that are stuck on pre-Ventura OSes and for which I don’t necessarily need iCloud connectivity (except for Music, which does, in fact, work fine when you disconnect from iCloud). So I’m getting myself ready for this going forward, to see if I can run those Macs disconnected from iCloud but still have them be useful, so that I can turn on ADP.

Two of them are Mac Minis that I use basically as iTunes/Music media servers, one of which stores the canonical version of all of our ripped CDs, plus, of course, purchased iTunes tracks and now some tracks from Apple Music. One of them also runs SpamSieve as a spam filtering drone for all of the email accounts we have that don’t have strong server-based spam filtering. (Wonderful product and solution.) For these, I don’t need access to contacts, calendars, iCloud Drive, Notes, Reminders, etc. I just need the ability to connect to the iTunes Store and to my Apple Music account, plus the email accounts in the Mail app. And, yes, I can do that (this I’ve already been doing on one of the Mac Minis). I’ve also been using one of the Mac Minis to connect to iCloud Photos and be the source for offsite backup and for Time Machine, but that I can no longer do after disconnecting from iCloud; for that I have transferred that function to an iMac that can run Ventura, and I will use that computer for this.

My bigger issue is my old 2015 MacBook Air, which I have kept as a backup to my 2022 MBA, and which I also use during the summer when I am at my main home while we have moved up to the summer house with the 2022 MBA. (Yes, I know, first world problems.) The 2015 is stuck at Monterey.

I’m not all that worried about losing access to Messages and FaceTime on the old MBA. I don’t like using Messages on the Mac anyway, and almost all of my FT is from my iPad or iPhone. Reminders: I use this a little, but I’m OK with having them only on my phone and iPad. I really don’t need them on my Mac. Notes: this one is tougher. Notes I use mostly as a list of things that I want to read later, but it’s also a convenient way to transfer info between computers. For right now, I am trying out the app Agenda as a Notes replacement for that, and the Notes app itself I’ll use just for ephemeral content (such as scanning documents using the iPhone camera) and for private info that I lock with passcode / Face ID / Touch ID.

Also, the iMac I mentioned before is at home, so I can really just use that. The main issue is going to be if the 2022 MBA fails and I need to use the 2015 as a backup until I get it repaired/replaced. (For that actually I think I would just disable ADP temporarily and reconnect to iCloud.)

So to get ready for this, I’ve moved almost all iCloud Drive content to my Sync.com syncing service (a service similar to Dropbox, but a bit less expensive and with a nicer macOS app).

As for this:

As I have said, Mail is fine. Calendars I have solved by sharing my calendars to another iCloud account on which I will not be turning on ADP, and then adding the other iCloud account to Calendars; I can now get calendars on the 2015 MBA.

Contacts: that’s tougher. There seems to be no way to share contacts with another account as you can calendars, Apple doesn’t have shared family account contacts, and I can’t find a way to access an iCloud account from within Contacts unless you are officially connected to it. And my Apple ID is not an iCloud account, so I can just connect to iCloud as a secondary account and sync contacts (unless I have missed something). But, the truth is, I don’t think that I need this. If I ever need an email address from anywhere, I can just share the actual address in an Agenda note (or email it to myself) and manually add the contact to the 2015 MBA. (I had thought about using my Fastmail account as my main contacts repository, but connecting Fastmail contacts to iOS seems to be a bit of a pain, requiring either a profile, which I’d rather not do, or a non-SSL CardDAV server. I could use my old Gmail account for contacts, but I’d rather not. I’ll just export them and maintain them manually, as described above.)

Agenda: the first wrench in this plan was that Agenda syncs via iCloud by default. However, it does support syncing via Dropbox, so I’m trying that out. I had to do some manual editing to some notes that wouldn’t sync (just changing their name forced a sync, then I renamed them back).

One last thing that I’ll need to do is go up to the summer house and upgrade the Apple TV there to tvOS 16.2. After that I should be able to try out ADP.

Unless you are 100% on 16.2 and 13.1, this isn’t easy.


I have and use several older Macs stuck as far back as Catalina. But I don’t think I’ll truly be needing iCloud services on those systems. I’ll definitely be trying out ADP as soon as a few days go by without hearing about anything dramatic with these updates.

IMHO the writing is on the wall for local iOS backup to Mac. Looks like Apple has finally successfully bullied me into submission with their most recent shenanigans. If ADP works well and holds its promises, I will be moving to iOS iCloud backup (considering the base 5GB iCloud will suffice for my humble iPhone backup needs). I need only backup so I’ll probably be just fine, but I’m afraid the iMazing crowd is effed.


I agree that the free storage tier should provide enough storage to hold the data for the tasks that Apple forces you to use iCloud for (and a bit more to encourage users to try out other products). That said, the upgrade to 10x the free amount (50 GB) is only $1 (US)/month ($12/year). That should provide more than enough storage to handle backups from a few oodles of mobile Apple devices. What’s more, it also gives you access to Apple Private Relay and the Hide My Email feature, allowing you to quickly create email aliases for anticipated junk.


I wouldn’t dispute that, but, frankly, I will certainly not reward their bullshit bullying tactics with even more revenue. I fork them over more than enough money for hardware every single year already. I have zero interest in most of their “services”. Half is of little to no value to me, the other is crap. Of course, as always, YMMV.


Haha, I’m kinda the other way: I already store most docs in iCloud Drive, and would like even higher storage plan maximums than Apple currently offers. But I get your point. ;-)

Pardon the slightly OT: if you do not include iMessage in iCloud (say because you only use your one single iPhone for iMessage), does it still get backed up to iCloud such that a new iPhone will pick up all old message threads? Or is that exactly why even with just a single iOS device you’d want iMessage sync turned on with iCloud?

If you have messages in iCloud turned off, the messages get backed up to iCloud, yes. If you have iCloud for messages turned on, it doesn’t duplicate the storage by also backing them up.


I think your best shot in a situation like this, where you want access to iCloud data without having to sign in using the Apple authentication framework, is just to create an app-specific password for your IMAP/SMTP/CalDAV/CardDAV access and use standard PLAIN authentication. These are “well-known” endpoints (imap.mail.me.com, smtp.mail.me.com, contacts.icloud.com, caldav.icloud.com). Of course, if you can make it work by other means / if you can do without, that works too. 🙂
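The app-specific-password route described in the post above, worked through as an added example (this is not code from the post or from Apple): a Python script that authenticates to the iCloud IMAP and SMTP endpoints named there using SASL PLAIN over TLS, together with the PLAIN encoder and decoder so it is obvious why "standard PLAIN authentication" is only acceptable once the TLS handshake is done. The hostnames come from the post; the port numbers are the standard ones for each protocol; the app-specific-password format check, the environment variable names and the helper names are my assumptions. As noted earlier in the thread, Mail, Contacts and Calendars are not end-to-end encrypted, which is why a password-based client can reach them at all.

```python
"""Added example: reaching iCloud mail endpoints with an app-specific password
and SASL PLAIN over TLS, without the Apple device sign-in flow.
Not Apple's code. Only the network-free helpers are exercised offline; the
login functions need real credentials and are called only under __main__."""
import base64
import imaplib
import re
import smtplib
import ssl

# Hostnames from the post; ports are the standard ones for each protocol.
ICLOUD_ENDPOINTS = {
    "imap":    ("imap.mail.me.com", 993),     # IMAP over implicit TLS
    "smtp":    ("smtp.mail.me.com", 587),     # SMTP submission, STARTTLS
    "carddav": ("contacts.icloud.com", 443),  # CardDAV over HTTPS
    "caldav":  ("caldav.icloud.com", 443),    # CalDAV over HTTPS
}

# Assumption: app-specific passwords are issued as four dash-separated groups
# of four lowercase letters ("abcd-efgh-ijkl-mnop"). The check exists to catch
# the common mistake of pasting the real Apple ID password into a mail client.
APP_PASSWORD_RE = re.compile(r"^[a-z]{4}-[a-z]{4}-[a-z]{4}-[a-z]{4}$")


def looks_like_app_password(secret: str) -> bool:
    """True if the secret has the shape of an app-specific password."""
    return APP_PASSWORD_RE.fullmatch(secret) is not None


def sasl_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the RFC 4616 PLAIN initial response: base64(authzid NUL authcid NUL passwd).

    Base64 is an encoding, not encryption: anyone who can read the connection
    recovers the password, so PLAIN must only travel after TLS is established
    (implicit TLS for IMAP below, STARTTLS for SMTP).
    """
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_sasl_plain(initial_response: str) -> tuple:
    """Inverse of sasl_plain(): what a passive observer recovers from an
    AUTH PLAIN sent over a cleartext connection. Returns (authzid, authcid, passwd)."""
    parts = base64.b64decode(initial_response).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    return parts[0], parts[1], parts[2]


def tls_context() -> ssl.SSLContext:
    """Default context verifies the certificate chain and hostname; pin a
    modern floor so a downgraded connection fails instead of leaking PLAIN."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def imap_login(user: str, app_password: str) -> imaplib.IMAP4_SSL:
    """Authenticate to iCloud IMAP with PLAIN over an already-encrypted socket."""
    if not looks_like_app_password(app_password):
        raise ValueError("use an app-specific password, not the Apple ID password")
    host, port = ICLOUD_ENDPOINTS["imap"]
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=tls_context())
    # imaplib base64-encodes whatever the callable returns, so hand it the raw
    # NUL-separated PLAIN message rather than the already-encoded form.
    conn.authenticate("PLAIN", lambda _challenge: f"\0{user}\0{app_password}".encode("utf-8"))
    return conn


def smtp_login(user: str, app_password: str) -> smtplib.SMTP:
    """Authenticate to iCloud SMTP submission: STARTTLS first, credentials second."""
    if not looks_like_app_password(app_password):
        raise ValueError("use an app-specific password, not the Apple ID password")
    host, port = ICLOUD_ENDPOINTS["smtp"]
    conn = smtplib.SMTP(host, port)
    conn.starttls(context=tls_context())  # never send AUTH on the cleartext socket
    conn.login(user, app_password)        # smtplib negotiates PLAIN/LOGIN for us
    return conn


if __name__ == "__main__":
    import os
    user = os.environ["ICLOUD_USER"]             # assumed: the iCloud email address
    secret = os.environ["ICLOUD_APP_PASSWORD"]   # assumed: generated at appleid.apple.com
    imap = imap_login(user, secret)
    print("IMAP capabilities:", imap.capabilities)
    imap.logout()
```

The CalDAV and CardDAV endpoints are plain HTTPS and take the same app-specific password as HTTP Basic credentials, which is base64 of `user:password` and carries exactly the same cleartext caveat as PLAIN; they are left out of the script to keep it to the two socket protocols.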

Yes, they have, much as it pains me to concur, succeeded in their shameful little coup to extract further revenue from the already very likely premium-storage purchaser of Apple hardware. And ditto re my move to iCloud backup at no extra cost, except that I’m already paying for 50 GB storage, now close to empty thanks to the backups next to my iCloud Mail, some iCloud Drive content, and EPub/PDF books, so that while I do appreciate iCloud Plus, it’s more that I don’t have to pay extra for this change, just to pay what I’m already paying. I am distinctly displeased by it, though–an iCloud backup may be more convenient, but it doesn’t back up “sync data”, so you still need to be tethered if you actually want to restore your device as is, particularly for stuff you just can’t get from the cloud (non-Apple audiobooks, lossless music, etc). But I think I’ve already grumbled enough about that, so …

Yes, that’s my take; the choice is simply one of the mechanism used. Using Messages in iCloud would seem to be the more flexible option, since you can choose not to use Backup at all if you want, and because it makes syncing much easier if you add a new device.


I attempted to enable Advanced Data Protection on my iPhone but received a message that my iPad first had to be updated to iPadOS 16.2. Apple seems to think it is on 15.xx (I can’t remember). But the iPad is definitely at 16.2. I tried turning off the iPad and the iPhone, but nothing changed. Similarly, if I try to turn on ADP on my wife’s iPhone, she gets a message that our iMac needs to be updated. But it is updated to 13.1. I don’t see that message on my phone. FWIW, we share contacts and calendars on our devices, so we are each logged into iCloud on our respective devices. Any suggestions on what is going on and how to resolve the issue?

I pushed all my very old Macs (those that cannot be updated to a sufficiently new macOS – as well as my really old iPhones/iPads) off my iCloud so I could finally test ADP.

But now it looks like since my wife and I are in Family Sharing I also need to get her to do the same for her devices. No ADP for me until all her stuff is also up to the latest and greatest. 🙁

She won’t mind pushing her old 2010 13" MB or an old iPhone 4 out of iCloud, but she’s not going to be thrilled about being “forced” to upgrade to 13.1 right now on her main MacBook. Not that she minds 13.1 (and due to security concerns she would do so eventually anyway), but like me she’s not really interested in any of the “new stuff”, so to her such an upgrade is just a waste of time that at best interferes with her work, and at worst means follow-on trouble that then has to be sorted out. Some of Apple’s latest software QA/QC snafus have certainly left a mark. I will have to tread lightly and be prepared to offer up a dinner invitation. 😉


Ok, so much for me right now, then. Family plan with my wife and my two adult kids, and who knows what their Macs and iPhones are running these days? (One of them has a 12” MacBook, though I think it’s the one that supports Ventura. So, someday, maybe.) I’m pretty sure my wife is still on 15.7.1 on her iPad Mini. I’ll have to check at some point.

So … I’m thinking about starting a family. (Being still single and just yesterday turned 40, there are obstacles, but nothing insurmountable, I hope.) My mother needs more than the 5 GB of storage for free, and my iCloud backups have just pushed me into the storage red. I need more iCloud storage. My options are to stridently object to Apple’s forced backups to iCloud, which is my short-term temporary fix, or to upgrade to the 200 GB plan, help mum cancel her own 50 GB storage, then start a family in order to share. It’s all about the pennies, you understand. No doubt the switch to iCloud is now absolutely inevitable, but as things stand I’m back to entering my passcode every time I want to start a backup. Obviously, I am a wee bit annoyed. As now discussed, though, the bigger problem is going to be getting ADP enabled. Fortunately I will be able to help mum do her upgrades, and she’s quite able to adapt to subtle changes after the initial bump, so that should also be a temporary roadblock. Or maybe I should just swallow my pride and start throwing money at Apple, given the amounts being saved. Reducing my usage isn’t much of an option at present, sadly.

What happens if you have iCloud Family members with a device not on the latest OS, when trying to enable ADP?

Does it actually check every device they’re logged into for compatibility before allowing it, or just lock them out of said device entirely somehow until they upgrade it to the latest OS?

It would be good to know the methodology beforehand, in case we hit against it.

If they are not on the latest OS, they won’t have an option to enable ADP.

So you can turn it on for yourself, but they won’t be able to enable it at all on any of their devices. Is that right?

EDIT: …or not?

When you attempt to turn it on you will get a notice that all non-compliant devices must abandon iCloud first.

“abandon iCloud” - what does that mean?