Using iCloud Keychain with Apple device deployments
iCloud Keychain keeps Wi-Fi network passwords and website passwords used in Safari up-to-date on all your iOS and iPadOS devices and Mac computers set up with iCloud. It also stores Internet account sign-in and configuration information, and passwords for other apps that support it. iCloud Keychain also stores credit card information users save in Safari, so Safari can autofill the information. iCloud Keychain is disabled when used with a Managed Apple ID.
iCloud Keychain consists of two services: keeping the keychain up-to-date on all devices, and keychain recovery.
Keeping Keychain up-to-date on all devices
User approval is initially required to keep iCloud Keychain up-to-date on iOS and iPadOS devices and Mac computers. Each keychain item (user name and password for a website or email address) that’s eligible is exchanged with per-device encryption via iCloud key value storage. The keychain items are temporary and don’t persist in iCloud after being updated.
Keychain recovery
Keychain recovery lets users save their keychain, without giving Apple the ability to read the passwords and other data, and it provides a safety net against data loss. This is particularly important when Safari is used to generate random, strong passwords for web accounts, because the only record of those passwords is in the keychain.
The user’s iCloud Keychain is backed up in iCloud if the user creates an iCloud Security Code, which encrypts the user’s keychain using a strong passcode. A secure escrow service provides a copy of the keychain only if a strict set of conditions is met.
Important: If the user doesn’t create an iCloud Security Code, Apple can’t help recover the user’s iCloud Keychain information.