|
 |
Parental Controls & Guest Account
|
|
|
|
|
Opening
|
|
|
|
 |
Recently on the Maccast I had a question from a listener about how to restrict access to the Mac and set time limits
|
|
|
|
|
I thought a good, more in depth follow up would be in order to go over some of the tools that are built in to Mac OS X Lion for providing guest and restricted access to the Mac.
|
|
|
|
|
Guest Account
|
|
|
|
|
By default OS X Lion has a Guest account. The account is set up and cannot be removed from the Users & Groups preference pane. The account though is disabled by default.
|
|
|
|
|
The reason the account exists is to allow you to provide guest access without having to set up user accounts manually.
|
|
|
|
|
When enabled the guest account doesn't require a password to log on.
|
|
|
|
|
Guest users can’t make changes to other user accounts or change computer settings, and they can’t log in remotely.
|
|
|
|
|
You can use the Parental Controls (we'll discuss later) to further control and restrict Guest account access when it's enabled.
|
|
|
|
|
It's important to note that Guest accounts can't log in or be used if you use FileVault.
|
|
|
|
|
When a guest user logs in the system creates a temporary Home folder for that user. Any files or data created by the user get deleted when they log out.
|
|
|
|
|
To enable the Guest User account for login
|
|
|
|
|
Open System Preferences, and then click Users & Groups pane.
|
|
|
|
|
Click the lock icon to unlock it, and then type an administrator name and password.
|
|
|
|
|
Select Guest User in the list of accounts.
|
|
|
|
|
A guest account can have a couple of different kinds of access
|
|
|
|
|
To let a guest user log in to the computer, select “Allow guests to log in to this computer.”
|
|
|
|
|
However, guest users can’t log in remotely.
|
|
|
|
|
If you'd like you can set up parental controls for users who have Guest login privileges. This will allow you to limit the amount of access a guest account might have to specific applications, resources (like printers), web sites, etc.
|
|
|
|
|
Select “Enable parental controls,” and then click Open Parental Controls button to configure the restrictions. Again, we'll be going over these setting in a minute.
|
|
|
|
|
To let a guest user access shared files from another computer on your network, select “Allow guests to connect to shared folders.”
|
|
|
|
|
The sharing only account doesn't have login access to the Mac and can only access shared files or folder set up in the File Sharing preferences. It uses the 'Everyone' group to control access.
|
|
|
|
|
These two kinds of guest account access can be used seperately or combined.
|
|
|
|
|
Starting with 10.7.2 there is a "second" form of the Guest account
|
|
|
|
|
If you use iCloud and enable the Find My Mac feature a Guest Account login may still show up in the login window at boot up.
|
|
|
|
|
This is a different form of the Guest account and will appear even if you have Guest login disabled in the User & Groups System Preferences
|
|
|
|
|
The iCloud/Find My Mac version of this account allows someone to reboot into a Safari only secure connection to access the internet. The account has no access privileges other than for Safari.
|
|
|
|
|
The reason? It's kinda like a trap for would be thieves that gives them a way to get on-line so that Find My Mac feature can potentially see and track your Mac revealing it's location.
|
|
|
|
|
In many ways if you plan to use Find My Mac you might want to leave this version of the Guest account enabled even if you don't want to allow full Guest Access.
|
|
|
|
|
If you want to disable this access though, here is how:
|
|
|
|
|
Go to System Preferences > Security & Privacy
|
|
|
|
|
Click the Lock icon and enter an Administrator username and password to make changes
|
|
|
|
|
Click the 'Advanced…' button
|
|
|
|
|
Check the option for 'Disable restarting to Safari when screen is locked'.
|
|
|
|
|
Click OK and exit the System Preferences
|
|
|
|
|
Now keep in mind with this off Find My Mac will not be able to locate the Mac if it is shut down and you have it set up to boot into the login screen (which I recommend).
|
|
|
|
|
You will still be able to use the remote wipe and remote lock features though.
|
|
|
|
|
Parental Controls
|
|
|
|
|
Setting up user account
|
|
|
|
|
Go to System Preferences > Users & Groups
|
|
|
|
|
Click the lock icon (if locked) to unlock it, and then type an administrator name and password.
|
|
|
|
|
Create a new user by clicking on the “+” sign in the lower left corner of the window.
|
|
|
|
|
Under 'New Account:' select the 'Managed with Parental Controls' option
|
|
|
|
|
Enter the account settings, like account name and password, etc. and click 'Create User'
|
|
|
|
|
Back in the main Users & Groups control panel make sure your new account is selected and verify that the 'Enable parental controls' checkbox is checked
|
|
|
|
|
Click the 'Open Parental Controls…' button to begin setting up the controls.
|
|
|
|
|
You can actually also create a new Parentally controlled account directly from System Preferences > Parental Controls
|
|
|
|
|
Click the "+" button in the lower left corner and enter the account setting into the sheet that drops down.
|
|
|
|
|
Enabling Parental Controls
|
|
|
|
|
If you already have an account set up can want to enable the Parental controls you can do that too
|
|
|
|
|
Go to System Preferences > Users and Groups
|
|
|
|
|
Click the lock icon (if locked) and then type an administrator name and password to unlock the settings
|
|
|
|
|
Select the existing account from the users list and then in the main settings window check the 'Enable parental controls' checkbox.
|
|
|
|
|
At anytime you can access the Parental Control settings by going to System Preferences > Parental Controls
|
|
|
|
|
Click the lock icon (if locked) and then type an administrator name and password to unlock the settings
|
|
|
|
|
Also, when you first open Parental controls there is a 'Manage parental controls from another computer' checkbox
|
|
|
|
|
Turn this on and you can manage the parental controls from another Mac on your LAN
|
|
|
|
|
Macs with this feature turned on will show up in System Preferences > Parental Controls on other Macs on your network
|
|
|
|
|
Select the remote Mac and enter the administrator account credentials to be able to remotely set parental controls.
|
|
|
|
|
Apps
|
|
|
|
|
Use Simplified Finder
|
|
|
|
|
Simplifies the Dock and Finder interface
|
|
|
|
|
Dock will have just the Finder, Applications, Documents, Shared, and Trash icons
|
|
|
|
|
Finder windows are just an icon view with no sidebars and right+clicks are disabled
|
|
|
|
|
Single click only will open documents, apps, etc.
|
|
|
|
|
Can switch out of the simple mode temporarily by going under Finder > Run Full Finder and entering admin credentials
|
|
|
|
|
Limit Applications
|
|
|
|
|
App Store apps can be globally restricted by their age rating.
|
|
|
|
|
Don't allow
|
|
|
|
|
up to 4+
|
|
|
|
|
up to 9+
|
|
|
|
|
up to 12+
|
|
|
|
|
up to 17+
|
|
|
|
|
Allow all
|
|
|
|
|
You can also limit Apps individually under 'Allowed Apps:'
|
|
|
|
|
These are sorted into groupings:
|
|
|
|
|
App Store - Apps purchased from the App Store
|
|
|
|
|
Other Apps - Non-App Store apps from the Applications folder
|
|
|
|
|
Widgets - Dashboard widgets
|
|
|
|
|
Utilities - Apps in Applications > Utilities
|
|
|
|
|
Developer - If you have Xcode and Developer tools installed.
|
|
|
|
|
There is a search box to help locate apps to enable quickly
|
|
|
|
|
Any check on app is allowed to be accessed
|
|
|
|
|
In playing with this I ran into trouble with a number of menubar and background apps that had daemons
|
|
|
|
|
iStat menus
|
|
|
|
|
Logmein
|
|
|
|
|
Sophos Anti-virus
|
|
|
|
|
Even Apple's AppsStore updater engine
|
|
|
|
|
They would display an error message asking for access.
|
|
|
|
|
Canceling would just put the error messages in a loop.
|
|
|
|
|
You can grant one-time access or 'Allow Always' by entering your Admin Account credentials
|
|
|
|
|
Allow Always adds the app to the list of approved apps and the Apple will be visible and accessible from the Applications folder
|
|
|
|
|
Launchpad didn't seem to function properly on an account with the Simplified Finder enabled.
|
|
|
|
|
If you don't have the Simplified Finder on all of the Applications seems to be visible regardless of if you have access or not.
|
|
|
|
|
When you attempt to launch a restricted App you get the dialog to allow access once or always.
|
|
|
|
|
Canceling resulting a a perpetually bouncing Dock icon for me until I clicked the app again
|
|
|
|
|
Allow User to Modify the Dock
|
|
|
|
|
Let's the account add, move, or rearrange items in the Dock.
|
|
|
|
|
You can check this on, log into the account, set up the Dock, and then log out and turn it off to pre-set the Dock for the account.
|
|
|
|
|
Web
|
|
|
|
|
This tab allows you to determine what website and URLs can be accessed.
|
|
|
|
|
Unrestricted access will block nothing
|
|
|
|
|
Try to limit access to adult websites automatically
|
|
|
|
|
Not sure what mojo is deployed here
|
|
|
|
|
There is a "Customize…" button that gives additional options
|
|
|
|
|
You can further tweak the lists by adding approved sites to the "Always allow" section and restricting specific site by using the "Never allow" section"
|
|
|
|
|
'Allow access to only these websites:' lets you set up an approved "whitelist" of specific sites.
|
|
|
|
|
When a site that isn't allowed is accessed it will pop up a dialog asking if you want to add it to the approved list. Have to enter admin credentials to do so.
|
|
|
|
|
The site page will be blocked and show an 'Allow access' button and also a list of links to the approved sites if you have a whitelist.
|
|
|
|
|
A side benefit (or detriment depending on your perspective) is that content from 3rd party servers is also blocked.
|
|
|
|
|
Things like Facebook and Twitter like buttons
|
|
|
|
|
Ad server content, etc.
|
|
|
|
|
Also image and media servers that may be on a 3rd party service. This is one that might be an issue as these sites don't pop-up asking for approval
|
|
|
|
|
You can use the Window > Activity menu in Safari to try and determine the URL to add to your white list to allow this content
|
|
|
|
|
People
|
|
|
|
|
This allows you to limit the people that a user can exchange email and instant messages with.
|
|
|
|
|
Check the "Limit Mail" and/or "Limit iChat" checkboxes
|
|
|
|
|
Add approved users and buddies to the the "Allowed" contacts list by clicking the "+" icon
|
|
|
|
|
You can add these manually by filling out the First and last name and then entering the email address or AIM account name.
|
|
|
|
|
Check the 'Add person to Address Book' to (surprise) add them to your Address Book
|
|
|
|
|
You can also add people who are already in your Address Book by clicking the disclosure triangle next to the last name field and selecting a contact from the Address Book
|
|
|
|
|
The 'Send permission requests to:' checkbox allows you to enter an email address that will receive a message anytime the user sends or receives a message from someone not on the approved list.
|
|
|
|
|
The messages they can then be approved or disapproved for delivery
|
|
|
|
|
Logs
|
|
|
|
|
At the bottom of the Apps, Web, and People tabs is the 'Logs' button
|
|
|
|
|
Clicking it opens a sheet that allow you to see Websites visited, Websites Blocked Application, and iChat logs
|
|
|
|
|
These items can be filtered by time period and grouped by content or date
|
|
|
|
|
You can select items from the lists and click 'Open' to open them.
|
|
|
|
|
Applications
|
|
|
|
|
Websites
|
|
|
|
|
iChat logs (transcript)
|
|
|
|
|
You can select individual items and restrict or allow it's access from the log sheet
|
|
|
|
|
So if you see an iChat conversation that is inappropriate you can select that log and restrict access to that contact
|
|
|
|
|
Or if a website was blocked but shouldn't have been you can select it and click the 'Allow' button to allow access.
|
|
|
|
|
The log also show for how long a particular item was accessed.
|
|
|
|
|
Time Limits
|
|
|
|
|
In this pane you can control when and for how long the account has access
|
|
|
|
|
You can set separate limits for Weekdays and Weekends
|
|
|
|
|
For time limits check on the appropriate limit, Weekday, Weekend, or both and adjust the slider
|
|
|
|
|
Slider goes from :30 minutes to 8 hours in :30 minute increments
|
|
|
|
|
"Bedtime" allows you to set a time of day when the account cannot be accessed. Say 10:00 PM to 8:00 AM for example.
|
|
|
|
|
Set a school night and/or weekend window separately.
|
|
|
|
|
User will not be able to access their account during the bedtime window.
|
|
|
|
|
The user will get a warning 15 minutes before the account becomes inaccessible due to time limits
|
|
|
|
|
Also in the pop-up and Administrator can extend the time for that one instance.
|
|
|
|
|
Clicking the clock in the menubar in a time restricted account will show the time remaining or the "Bedtime" time. The login window will also show the time the account can be accessed again.
|
|
|
|
|
Other
|
|
|
|
|
Hide profanity in Dictionary
|
|
|
|
|
Works for dictionary, thesaurus, and Wikipedia
|
|
|
|
|
If Wikipedia is not allowed in the web it is also blocked in the Dictionary app
|
|
|
|
|
The profanity filter is selective, so it will still return what it considers the non-vulgar version of words.
|
|
|
|
|
Limit printer administration
|
|
|
|
|
Can't add, change. or set up printers or their settings
|
|
|
|
|
Limit CD and DVD burning
|
|
|
|
|
Disable changing password
|
|
|
|
|
Last thoughts
|
|
|
|
|
Little "cog" at the bottom of the user list
|
|
|
|
|
Copy and paste Parental control settings from one account to another
|
|
|
|
|
Turn off parental controls completely. seems to retain the settings which is good if you want to temporarily disable the controls to access the account and preset some of the settings.
|
|
|
|
|
Turn on or off remote access of the Parental control settings
|
|
|
|
|
System Preferences
|
|
|
|
|
No way that I can see to restrict access to individual System Preferences
|
|
|
|
|
All or nothing access to the System Preferences app.
|
|
|
|
|
Can go into System Preferences in the account and go under View > Customize and hide individual panes, but a knowledgeable user could just use the search or spotlight to get access or even just unhide them
|
|
|
|
|
These controls are not the best and a little quirky but do give you some control over specific user accounts and their capabilities.
|
|
|
|
|
You can spend a lot of time playing with and managing them and while the could help you set some computing ground rules in the end it may just be easier to work out a trust relationship with your kids. Now that may not be possible and practical in all situations and that why it's good these control are here to help.
|
|
|
|
|
Finally, if you need more control or options there are 3rd party tools like Intego Content Barrier available.
|
|
|
|