Tuesday, May 21, 2024

Apple Updates Silently Enable iCloud Keychain

Jeff Johnson:

I’ve discovered today that unfortunately this issue—this bug, I would call it, though who knows whether Apple considers it a bug or “expected behavior”—still exists with the latest versions of macOS Ventura and Sonoma, 13.6.7 and 14.5 respectively.


The external drive had a macOS Ventura 13.6.7 boot volume with iCloud enabled but iCloud Keychain disabled. After updating the volume to macOS Sonoma 14.5, iCloud Keychain was enabled. (I then disabled iCloud Keychain, which actually caused System Settings to hang and eventually crash, but afterward iCloud Keychain did seem to be disabled.)


What I’d like to do is update from Ventura to Sonoma without an internet connection, giving Sonoma no chance to upload my passwords or other data to iCloud before I can disable iCloud Keychain.


You might wonder why I don’t sign out of iCloud before I update from Ventura to Sonoma. It turns out that there’s no point in that, due to another bug, “Signing out of iCloud and signing back in again forgets all of your previous iCloud settings” (FB12168173), which I also discovered last year.

Because installing macOS also re-enables Wi-Fi, his workaround was to turn off Wi-Fi after downloading the installer, delete his Wi-Fi password, and then install the update.


If you’ve never enabled iCloud Keychain and recently upgraded to iOS 17, chances are good that your passwords are now stored on Apple servers. As confirmed by many users, iOS 17 secretly turns iCloud Keychain on. This video shows the entire process step by step[…]


Update (2024-05-28): See also: Hacker News.

Update (2024-05-29): Marcin Krzyzanowski:

I noticed my disk storage went drastically low and I started to check the system, then I realized something (#macos update???) enabled iCloud Photos synchronization to my Mac (that can take all the storage it gets, and for that very reason I didn’t enable it on my Mac)

Update (2024-05-31): See also: TidBITS-Talk.

Update (2024-06-03): Johann Campbell:

Really wish Apple could stop toggling iCloud Photos on without my permission, when it KNOWS I won’t pay for more than the base 5 GB of iCloud storage.

Update (2024-06-05): Jeff Johnson:

A follower on Mastodon gave me a nice tip on how to prevent this in the future: create a configuration profile.

First, download the Apple Configurator app from the Mac App Store. Then open Apple Configurator, select New Profile from the File menu, uncheck Allow iCloud Keychain in Restrictions, and save the .mobileconfig file.
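An added example, not Jeff Johnson's code or Apple Configurator's output: a Python script that writes a minimal unsigned profile carrying the restriction described above and checks a profile file for it before installation. It assumes the Restrictions payload type `com.apple.applicationaccess` and its `allowCloudKeychainSync` key are what the Allow iCloud Keychain checkbox controls; the identifier, display names and output file name are placeholders.

```python
import plistlib
import uuid
from xml.parsers.expat import ExpatError

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
KEYCHAIN_KEY = "allowCloudKeychainSync"  # assumed key behind "Allow iCloud Keychain"


def build_profile(identifier="com.example.no-icloud-keychain"):
    """Return unsigned .mobileconfig bytes that disallow iCloud Keychain."""
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        KEYCHAIN_KEY: False,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Disallow iCloud Keychain",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def keychain_sync_state(profile_bytes):
    """Classify a profile as 'blocked', 'allowed', 'unset' or 'unreadable'."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return "unreadable"  # e.g. a signed (CMS-wrapped) profile or a damaged file
    if not isinstance(profile, dict):
        return "unreadable"
    state = "unset"
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict) or payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        if payload.get(KEYCHAIN_KEY) is False:
            return "blocked"  # at least one Restrictions payload sets the key to false
        if KEYCHAIN_KEY in payload:
            state = "allowed"  # key present but not false: no restriction applied
    return state


if __name__ == "__main__":
    with open("NoICloudKeychain.mobileconfig", "wb") as fh:  # placeholder file name
        fh.write(build_profile())
    print(keychain_sync_state(build_profile()))
```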

4 Comments

Yeah, I had it switched off for years (since I had a third-party password manager), but likewise one of the fairly recent updates (or a new machine setup) must’ve switched it on. Decided to give in and not fight it.

I've seen stuff like this for years. Updates on iOS routinely re-enabled Game Center even after having turned it off. iCloud Photos would routinely enable and start uploading images. iCloud Drive for apps is opt-out instead of opt-in, so as soon as an application is installed it starts putting data on a server.

I don't think any of this is malicious, it's simply coding and testing to the most common case / assumption - people are putting everything on Apple's servers.

I've been a user of Apple services since iTools (https://en.wikipedia.org/wiki/MobileMe#iTools), but I stopped using iCloud and logging in with an Apple ID on all my computers a few years ago because settings for these sorts of things are unreliable.

This particular case is probably linked to the wider rollout of Passkeys support across the major web platforms. Can’t have passkeys without the keychains.

I just noticed that a macOS update enabled iCloud Photos on my Mac, which started to download photos and drastically reduce the free space (that's how I noticed).
