<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Note that keychain is not specific to iPhones... it is used by all Apple devices... macOS, iPhone, iPad. You just have to click "yes" on any browser to have your password saved. So it is really easy to end up with web site credentials in your keychain and then propagate to all devices you own.</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">David.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 16, 2020 at 5:43 PM Jeff Boyce &lt;<a href="mailto:jboyce@meridianenv.com">jboyce@meridianenv.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<font size="-1"><font face="Calibri">Yes, I had disabled the
keychain sync, and I thought that had solved the issue. I think
it went several months without connecting back to the parents'
vlan. I haven't been able to figure out what caused it again;
it may have been the recent iOS update that reset some of the
settings back to default. But now it seems to be doing it again
regularly, which is why I am looking for other possible options. I
will go back and look at the keychain sync again. Apple doesn't
make it easy to find and disable that; will have to check my notes.<br>
<br>
The parents don't use their phones for conducting banking
transactions and other things that might accidentally be exposed
on the kids' phones, so we should have ourselves protected
there. And the kids are still a little too young to be set free
with their own Apple IDs, which is also part of the reason why
they are on a separate vlan. With the phone tied to the parent
account it is much easier to monitor their activity, not as easy
with a separate Apple ID.<br>
<br>
Jeff<br>
<br>
</font></font><br>
<div>On 10/16/2020 12:44 PM, David Kerr
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:verdana,sans-serif">Have you tried
disabling keychain sync to iCloud on the kids' iPhones? WiFi
passwords are stored in there and if you sync keychain across
devices then that is why the kids' iPhones are picking up your
WiFi passwords.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">They will also be
getting all your saved userids and passwords... Do you really
want your kids having your bank account credentials?</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">It would be best for
your kids to have their own Apple IDs -- unless they are still
too young for that.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">David.</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">---------- Forwarded message
---------<br>
</div>
<div style="word-wrap:break-word;line-break:after-white-space">
<div>
<div>
<div style="margin:0px"><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif;color:rgb(0,0,0)"><b>From:
</b></span><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif">Jeff Boyce &lt;<a href="mailto:jboyce@meridianenv.com" target="_blank">jboyce@meridianenv.com</a>&gt;<br>
</span></div>
<div style="margin:0px"><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif;color:rgb(0,0,0)"><b>Subject:
</b></span><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif"><b>[Dnsmasq-discuss]
Block dhcp from serving to specific device</b><br>
</span></div>
<div style="margin:0px"><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif;color:rgb(0,0,0)"><b>Date:
</b></span><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif">October 16, 2020 at
11:39:31 AM CDT<br>
</span></div>
<div style="margin:0px"><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif;color:rgb(0,0,0)"><b>To:
</b></span><span style="font-family:-webkit-system-font,&quot;Helvetica Neue&quot;,Helvetica,sans-serif">DNSmasq Mailing List &lt;<a href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">dnsmasq-discuss@lists.thekelleys.org.uk</a>&gt;<br>
</span></div>
<br>
<div>
<div>Greetings -<br>
<br>
I am having an issue on my home network with
Apple devices getting assigned addresses to vlans
that are not desired. Not sure if dnsmasq will
be helpful in resolving the issue, but thought I
would inquire here as I am exploring many options.
I am running dnsmasq as part of my pfSense gateway
device, but if dnsmasq can solve this then I am sure
I can get it implemented in the pfSense interface.<br>
<br>
The issue is that I have two iPhones on my home
wireless network, and have two vlans for my wireless
network. One vlan is set up for the parents,
while the other vlan is set up for kids and guests
with different firewall and access restrictions
between the two vlans. All known devices are
assigned static IPs via dnsmasq, with guest devices
assigned dynamic IP addresses. The parent iPhone is
configured to use the parent wireless vlan. The kid
iPhone only has the ssid and password for the kid
wireless vlan remembered on the phone, and has not
been given the password for the parent wireless
vlan.<br>
<br>
The issue occurs when occasionally I find the
kid iPhone being assigned a dynamic IP address on
the parent wireless vlan. When this happens I tell
the kid iPhone to forget that network, and it goes
back to the kid wireless vlan. I am certain that
the kid is not the one making the change to the
parent wireless network.<br>
<br>
I have tracked the issue to an Apple feature,
that synchronizes wireless access point information
between phones on the same account. The kid's iPhone
happens to be under the same Apple account as the
iPhone of one of the parents, so when Apple
synchronizes all iPhones on the account the kid's
phone gets the information for the ssid and password
of the parent wireless vlan. The kid's iPhone will
connect to the parent wireless vlan when dhcp is
renewed if the parent wireless vlan happens to have
a stronger signal than the kid wireless vlan (my
assumption on signal strength being the determining
factor, it may be that the reply comes back quicker
from the parent wireless vlan). When this happens
the kid's iPhone gets assigned a dynamic IP address
from the parents' wireless vlan. I have gone through
all the options with Apple to try and resolve this,
and nothing works because it is an intended feature
that is supposed to not be broken.<br>
<br>
So I am wondering if there is a configuration
setting that I can add to my dhcp server that would
refuse a specific device from connecting to a
specific vlan. If possible, then I would be able to
block the kid's iPhone from connecting to the parent
wireless vlan, thus forcing it back to the kids'
wireless vlan. Thanks.<br>
<br>
Jeff<br>
<br>
<br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
</div>
</div>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<pre cols="72">--
Jeff Boyce, CF
Meridian Environmental
2136 Westlake Ave. North
Seattle, WA 98109
206-522-8282
<a href="http://www.meridianenv.com" target="_blank">www.meridianenv.com</a></pre>
</div>
</blockquote></div>
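<div>One way to express the restriction asked about in the original question, as an added example that is not part of the thread or any poster's configuration. It assumes dnsmasq is the DHCP server on both VLANs and that the installed version's man page documents the <code>known-othernet</code> tag; the interface name, MAC address, IP address and host name are constructed placeholders.</div>

```conf
# Added example, not from the thread. All values below are placeholders:
#   igb1.10            hypothetical parent-VLAN interface
#   02:00:00:aa:bb:cc  constructed MAC for the kid phone
#   192.168.20.50      constructed static address on the kid VLAN

# Existing style of static mapping: the kid phone is pinned to an
# address that only exists on the kid VLAN's subnet.
dhcp-host=02:00:00:aa:bb:cc,192.168.20.50,kid-iphone

# When a request from that MAC arrives on a different subnet, the
# dhcp-host line cannot be used and dnsmasq sets the tag
# "known-othernet". dnsmasq also sets a tag named after the interface
# the request arrived on. dhcp-ignore fires only when ALL listed tags
# are set, so this refuses a lease to statically mapped devices that
# show up on the parent VLAN, and leaves other VLANs untouched.
dhcp-ignore=tag:known-othernet,tag:igb1.10

# Log DHCP transactions so ignored requests are visible in the log.
log-dhcp

# Limits of this control:
# - It only withholds a lease. The phone can still associate with the
#   parent SSID, and a manually configured address bypasses DHCP.
# - Matching is by MAC. A phone using a per-network private
#   (randomized) Wi-Fi address presents a different MAC on each SSID
#   and will not match the dhcp-host line.
# - Separation between the VLANs still has to be enforced at the
#   access point and firewall; DHCP refusal is not access control.
```

Devices whose static mapping belongs to the parent VLAN are unaffected, because their <code>dhcp-host</code> entry is usable there and <code>known-othernet</code> is never set for them.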