Showing posts sorted by relevance for query parental controls.

Sunday, June 12, 2011

OS X Parental Controls Review - State of the art in OS X 10.5 and 10.6

Apple has recently updated their OS X Parental Controls documentation for 10.5 and 10.6. It will be interesting to see if they improve Parental Controls with 10.7 (Lion).

The only good thing I can say about the current generation of OS X Parental Controls is that they're an improvement on the non-existent Parental Controls in iOS.

Below is a summary of the current controls documentation, followed by notes of my own. I appreciate the irony that, as the father of a vulnerable child, I share the same agenda as China's totalitarian Party (emphases mine) ...

Mac OS X v10.5, 10.6: About the Parental Controls Internet content filter

The Internet content filter can operate in three modes: unrestricted, automatic, and whitelist.

When "Allow unrestricted access to websites" is selected, the Internet content filter logs websites that the account visits but does not restrict Web browsing. Visited websites are still logged and can be examined in the Logs tab of Parental Controls preferences.

When "Try to limit access to adult websites automatically" is selected, the Internet content filter does its best to block websites with inappropriate content. To do this, the Internet content filter uses the same technology that the Mail application uses to identify "junk" mail. The Internet content filter can identify, with a high degree of accuracy [!], whether a Web page is safe or not by examining various properties of the website including text and structure.

Additionally, the Internet content filter will block a website if the website identifies itself as adult-oriented using RTA (http://www.rtalabel.org/) or SafeSurf (http://www.safesurf.com/ssplan.htm) rating systems, as well as forcing "safe" searches with some search engines.

In this mode, the Internet content filter logs all visited and blocked websites, and flags them as such in the Logs tab of Parental Controls preferences.

In certain situations, the automatic Internet content filter may mistakenly block a safe website or allow an adult-oriented website. For example, if the website uses an uncommon language or if there is very little text on the page. These websites can be identified in the Log tab of the Parental Controls preference pane and added to the "Always Allow" or the "Never Allow" lists. These lists can also be accessed by clicking the Customize… button in the Content tab of Parental Controls preferences. Websites that are mistakenly blocked can also be allowed by clicking the "Allow…" button on the blocked web page and authenticating as an administrator user.

https note: For websites that use SSL encryption (the URL will usually begin with https), the Internet content filter is unable to examine the encrypted content of the page. For this reason, encrypted websites must be explicitly allowed using the Always Allow list. Encrypted websites that are not on the Always Allow list will be blocked by the automatic Internet content filter.

If "Allow access to only these websites" is selected in Parental Controls, the Internet content filter blocks any website which is not on the list. When the blocking web page is presented, a list of allowed websites is also shown. If using Safari, allowed websites are displayed as bookmarks in the bookmarks bar.

Note: For most websites, the Internet content filter considers the domain name and not the path. For example, if http://www.example.com is added to the list, then http://pictures.example.com will be allowed, as will http://www.example.com/movies.

In whitelist mode, visited and blocked websites are flagged in the Logs tab of Parental Controls preferences and can be added or removed from the whitelist there.

The documentation is incomplete (I gave it a rating of "2"). Some additional notes and references:

  • Safari history cannot be deleted in the most restrictive mode and in that mode preference changes are limited as well. It can be deleted and preferences can be edited in other modes.
  • The documentation makes false claims about the accuracy of content blocking, and of course images cannot be managed (emphases mine).
  • A user account must be closed (user logged out) for content rule updates to be applied.
  • Because of the various measures Google takes to evade censorship by authoritarian governments their services are a poor match to Parental Controls. Bing is much more dictator friendly, so I block all Google services and allow Bing.
  • OS X Parental Controls settings and logs can be managed from a remote admin account (see references below).
  • It is most convenient to allow and block sites while reviewing the log file records.

It's easy to find problems with OS X Parental Controls, but I don't expect much improvement -- even with all the world's dictators on my side. For example ...

  1. There's no customer demand for improvements. I think most parents are quite unaware of what most adolescent males do on the web, and I think they prefer to remain unaware. This is not necessarily a bad solution for most adolescents and parents; not all children are equally vulnerable.
  2. Technologies for evading monitoring, ensuring security, and protecting privacy also block Parental Controls.
  3. Engineers without young children don't like Parental Controls, not least because of how the technologies can be misused. Working on Parental Controls is unlikely to be a career move at Apple.
  4. These are hard problems because of the way the Internet is structured, and because content providers are actively trying to evade Parental Controls either because they want to facilitate adult access or because they are seeking vulnerable people to exploit.


Update 6/15: Nothing illustrates Apple's disdain for Parental Controls better than this screenshot:

[Screenshot: 2011-06-15, 8:25:16 PM]

The log display can extend vertically, but not horizontally. It's fixed width. So you can't actually view the URLs. The poor engineer must have taken pity on his users, however; if you let your mouse rest on a URL for a while, a popup will show you the full text.

This is third rate work.

Sunday, January 24, 2010

Parental Controls - Remote Access and other tips

I've just had another go at configuring OS X "Parental Controls". I'm doing this in 10.5, but I don't think 10.6 is much better.

I sometimes wonder why OS X "Parental Controls" are so buggy, awkward, limited, and altogether miserable. They weren't so bad in MacOS 10.9 -- before Jobs returned.

I think that's the clue. I didn't used to think so, but I've come to believe that Apple is Jobs. Evidently Jobs, a notoriously rebellious teenager, believes Parental Controls are a bad idea. So he's sabotaged them.

From the latest ordeal I've three new tips:

1. On editing content - site lists
  • In Safari with 10.5 it seems as though, when logged in as a managed user, you can open bookmarks (requires admin pw) and drag and drop links to the Safari Bookmark list to your heart's content. A very efficient way, one might think, to add approved sites. Except it's misleading. When you quit Safari and resume you're back to the set you approved in the Parental Controls Preference Pane. So ...
  • There are only two ways to add web sites to the approved list. You can add them in the Parental Controls Preference Pane, or in the managed account, you can add them one at a time, each requiring an Admin password, to the Bookmarks Bar.
  • You can drag and drop links and Location bar URLs to the Parental Controls Preference Pane and you can drag and drop to reorganize there. This is a big time saver. I guess someone slipped that one by Jobs.
2. remote monitoring and control from another computer

It's barely noted anywhere, but you can do remote monitoring and control from another computer. This is from the 10.5 Help file:

From OS X Help for 10.5:
If you have a computer on your local network that is managed by parental controls, you can change the settings in the Parental Controls preferences and monitor the user activity remotely.
The trick is to enable remote management in the gear drop down. Look hard, it's below the list of users.

Then, from your remote machine:
In the Finder, choose Go > Connect To Server, and then click Browse.
Select the other computer from the list of computers on your network and enter the administrator name and password for the remote computer.
In the Finder, choose Apple menu > System Preferences, and click Parental Controls...
... In the Accounts list, in the Other Computers section, select the remote user account you want to change.
Enter the administrator name and password of the remote computer.
3. Adding sites - only the domain matters

I thought I could get finer grained control by adding links to subsites (ex. www.google.com/mail), but that doesn't work. Only the domain seems to matter (though I'm not totally sure about this).

Update 5/15/10: If this is true, I can't blame Apple's parental control failures on Steve Jobs' disinterest.

Saturday, May 11, 2013

Parental Controls after OS X 10.8.2: EXC_CRASH and changes to https handling

The kids don't often use my Mountain Lion machines, so I only learned recently that Apple made some significant changes to Parental Controls with the 10.8.2 update. I don't remember seeing any documentation at the time and there's nothing in the release notes.

I found out about the changes when I opened the Parental Control Preference Pane on my main Mac. It crashed. I rebooted, it still crashed, and crashed ...

The crash message looked like this one from last year (I'm on 10.8.3):

Mountain Lion Parental Control time...: Apple Support Communities

Process: System Preferences [2658]
Path: /Applications/System Preferences.app/Contents/MacOS/System Preferences
Identifier: com.apple.systempreferences
Version: 12.0 (12.0)
Build Info: SystemPrefsApp-232000000000000~22
Code Type: X86-64 (Native)
Parent Process: launchd [488]
User ID: 502

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000

Application Specific Information:
com.apple.preferences.parentalcontrols v.400 (Kindersicherung)
objc[2658]: GC: forcing GC OFF because OBJC_DISABLE_GC is set

I was able to get around the crash by turning off parental controls for the affected user from the User Preference Pane. Then I could open and close the Parental Controls Preference Pane; after that I could reenable PCs for the affected account.

I assume my old preferences were not compatible with the 10.8.2+ version of Parental Controls, and Apple's code didn't handle this very well. Old bug, not fixed. Disappointing, but there's a workaround.

Which leads to the obvious question -- what the heck did Apple change in 10.8.2 Parental Controls? For sure they didn't fix any of the longstanding defects -- like an execrable UI for log review.

The answer is in a 12 page Apple Discussion Thread, pointing to a mislabeled Apple KB article (it says it's 10.6, but it was revised June 2012 and the change came with 10.8.2). Apple changed how they handle https sites when "Try to limit access to adult websites automatically" is selected in Parental Controls.

You see, Apple's Parental Control infrastructure has never worked with SSL encrypted (https) sites [1]. So they have to decide what to do when someone tries to access an https site. Since the https site is effectively invisible, Apple can either decide to trust it completely or distrust it completely. Prior to 10.8.2 Apple's "automatic" limits erred on the side of universal trust. After 10.8.2 they err on the side of universal distrust (which has always been the "Allow access to only these websites" behavior).

So this isn't a bug introduced with 10.8.2, it's Apple being a bit more honest about how crappy OS X Parental Controls always have been. I wonder if the change was made to avoid litigation, or if the transition to all SSL net access made it impossible to keep the old pretense.

In theory an admin user can approve all the https access requests that come up when a user tries to reach one of those sites, but in practice that doesn't scale.

Bottom line: Parental Controls was born lousy, but with 10.8.2 Apple is at least being honest about how bad it really is. [2]

[1] See OS X Parental Controls: The https bug and our family Google Apps services back in 2010. I think this is related to my employer's ability to block Dropbox, but inability to block Google Drive without also blocking Google Search.

[2] Parental Controls are no better on iOS by the way -- thanks to the webkit back door. (Bob Tedeschi wrote about this back in 2012.)

Saturday, July 25, 2009

Fixed: My iMac was losing net access – but only for one account …

Some days, I feel like the aging Sheriff in a bad western. The bad bugs been walkin’ into my town for years, and I’ve been shooting ‘em down.

‘Cept I’m not as fast on the draw as I used to be, and the bugs are getting meaner. Sooner or later the bad guys are gonna take this town – unless a new Sheriff comes along.

Not today though. I dropped the latest bastard. It took a few shots though. Not a clean kill.

I’ll tell the story, but first some background. I’ve been weeding my network for months, dealing with a slew of problems that seemed to be software related but were probably more hardware.

I’ve replaced the NIC on my old XP box and an ancient AirPort Extreme. I worked my way through way too many AirPort Time Capsule issues with cobbling together 802.11b,n,g across multiple devices, but it seemed I had things fairly stable.

Wrong. I’d be working away happily, and my browser sessions would hang. Sort of. Well, actually, Safari would first give me weird error messages about being unable to obtain a secure connection “Safari can’t establish a secure connection to the server...”. Firefox said something similar, though sometimes it would work when Safari wouldn’t.

A little bit later though, I’d lose all browser access.

At first I wanted to blame my DSL provider (Qwest), but I’d given them a hard time when the truth was my AirPort was dying. So I decided to be a bit methodical. It took a while but I found …

  • Other machines were fine.
  • Other accounts on my iMac were fine.
  • I could ping things, I could do email, I just couldn’t use my browser.
  • When Safari died completely, no other browser worked (Firefox, Camino).
  • Sometimes logging out and in again would fix things, sometimes restarting the machine, sometimes restarting the Time Capsule …

So it was something to do with my user account and maybe with Time Capsule. My next step was to enable logging on the Time Capsule and to learn to use the OS X Console (equivalent of XP Event Viewer).

That was a revelation. There were lots of little system problems showing up in Console. As it turned out, I had to clean them out before I could find the real problem. So I fixed a MobileMe related bug, removed 2-3 Widgets [2] and learned about MenuCracker and cleaning that out [1], but I was still getting locked out.

Once I’d cleaned up the other Console messages though, I found the sweet one ..

7/22/09 10:50:13 PM com.apple.familycontrols 7470 failed to send kill to 7714. Err:3 No such process

Ahh, yes. Parental Controls, the bane of Apple. Of course my standard user account shouldn’t have Parental Controls, but this made sense. I use Parental Controls on the kids’ machine and I know how they work; they could cut off my browser access – though there’s supposed to be a UI notice.

I checked the PreferencePane for the problem account from my Admin account, but there seemed to be no Parental Controls set. On the other hand, when I viewed the Parental Controls Preference Pane I wasn’t seeing the big yellow icon and the notice that “Parental controls are turned off for this account”.

So here’s where things get even more obscure. Let’s say you have a User Account and you want to remove Parental Controls. Just enabling everything isn’t enough, there’s another mysterious step.

Here’s what you do

  1. Log out of all accounts.
  2. Go to an Admin account.
  3. Go to Parental Controls.
  4. Click on the (problem) User Name.
  5. Look carefully for a small gear icon above the lock icon, window bottom.
  6. Click on the gear and choose “Disable Parental Controls …”

It’s been several days now without browser failure, so it looks like I got another bad guy.

If only I knew this one was the last …

---

[1] It’s a hack that allows apps to put an icon in the Finder title bar; it’s not a separate app, it’s a “.menu” resource in the Application Package. If you decide you want to get rid of it, you have to find and uninstall every app that uses it, such as, in my case, MenuMeter. I don’t think MenuCracker was causing me serious problems, but it was producing Console error messages and it has caused grief to some in the past. I not only removed it, I removed Perian and a “Better Finder” Preference Pane. Trying to get simple …

[2] I was surprised by this. Looks like non-Apple widgets are problem prone, I’m sticking with the Apple ones – don’t really use them anyway. In particular, I was surprised how many were active in the background – putting error messages on the Console …

Sunday, April 18, 2010

OS X Parental Controls: The https bug and our family Google Apps services

OS X has a longstanding bug with parental controls and https connections. In my home with a 10.5 machine I need to use https for Parental Controlled Wikipedia, but other times it doesn't work.

Even things that do work can stop. My son has open access to a tightly locked account. I wanted that access to include his email (hosted on our family domain Google App services - now managed via Dreamhost) so I put our family domain on the allowed list. About two weeks ago it stopped working; I got the inane Apple "couldn’t establish a secure connection to the server" error message.

I'd run into Apple Parental Control's notorious https minefield. Consider this discussion thread that began in 2005 and is still alive in 2010!
Apple - Support - Discussions - Secure Connections and Parental Controls ...

... I have Parental Controls turned on....

The problem that I'm experiencing is that when I try to connect to some secure sites, sometimes Safari complains:

Safari can’t open the page '...' because it couldn’t establish a secure connection to the server “...”.
In 2009 "Mango Buzz" commented ...
... I finally got a fix that seems to work, however, it may be cumbersome. It involves finding the IP address of the websites you are wanting to add...

... I added both the web address with the prefix http and https for both the domain name and the ip address. So far this has worked.
Matt Wagner had some interesting background in 5/09, though he's wrong about the fix. Adding https sites to the allowed list doesn't always work ...
According to http://support.apple.com/kb/HT2900 , the problem that we have been experiencing is by design. Secured connections are encrypted (obviously). This means that the contents of the website are unreadable by the content filter. Because of this, Apple decided to block all connections to secured connections. Just like zuciello explained above, the only way around this problem is to add secured sites that you do not want blocked to the list of allowed sites.
In Aug 2009 biovizier suggested something odd enough to be credible ...
.."I've got a user that is managed, but allowed unrestricted access to web and applications.[...]If access is unrestricted, the parental controls should not interfere with web communication at all."...

When "parental controls" are enabled, whether web restrictions are in place or not, it somewhat stupidly by default enables logging for internet traffic, passing requests through an internal proxy server to do so. It is at this stage that secure connections are being interfered with.

In your situation, since you don't appear to be interested in restricting web use, just turn the logging off as a workaround, eg.

/usr/bin/sudo /usr/bin/dscl . -mcxset /users/username com.apple.familycontrols.logging web always -bool false

Enter the command using "/Applications" > "Utilities" > "Terminal.app" while logged in to an "admin" account, substituting the managed users "short name" where it says "username".
In March of 2010 Sidney San Martin contributed a monster post ...
We ran into this problem, and a wonderfully helpful Apple technician dug up a solution brought down from engineering ... The problem is that https, by design, keeps the hostname you're trying to access (apple.com, mail.google.com, etc.) secret. The computer can't determine directly whether the connection should be allowed. It does know the IP address, and performs a reverse lookup on that IP address get the hostname it checks against your list of allowed sites.

So, the solution is to add as an allowed site the hostname associated with the IP address. It's not too difficult, but does require that you dive into the Terminal.

As an example, let's try to allow access to the Apple store. Start with the hostname you know: store.apple.com. Head into Terminal, and type:

host store.apple.com

You should get back something like this:

store.apple.com is an alias for store.apple.com.akadns.net.
store.apple.com.akadns.net has address 17.251.201.32
store.x.com.akadns.net mail is handled by 10 cbox-ember01.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember02.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember03.apple.com.

You can ignore everything except the address line. Now we know that the Apple Store's IP address is 17.251.201.32. Let's use host again:

host 17.251.201.32

Which returns

32.201.251.17.in-addr.arpa domain name pointer cup-store.apple.com.

Which is the information that we're looking for. The reverse DNS name of the Apple Store's only IP address is cup-store.apple.com. You can add this to allowed sites, or just add apple.com.

Head back over to the store page, reload, and see if everything's loading. You can use the Activity window (in the Window menu) to see what is and isn't loading successfully on the page. In some cases, you may find content that's not loaded from the same domain — in this case, static content like images is coming from a248.e.akamai.net. You can follow the same steps to find the reverse DNS names of these other domains.

If a domain resolves to multiple IP addresses, check a few of them. If you're lucky, they'll all point to the same or similar domains, and you can just add the second level domain to allowed sites. If you're not, they may not have reverse DNS records at all, and you'll get a response like this:

Host 153.234.138.207.in-addr.arpa. not found: 3(NXDOMAIN)

In this case, you may have to add all of the IP addresses individually to allowed sites.

If you're having trouble with this method of finding reverse DNS, try to load a problematic site and check the Parental Controls logs. The site should show up under Websites Blocked. Open one of the history entries in a browser. It should just show up as a hostname or IP address, with nothing after the slash. That's the address you need to add.

Finally, if you just want to allow access to GMail, I did the work for you: most of Google's IP addresses resolve to a .1e100.net address. If you add google.com and 1e100.net to allowed sites (Google has lots of IPs, it's not worth trying to add them individually), you should be all set.
I tried several of the above fixes (but not disabling logging - I need logging) and more, but I had no luck [1]. Note that I wasn't trying to provide access to google.com or gmail.com -- just family domain Google Apps.

I did finally get something working. I had to ...
  1. Switch from OpenDNS to Google DNS.
  2. As per San Martin add google.com and 1e100.net to the list of approved sites.
  3. Instead of using the URL "mail.myfamilydomain.com" I had to use https://mail.google.com/a/myfamilydomain/#inbox .
I would have preferred not to enable access on this account to www.google.com, but I really did need to have google.com as an authorized site.
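
The reverse-lookup behaviour described in San Martin's post, together with the domain-only matching in Apple's documentation, can be modelled offline. The Python below is an added example, not Apple's code and not code from the quoted posts: the function names are hypothetical, the `FORWARD`/`REVERSE` tables are constructed stand-ins for live `host` lookups (the `1e100.net` host name and `no-ptr.example` are made up), and dropping a leading `www.` from entries is an assumption chosen to reproduce the documented `www.example.com` / `pictures.example.com` result.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for live `host` lookups so the example runs offline.
# 17.251.201.32 <-> cup-store.apple.com and the PTR-less 207.138.234.153 come
# from the quoted post; the 1e100.net host name and no-ptr.example are made up.
FORWARD = {
    "store.apple.com": ["17.251.201.32"],
    "mail.google.com": ["74.125.45.100"],
    "no-ptr.example": ["207.138.234.153"],
}
REVERSE = {
    "17.251.201.32": "cup-store.apple.com",
    "74.125.45.100": "constructed-host.1e100.net",
    # no entry for 207.138.234.153: the NXDOMAIN case
}


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def entry_host(entry):
    """Reduce an allow-list entry to a host; scheme and path are discarded."""
    if "//" not in entry:
        entry = "//" + entry
    host = (urlsplit(entry).hostname or "").lower()
    # Assumption: a leading "www." is dropped, which reproduces the documented
    # result that listing www.example.com also allows pictures.example.com.
    return host[4:] if host.startswith("www.") else host


def host_allowed(host, allowlist):
    """Exact or subdomain match for names; exact match only for IP addresses."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        allowed = entry_host(entry)
        if allowed and host == allowed:
            return True
        if allowed and not is_ip(host) and host.endswith("." + allowed):
            return True
    return False


def check(url, allowlist):
    """Return [(name the filter compares, verdict)] for one request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        # Plain http: the host name is visible; the path plays no part.
        return [(host, "allow" if host_allowed(host, allowlist) else "block")]
    results = []
    for ip in ([host] if is_ip(host) else FORWARD.get(host, [])):
        if host_allowed(ip, allowlist):        # an https://a.b.c.d entry
            results.append((ip, "allow"))
            continue
        ptr = REVERSE.get(ip)                  # what `host <ip>` would return
        if ptr is None:                        # no PTR: no name to match
            results.append((ip, "block"))
        else:
            verdict = "allow" if host_allowed(ptr, allowlist) else "block"
            results.append((ptr, verdict))
    return results


def suggested_entries(hostname):
    """Allow-list entries for https to `hostname`, following the quoted steps."""
    entries = set()
    for ip in FORWARD.get(hostname, []):
        ptr = REVERSE.get(ip)
        if ptr is None:
            entries.add("https://" + ip)       # add the address itself
        else:
            # Naive second-level domain (last two labels); wrong for names
            # under multi-label suffixes such as co.uk.
            entries.add(".".join(ptr.split(".")[-2:]))
    return sorted(entries)


if __name__ == "__main__":
    for url, allow in [
        ("https://mail.google.com/a/myfamilydomain/", ["google.com"]),
        ("https://mail.google.com/a/myfamilydomain/", ["google.com", "1e100.net"]),
        ("https://store.apple.com/", ["store.apple.com"]),
        ("https://no-ptr.example/", ["no-ptr.example"]),
        ("http://www.google.com/search", ["www.google.com/mail"]),
    ]:
        print(url, allow, "->", check(url, allow))
    print(suggested_entries("no-ptr.example"))
```

In this model, listing only `store.apple.com` still blocks the https request because the name compared is `cup-store.apple.com`, and an entry such as `www.google.com/mail` opens all of `google.com` because the path is discarded.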

I didn't used to have to do all this, so it feels like Google and/or OpenDNS or both of them changed something about two weeks ago.

[1] It's so incredibly tedious. You have to log out of the account, make changes from an admin account, log in again, etc. It saves a bit of time if you remotely manage the parental control prefs rather than use a local admin account. If you look at blocked sites in the logs you can get a clue what's going on and you can right click on blocked sites to enable them. When doing remote admin you need to force a write of your changes by switching tabs - I keep forgetting to do that.

Update:
  • A series of Google discussions in 10/2009 suggested adding the Google.com IP address to the permitted site list: https://74.125.45.100. I believe this is the "secret sauce".
  • Another user was dealing with "try to block adult content automatically" problem of all https being blocked. They used a pattern template in permitted sites: [https://*.*.gmail.*.*]. I am skeptical that this adds anything.
Update 5/5/10:
  • From a google help forum Jawl's Dad wrote: I opened a terminal ... and typed the command host mail.google.com. The first four addresses [see San Martin, above] I added to the 'Allowed sites' with https://a.b.c.d and it works fine now....
Ahh, yes. The Host file. Slowly the memories return. I used to edit host files back when we had to make our own electricity. I'd forgotten about using it to block domains, but that method goes back to the very dawn of the net. It was once used to block advertisers, but I think they got around that. Note that editing the Host file impacts ALL users on a machine, and you may need to worry about permission related side effects.

Searching on Parental Controls and "Host file" brought me a few references.
Update 6/9/10: After a bitter battle, and a review of 3rd party parental control solutions that suggested this was a dying market, I again restored https access to google. So I had to walk through the above post.

I can't say it's the only thing one has to do, but the addition of https://74.125.45.100 to the Parental Controls whitelist did the trick. It resolves, by the way, to a beta trial of encrypted search services. I need to enable this google.com access even when my son is using our Google Apps site -- the authentication step requires an https Google.com connection.

Update 2/7/11: I gave up on using Google web tools. Not at all family friendly. Did come across a tip to add to this thread ...

One more step is required: after adding https://74.125.45.100  which actually only took me to the google home page (though Parental Controls still restrict any browsing from there) THEN ALSO ADD https://mail.google.com/mail - so the combination of the two additions in the allowed websites does the trick - then when attempting to access Gmail go to gmail.com and the Gmail homepage opens

Wednesday, May 04, 2011

Bing and Parental Controls - worse than Google

Google's parental controls are pretty feeble, though there's a roundabout way to lock filtering to the most severe setting.

What about Microsoft's Bing? Bing starts out with one significant advantage -- the connections are not https encrypted so OS X domain filtering actually works.

Alas Bing's controls seem even weaker (emphases mine) ...

Block explicit websites

... Ensure that SafeSearch is always on when your kids search on Bing, choose what they see online, set time limits and game restrictions, and more. Windows users can install the free download, Windows Live Family Safety....

Ensure SafeSearch is on, I presume, by standing over your favorite teen! [3]

Interestingly in 2009 Microsoft had a better approach to parental controls ...

Bing Modified To Enable Porn Filtering - CBS News

... , "explicit images and video content will now be coming from a separate single domain, explicit.bing.net...

... Almost all third-party filtering tools can be configured to block specific domains or sites, as can the parental controls in Microsoft Vista and Mac OS X...

After this 2009 press release however, Microsoft removed all references to explicit.bing.net [1]. I wasn't able to find any explanation of what happened to it. [2]

My own tests suggest Microsoft really did abandon this scheme. The domain 'explicit.bing.net' brings up the usual bing interface, so the domain still exists, but there's no longer any redirecting to this domain. For example, a search on "Hot Babes" with OS X Parental Controls blocking explicit.bing.net brought up an impressive array of high resolution images.

Without the ability to lock Bing's parental control settings, and with the inexplicable demise of explicit.bing.net, Bing manages to come in 2nd behind Google's parental controls. The one advantage of Bing is that the lack of https encryption makes it easier to track pages visited.

[1] Either that or their feeble Blog search doesn't work with Safari. Microsoft is falling apart almost as fast as it grew to power.
[2] I wonder if corporate lawyers advise against attempting to do parental controls. Microsoft probably has less liability if they do nothing than if they provide an imperfect solution. 
[3] Though it doesn't help OS X users like me, Windows Live Family Safety sounds relatively useful.

Thursday, March 04, 2010

Subsite filtering - harder than it looks

In general the kids earn supervised computer time, but we have a "learning workstation" that's open access and less supervised. Demand is limited however; the Learning account is restricted to "educational sites". Educational as defined by Dad. The permitted sites are not terribly exciting.

One of the better sites is National Geographic Video. In fact almost all of the Nat Geo site is great -- except for the games. Of course that's also the part of the site that gets the ad revenue, so Nat Geo isn't keen to turn it off.

Naturally the kids just want to play the games. OpenDNS, OS X Parental Controls and the wee firewall built into one of our routers will let me block domains, but not specific URL patterns. So if I block Nat Geo games, I block everything.

Google's not helping me with this one. It doesn't help that the Parental Control software marketplace for OS X is moribund, probably done in by OS X Parental Controls and Steve Jobs' presumed personal antipathy to parental controls. I'm also not finding any "home filtering firewall" articles, but that might be a Google problem.

I am also beginning to suspect that selective subsite filtering is technically very hard - or impossible.

I thought I'd try a proxy server with built-in filter controls, but those things are harder to find than the last time I used one about 15 years ago.

So I'm stuck for the moment. I'll update this post if I learn more. Of course eventually the kids will learn the workarounds, but by then they'll either be net solo or I'll have bigger things to deal with.

Update 3/4/2010: OS X includes Apache server; this post makes it sound relatively easy to use it as a proxy server and use ProxyBlock to control access. Unfortunately it's not clear whether you can control access to a subdomain; I suspect not.

Sunday, January 01, 2012

Parental Controls on iOS and OS X: what we do now

A year or two ago I wrote about how Google and Apple have both failed Parental controls. Since then things have not gotten much better.

In response to a comment on an old post, this is the compromise I use for the children's accounts on iOS and OS X.

  1. Google is blocked. I find Bing searches easier to track and control because it doesn't use https.
  2. Children get our family Google Apps domain email through mail.app IMAP, not through Gmail.
  3. Children access our family Calendars from their iPhones, not from the desktop. (I could use iCal on the desktop, but iCal is one of the worst pieces of software garbage ever produced.)
  4. A 'Family and Learning' account can be accessed at any time. It has very limited net access, has WorldBook, has apps, iTunes, etc.
  5. Each child has their own account. Parental control is set to 'automatic' with a few domains specifically allowed. I was never able to get domain specific filtering to work. After they are on the computer I review their browser history with them. They could of course delete specific browser pages, but I don't believe they have (the computer is very visible and public). I stopped reviewing log files because Apple's log file review UI is almost as crappy as iCal.
  6. Because iOS apps have so many back doors to webkit, particularly via ads, we don't use any 'free' apps. Safari is disabled. For now we allow iTunes despite the content it provides -- the boys are getting older.

This works for us, but Apple's Parental Control support is lazy and incompetent. They simply don't care.

Android/Google, as best I can tell, are worse. Note that Google Gmail explicitly states all US users must be 14 or over (COPPA partly, but really this is a Google copout). I don't think Android OS includes any default parental controls.

I don't know how Windows 7 does. I suspect it's a bit better. I can't find anything about parental controls in Metro/Windows Mobile.

Friday, May 29, 2009

Can't select Jabber or Google Talk for iChat? Here's one reason.

I really felt like crying when I ran into this latest bit of Apple tragi-comedy.

I tried configuring iChat on my mother's managed account (protect the Dock from accidental deletions), but I couldn't use her Gmail credentials (Google Talk option). Jabber and Google Talk were grayed out.

Why?

Google tells us ..
Apple - Support - Discussions - Can't add jabber or google talk, ...
... Jabber [and Google Talk] and in Fact Bonjour over iChat are excluded in Leopard when Parental Controls are activated...
It doesn't matter that the Parental Controls have no restrictions on iChat or the web. If you enable parental controls, even if all you're doing is protecting the Dock from changes, then iChat can't use Google Talk.

Why not? Why this senseless, irrational, bit of blithering madness that's persisted, without documentation, through 7 point updates to 10.5.7?

Because Apple hates us.

There's a comparable mysterious "Gray out" in iTunes related to iPhone parental controls, but at least that makes a kind of sense.

I hate you too Apple.

Update 4/17/2010: An Apple Discussion post describes enabling Adium functionality even with Parental Controls:
http://*.*.live.com
https://*.*.live.com
http://messenger.live.com

By adding the above we were able to get Adium to work while still having parental controls turned on.
See also: OS X Parental Controls: The https bug and our family Google Apps services.

Thursday, June 24, 2010

Parental controls bugs in Safari 5: can't add sites to whitelist and more

I posted this to Apple's Discussion forum:
Apple - Support - Discussions - Parental controls bug with 10.6.4 and Safari 5 
When Safari is locked in Parental Controls it only opens approved sites. If a user tries to go to a non-approved site a dialog appears allowing an admin to add the site. If the admin authorizes ongoing use, the site should be added to the Safari bookmarks bar.

That's not working any more. The site is not added. The Admin has to drag the url to the bookmarks bar and reauthenticate. If the admin does not do this the authorization will not stick.

Anyone else see this?
Might be a new 10.6.4/Safari 5 bug.

Also users are able to edit Safari 5 settings even when Parental Controls are on. I need to retest, but I think that's broken too.

Lastly, today is the first time I tried copying parental controls from a remote to a local account. I have a feeling there are bugs here as well. In the app access control I am seeing apps listed as local that I think are only on the remote account.

It's always been easy to find serious Parental Control bugs, but I think some of these are Safari 5 problems. I don't think Apple QAs OSX Parental Controls.

Update: I've submitted a bug report on this.

Monday, June 07, 2010

Parental controls: Apple and Google joint fail

After an epic struggle, I've given up on Apple's parental controls. They never worked very well, but Google's change to https seems to have broken them completely. I can't enable Google Calendar or Gmail access without also enabling image search. I'm not even sure I can allow Google access while blocking YouTube (the rules seem to be changing quickly).

It's a bleedin' mess.

I'm currently evaluating Net Nanny and Safe Eyes, but really I don't want either of them. I need a net appliance I can configure for our entire network. Those devices, however, cost thousands. Or I need to give up on Google.

I'm seriously considering the latter. If MobileMe were to offer Google-class calendaring I could use Bing for family search. I think OS X Parental Controls may still work with Microsoft's offerings.

I have to imagine Windows 7 parental controls are far better than Apple's, otherwise vast numbers of parents must be in full denial ...

Update 6/9/10: xkcd - Now I get it. So this is how things work for those that don't realize quite how bad things are ...

Update 6/14/10: I might be having some limited success with the combination of ...
  1. OS X Parental Controls: whitelist only, with the https://74.125.45.100 trick and our Google Apps family domain.
  2. Google's lock safe search set to the most severe filtering. It's not obvious, but I think you can log in with a parent's personal iGoogle account, lock safe search, then log out. You must, however, enable always receive cookies which is probably a serious security risk. Clearing cookies will clear this, but Parental Controls makes that harder to do.
Update 6/17/11: A comment suggests iBoss Home, a combination of wireless router and a subscription service.

Thursday, November 19, 2009

Parental Controls - The wikipedia problem solved

I'm setting up a special account on one of our laptops that will be used by my son with light supervision. It will be much more restricted than the account he uses when closely supervised.

So I'm back with Apple's notoriously buggy Parental Controls. It's been a while, so I was pleasantly surprised to see that several old bugs are better in the latest version of Safari and 10.5.

One is acting strangely however. I wonder if it's a new Safari bug. When I limit access to listed web sites, many links within the site are unavailable. This isn't how it's supposed to work (emphases mine) ...
Mac OS X 10.5: About the Parental Controls Internet content filter
... If 'Allow access to only these websites' is selected in Parental Controls, the Internet content filter blocks any website which is not on the list. When the blocking web page is presented, a list of allowed websites is also shown. If using Safari, allowed websites are displayed as bookmarks in the bookmarks bar.

Note: For most websites, the Internet content filter considers the domain name and not the path. For example, if http://www.example.com is added to the list, then http://pictures.example.com will be allowed, as will http://www.example.com/movies....
The key word here is "most". In one site I tested it works as above. In another, only the main page is accessible. I can't find any documentation that explains why behavior varies by site. I'll try asking on Apple Discussions.

Update 11/20/09: I found a 2008 post on this topic. The user never found a fix, but later, on a different 10.5 machine, the problem resolved.

Update 11/21/09: Wikipedia has a nonstandard approach to IP addresses. I can use ping to find an IP address for simple.wikipedia.org, but I can't use that address in a URL. I suspect this is done to meet some security and confidentiality goal. However this approach may also defeat Parental Controls, which probably works from IP addresses.

Update 11/21/09b: We use OpenDNS on some kid machines, and OpenDNS supports a "shortcut" redirect like "simple" for simple.wikipedia.org. Except it doesn't work for this domain. Wikipedia is doing something unusual with IP addresses, perhaps as a side-effect of protecting user IP addresses. I think Wikipedia manages IP addresses differently for logged in users, so I'm going to explore that option next.

Update 11/21/09c. I dance the geek dance of Dilbertian triumph. What worked for me is the combination of establishing a user account and secure server access (https to wikimedia.org server). The sequence I followed is:
  1. From Admin account turn off content controls for the child account browser.
  2. In Child account create a user account on wikipedia and use their secure login: https://secure.wikimedia.org/wikipedia/simple/wiki/Special:UserLogin. Create a bookmark to this page.
  3. Go to main page: https://secure.wikimedia.org/wikipedia/simple/wiki/Main_Page. Create a bookmark to this page.
  4. Now return to Admin account and limit access controls to the above listed bookmarks.

Monday, June 22, 2009

OS X parental controls still broken in 10.5.7

I checked after the 10.5.7 update. The Parental Controls log is still broken; if you set the range to anything more than 1 month you get no results.

Alas, it doesn't end there.

In theory you can use parental controls to configure managed accounts so that a managed user can change their password.

In practice, when I do that, the managed user cannot click on the Accounts PreferencePane (it's grayed out). So the setting to enable password change does nothing.

Lastly, if you switch a user from managed to standard so you can change their login password and keychain password together, OS X loses all the allowed and disallowed websites configured in Parental Controls. If you switch back to Managed User you start over.

Apple's Parental Controls have been broken in every version of OS X I've used. I think they last worked in Mac Classic version 8 or so.

Why, oh why, can't we customers be more demanding?

Wednesday, July 28, 2010

Apple's Parental Controls: Never more broken than with Apple's MobileMe

You haven't really felt the full pain of OS X's busted parental controls until you try to enable MobileMe access on a restricted account.

I've tried and failed repeatedly with both MobileMe synchronization and me.com web access. To enable them I had to disable all application and all web content restrictions.

I'd previously run into the Google Parental Controls problem. You can't enable access to a Google Apps domain without also enabling access to Google search. I thought MobileMe would be more parent friendly. I was "oh so wrong", if anything it's a bigger Fail than Google.

If only I could lock Steve Jobs into a room until he got this working. Apple's Parental Controls would be a quite different experience.

I give up. Time to try something different.

Friday, September 20, 2013

iOS 7 fixes iOS parental controls webkit hole. Finally. (EXCEPT for Siri)

It's been exactly three years since I wrote Apple's iPhone parental controls are completely broken.

Sure, you could turn off Safari -- but there was no way to disable use of webkit embedded browsers. A lot of apps and games kids like, including encyclopedias, use links that bring up an embedded browser. From there it's often a few hops to Google and beyond.

I ranted about this in various places, but mine was a lonely voice. (One can imagine many reasons why most parents don't seem to be concerned about full web access with iOS devices, but, whatever the reason, there's clearly no clamor for a fix.)

Today, years after I gave up, Apple fixed parental controls in iOS 7. You can use Restrictions:websites:specific websites only to restrict both Safari and webkit access to urls. I believe the changes were made pretty deep in the iOS network stack, they seem to affect all browser use.

iOS comes preconfigured with a set of approved sites. The list is not simple to edit but they are all fine with me. You can add others.

There are bugs. Even preconfigured sites seem to sometimes require second authentication on attempted access. Still, it's a big, albeit very late, improvement.

iOS 7 is quite slow on the iPhone 4s two of the kids use, but this one feature is worth the sluggishness.

Update: In early testing #1 says he can't hack the current restrictions. It also seems to be far more useable than superficially similar site restrictions in OS X Mountain Lion; Mountain Lion's current mechanism has been completely broken. I wonder if some serious attention went into making this work.

Update 11/29/2013.

Siri: "Show me pictures of dogs". Shows dogs.

Siri: "Show me pictures of xxxx"....

You have to disable Siri, there are no parental controls there.

Thursday, July 29, 2010

The multi-iPhone family - two approaches

What's the best way to manage multiple iPhones in a single family?

There are at least two broad approaches, and combinations of them. We've tried 'em all. At the moment we manage 3 iPhones (parents and one child) and 1 iTouch as well as several iPods.

I'll share our experiences here.

Apple's preference is for every family member to have at least a separate OS X user account, if not a separate computer. Each person should have a companion MobileMe that manages synchronization across multiple machines. Apple would probably prefer that each family member have their own iTunes (.mac) account for media purchases, so DRMd material would only play on one device.

This approach does have advantages, but there are obvious disadvantages. It's an expensive and complex approach with a lot of management needs and there are issues with sharing apps and movies.

We've used a variant of the "Apple approach" with two user accounts on one machine, and all purchases through a single iTunes account (mine). One account owns iTunes and apps, the second subscribes to App updates through "family sharing" [1]. This does enable each account to have its own Address Book and it aligns well with using MobileMe on phone and multiple OS X machines.

This "classic" multi-user approach blows up completely when you add Parental Controls. Among other problems, MobileMe is violently incompatible with Parental Controls. I wasted hours trying to make it work before I retreated to a much simpler Google approach.

The Google Approach [2] is relatively painless. I use it with my son's iPhone. I sync it in my user account for media access and app installation, but I use Google Sync (Exchange server/ActiveSync) against his account on our family Google Apps domain for the phone's email, contacts and calendar. He could access the Google Calendar and Mail through a Parental Controlled account using OS Mail and iCal but in practice he just uses his phone [3].

There are some downsides since iTunes is designed for a single user with a single set of "last played" values and ratings, but in practice the confusion is modest and the pain reduction is immense. It's also much cheaper than the "Apple approach".

So, going forward, we're making less use of the OS X desktop, more use of Google (alternative is MobileMe) cloud services. This gets around the sharing/identity problems of iPhone synchronization.
--
[1] We go through some geeky maneuvers so that my wife can have full access to all media from her user account without replicating files. See links below for tips. In short; set iTunes to not import, then media library into client iTunes. Incredibly iTunes creates links to media.

[2] You can do this with MobileMe on the iPhone and the MobileMe web interface, but without the Parental Controls-incompatible desktop you lose a lot of the value of MM. For various reasons we've gone the Google approach.

[3] Google web browser access is (yet again) OS X Parental Control hell. You can't enable web access to a Google Apps domain without enabling access to Google search.

Sunday, March 02, 2014

Lion: prompted for lpadmin group when printer pauses (and Apple's permissions mess)

I didn't have a problem with Snow Leopard and my prior printer, but our elder MacBook (plastic, dual USB, no ML support) running Lion is having repeated problems with our Brother HL-6180DW. The printer keeps going into a paused state (sleep / wake bug?), and users are prompted to "Type the name and password of a user in the lpadmin group to allow...". Of course the kids don't know what to type -- and this is a very awkward prompt in any case. Something is broken.

Of course a lot of things are broken with OS X and printing - even in Mavericks. So this isn't a great surprise. It is annoying though.

There are lots of online tips on this, mostly focusing on terminal commands for adding users to lpadmin manually or disabling printer queue password requirements. Sometimes they seem to work, sometimes not [1].

The only Apple doc on this covers 10.5 (Leopard) to 10.6 (Snow Leopard). It's weirdly written, and suggests some intersection with parental controls "Limit printer administration" (which makes sense). Then it talks about toggling admin privileges for the admin user, even though one assumes that only non-admin users would see the prompt.

FWIW even after I created a new admin account on the Lion machine OS X 10.7 wouldn't let me toggle admin status for my primary admin account. It merely said it couldn't. Seems there was something odd about that admin account. So I deleted it (my admin accounts are all disposable, I only use them for admin tasks). I'll see if fixing that makes any difference. If not I'll play around with toggling parental controls and exploring Workgroup Manager and those terminal commands.

- fn -

[1] If you don't like Terminal Commands take a look at Workgroup Manager. Lion’s Server Admin Tools includes Workgroup Manager, I used Workgroup Manager downloads to get the Mountain Lion version (see also). You need to select “Show System Records” to see the “system” users and groups (thank you Google).

In Mountain Lion the lpadmin group is _lpadmin and the Name is Print Administrators. All Administrators were members of lpadmin, and so was ONE of the FIVE non-admin accounts on that machine. Interestingly the ONLY non-admin member of lpadmin on my ML box has parental controls enabled. By Darwin, Apple made such a mess of permissions in OS X.

Update 4/5/2014

Most of the problems were with one user’s account. With Workgroup Manager I found he was NOT a member of Staff, but all other Lion user accounts were. He was a member of a Group that had the same name as his User Name, probably due to the horrid User/Group/Staff mess of 10.3 to 10.7. I deleted that Group and assigned him to Staff. I’ll see if that works.

There’s also a recent Brother printer driver update to try, and a firmware update. The latter requires Java, which is essentially obsolete on the Mac. I was able to perform the update using an old Lion machine. Shame on Brother for not supporting firmware updates via the web app. (They used to.)

Monday, September 20, 2010

Apple's iPhone parental controls are completely broken

I've ranted about how crappy OS X Parental Controls are, but I thought iOS did better.

Not.

My son specializes in hacking iOS. It's not hard. Even #@$@ PublicRadio.app has an $@$# embedded webkit browser function. Disabling Safari doesn't disable embedded WebKit access, and it's evidently extremely easy to incorporate WebKit into an app. So app developers do it -- because they can.

What the heck is wrong with Cupertino and parental controls? Is it the (bottled) water?

Update 10/2/2010: Martin in comments suggested a brilliant idea Apple could implement now. They could say that any app with unrestricted embedded webkit access gets an NC17+ rating. I'm sure PublicRadio and WolframAlpha would close their backdoors immediately.

Of course there are lots of things Apple could do in software, but that would take at least 6-12 months to do if it's not already done. I like Martin's suggestion.

Sunday, September 04, 2011

Back to the future: OS X Parental Controls, DVD Encyclopedias, and MacKiev

I was born into a world of progress. Things were supposed to get better, the old would fade away.

That was then. Now we live in a whitewater world. One year we get the iPhone, another year movie viewing fails. Bits and pieces of solutions come together then fall apart again. Cloud services come and go with bewildering speed (fear the cloud).

In this world all-but-forgotten DVD Encyclopedias are making a return to our home. That's weird.

They're coming back because OS X Parental Controls have failed me [1]. Lion's PC "bug fix" was the last straw.

Sure, I blame Apple -- but it's not their fault alone. For reasons both good (bypass tyrants) and bad (involuntary marketing) the web fights controls. I can't win this fight.

So, in addition to the child accounts we monitor by log tracking (%$$# OS X Log Viewer), I've created a completely open account on one of our machines. That account can be open ... because it has no net access. None at all.

This account has old-school local apps like iTunes (access to our media server, App Store and Ping disabled) and AppleWorks. The machine is old enough to also include a 6+ yo copy of World Book encyclopedia.

That old encyclopedia could do with a tune up. So I took a look at what's available in DVD land. Amazon has the 2011 copy of EB (Mac/Win) for $23. That's a good end-of-year deal, but I'm skeptical about the quality of their OS X software.

On the other hand, MacKiev, a Ukrainian OS X dev shop that did a great job resuscitating Mavis Beacon Teaches Typing, produces the Mac version of World Book Encyclopedia. It runs on both legacy and Intel machines all the way from 10.3.9 (!) to Lion. It's more money ($40) but I'll give it a try once the 2012 edition comes out.

I've really got to hold onto my old software going forward.

[1] Incredibly, iOS is even worse.

Tuesday, November 17, 2009

LEGO Digital Designer is pure evil on OS X

I downloaded LEGO Digital Designer : Virtual Building Software for my Lego-crazed 10 yo. It's going to be hard to tell him it doesn't work on OS X.

I got it working on one account, but on another it says there's no internet access (cannot access internet) -- then it hangs. I have to kill it.

It looks and smells like a cheap hacked port from Windows, probably outsourced to the lowest bidder.

I'm one seriously annoyed customer. Maybe it's time to try to interest Ben in the non-Lego world. Lego doesn't really need our money this holiday season.

Update: It's incompatible with parental controls. If controls are enabled in any way, even if all web access is allowed, it doesn't work. I wonder if it uses some chat protocol to communicate with the server; I know enabling parental controls blocks jabber/google talk protocols in 10.5 (bug).
--