After an initial bump in disconnections things appear to have returned to normal and therefore this advisory incident is being closed.
Please note that the temporary "icloud_app_specific_password_required" attribute added to the profiles endpoint to help during this migration process will be removed on or after August 1st 2017.
Posted Jul 05, 2017 - 14:31 UTC
How Apple respond to invalid credentials appears to have changed slightly, this was responsible for the majority of the errors observed. This would have led to credentials taking a little longer than they should have done to become invalidated. At the time of writing around 30 accounts were in this state and a fix has been released to identify them more readily. We believe this change in behaviour could be related to the change to enforcing app-specific passwords.
There was also an account with an event we were failing to parse adding a significant amount of noise to our logs, a fix has been released for this as well.
Posted Jun 18, 2017 - 22:28 UTC
We're seeing an escalating number of errors syncing Apple iCloud accounts. Our team is investigating.
Apple calendar sync will be affected for some iCloud account currently.
Posted Jun 18, 2017 - 16:31 UTC
The app-specific password requirement seems to be in place now, at least for some accounts.
We've only seen around 10% of the accounts we expected become disconnected. We're currently operating under the assumption there is a staggered rollout of the requirement.
Posted Jun 16, 2017 - 15:39 UTC
The first batch of emails encouraging using an app-specific password has now gone out.
Posted Jun 08, 2017 - 17:29 UTC
The Cronofy authorization and relink flows have been updated to instruct users to create an app-specific password.
Posted Jun 06, 2017 - 06:35 UTC
From June 15th, 2017 Apple will require that all end-users who want to give access to their iCloud calendar use an app-specific password.
The Cronofy authorization flow will change shortly to reflect this requirement. Initially, encouraging users to use app-specific passwords and then making it mandatory on June 15th.
What you need to do will depend on whether your application sends calendar account relink emails or not, eg when a password expires.
Cronofy Sends Relink Emails
This is the standard behaviour of applications using Cronofy, In this case we will be sending a specific email just to iCloud users that don't have app-specific passwords on their account. This email will encourage them to do this and explain why.
It might be a good idea to contact your users directly and let them know this is happening so when the email comes from Cronofy they're ready to action it.
We will be begin sending this email to iCloud users from Wednesday 7th June.
My App Sends Relink Emails
You will need to contact your affected users and request that they setup an app-specific password.
So you can target the correct users, we've provided an additional attribute on the profiles end point for Apple iCloud accounts.
If you would like us to provide you a list of potentially affected users, please contact firstname.lastname@example.org and we will organise a CSV export for you.
We will append updates to the incident.