Apple Advanced Data Protection, iCloud and FileVault

I started off the year making a joke that I hoped I would remember the password to my work Mac. I guess I shouldn’t have, because my first day back at work I found myself locked out. To be honest, I was positive I remembered my password, but macOS Sonoma was having none of it.

Luckily I tend to make sure I’ve got all my recovery options set up: recovery contacts, recovery keys for FileVault, the works. Should be easy, right? I’ll be up and running within 30 minutes. Or so I thought.

The login screen already pointed me in the right direction and offered me the option to restart my machine to reset my password. All I had to do was log in with my iCloud credentials and I’d be good to go.

It seemed I hadn’t used this specific iCloud account in a while, because before it would let me reset my password I had to accept the new Terms and Conditions for iCloud on a Mac. However, the ‘Agree’ button was greyed out. Nothing I tried would enable it: scrolling down, expanding all the subsections. I was completely stuck.

Searching online taught me that this has been a known bug for over a year now; people who get stuck on this page during installation are advised to skip over this step and accept the terms later from System Settings. However, I was in no position to have a ‘skip setup’ button: I had to proceed to be able to reset my password.

Maybe if I log in on my iPhone with this iCloud account I’ll get the terms too? That would have been too easy; it seems these new terms were specific to macOS devices. In the end I took one of my other Macs, created a new user account, logged in to my iCloud account there and accepted the terms. I don’t understand how I could ever explain this to someone who only has one Mac.

With the terms accepted, resetting my password should be a breeze right? Well… no. I got a step further in the process, but I probably got an even worse error now.

## There was an error communicating to iCloud

What am I supposed to do with that? The internet is working, it’s logging me in, I’m getting my verification code and it seems to accept that. At this point the wizard offers me one option: Back. Going back restarts the machine and returns me to the main screen, asking for the password that doesn’t work anymore.

After a few hours of searching I found a small throwaway comment on a Reddit thread: make sure ADP is disabled. For those who don’t know, ADP (Advanced Data Protection) is quite a new feature that Apple offers for iCloud accounts. It basically makes your iCloud account fully end-to-end encrypted, so that Apple cannot see your data, help you recover your account, or share it unencrypted with law enforcement. It’s a feature I ended up enabling on nearly all my accounts last year.

During the setup process you go through quite a few steps to make sure you really know what you’re doing. It tells you if it can’t enable ADP because you’re using old devices, or if you have certain settings enabled that conflict with what it does. It then reminds you a few more times that if you lose your iCloud password, Apple cannot ever help you recover your account.

One step it forgets to mention or check for is whether you have FileVault (full disk encryption) enabled on any of your Macs, and whether you have your recovery key saved to iCloud. Because if you do, that won’t work anymore. At least not as long as ADP is enabled.
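Since ADP’s setup wizard doesn’t run this check for you, here is a small pre-flight script that does the local half of it. It is an added example, not code from the original post, and it assumes macOS’s `fdesetup` tool with its `status` and `haspersonalrecoverykey` verbs; it cannot tell you whether ADP is enabled on the account or whether a key was escrowed to iCloud, so its output is only a prompt to go and confirm that before turning ADP on. The parsing functions take the tool’s output as a string, so they can be exercised with constructed input on any system.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS fdesetup(8):
#   `fdesetup status`                 prints "FileVault is On." / "FileVault is Off."
#   `fdesetup haspersonalrecoverykey` prints "true" / "false"
# Neither verb reports iCloud escrow or ADP state; those must be checked by hand.

# Return 0 if the captured `fdesetup status` text says FileVault is on.
filevault_enabled_from_status() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Return 0 if the captured `fdesetup haspersonalrecoverykey` text is "true".
has_personal_recovery_key() {
    [ "$1" = "true" ]
}

# Combine both answers into one advisory line. Returns 0 when FileVault is on
# (so an ADP change could affect disk recovery), 1 when it is off.
recovery_preflight() {
    status_out="$1"
    prk_out="$2"
    if ! filevault_enabled_from_status "$status_out"; then
        echo "FileVault is off: ADP has no effect on disk recovery"
        return 1
    fi
    if has_personal_recovery_key "$prk_out"; then
        echo "FileVault is on with a personal recovery key: confirm where it is stored before enabling ADP"
        return 0
    fi
    echo "FileVault is on without a personal recovery key: if recovery relies on iCloud, it requires ADP to be off"
    return 0
}

# Only query the real tool on macOS; elsewhere the functions are still usable
# with constructed input (as in the checks below).
if [ "$(uname -s)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
    recovery_preflight "$(fdesetup status 2>/dev/null)" "$(fdesetup haspersonalrecoverykey 2>/dev/null)"
fi
```

Run it once on each Mac signed in to the account before enabling ADP; a machine that reports FileVault on without a personal recovery key is exactly the case the post describes, where iCloud is the only way back in.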

I ended up disabling ADP after which the password reset flow worked perfectly. To top it off though, I got an error resetting my password because my new password couldn’t be the same as my old password. I guess I did remember my password after all.

If any Apple engineers happen to come across this post, I’ve filed two Feedbacks:

  • FB13512134 - Can’t accept iCloud terms during password recovery on Mac
  • FB13512138 - FileVault iCloud recovery not working when Apple Advanced Data Protection for iCloud is enabled.