I've looked through this site and others and can't find the best way to manage Parental Controls on OS X 10.11 MacBook Airs. The laptops are mostly now in the hands of students, and I would love to be able to do 1 of 2 things.
1.) Set parental controls for all accounts on laptops. Specifically restricting explicit content and setting rating limits on Movies, TV Shows, and Apps in the app stores.
2.) Alternatively, a way to allow parents to manage parental controls on laptops without having to set up an additional administrator user on laptops. I see doing that as a huge potential loophole for students to gain admin access to laptops.
Any help, specifically examples of how you are handling this, would be greatly appreciated.
These things can't be managed on the Mac quite as readily as on iOS, but one option might be to control iTunes's preferences.
iTunes has the following keys in its preference file:
restrictExplicit = 0;
restrictExplicitBooks = 0;
restrictGames = 0;
restrictMovies = 0;
restrictTVShows = 0;
So, you may be able to use MCXtoProfile to convert an iTunes preference file set with the things you want to restrict into an MDM profile that you can distribute over the air.
You could prep the file with the defaults command or just go into iTunes's preferences and set your restrictions in there. If set with a profile these settings will not be modifiable by them, so do make sure that students/parents understand where the restriction is coming from.
Do a search for MCXtoProfile here and elsewhere on the web for many good examples.
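To show the kind of profile the conversion described above ends up with, here is an added example (not from the original post and not mcxToProfile's own code) that builds a custom-settings payload forcing the five iTunes keys. The `com.apple.iTunes` domain, the `True` values, and the identifier and description passed in by the caller are assumptions of this example.

```python
import plistlib
import uuid

# Keys quoted in the post above. The True values (restricted) and the
# "com.apple.iTunes" domain are assumptions; check them against a prepared file.
ITUNES_RESTRICTIONS = {
    "restrictExplicit": True,
    "restrictExplicitBooks": True,
    "restrictGames": True,
    "restrictMovies": True,
    "restrictTVShows": True,
}

def build_profile(domain, settings, identifier, description):
    """Return a profile dict that forces `settings` in preference `domain`."""
    if not settings:
        raise ValueError("no managed keys given")
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        # "Forced" settings are always enforced; the user cannot change them.
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iTunes content restrictions",
        # Shown to the user, so students/parents can see where this comes from.
        "PayloadDescription": description,
        "PayloadContent": [payload],
    }

def forced_keys(profile_bytes):
    """Audit helper: list the forced keys per domain in a serialized profile."""
    found = {}
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.ManagedClient.preferences":
            for domain, states in payload["PayloadContent"].items():
                for entry in states.get("Forced", []):
                    found.setdefault(domain, {}).update(entry["mcx_preference_settings"])
    return found
```

Serializing the result with `plistlib.dumps()` and saving it with a `.mobileconfig` extension gives a file that can be uploaded to the MDM; `forced_keys()` can be run over any existing profile to confirm which keys it locks before it is distributed.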
I'm not sure about the iTunes, but our environment is pretty similar to yours and we push out parental controls via config profile with curfew time, e.g. 10pm-6am. It works.. most of the time..
We have a static group that is connected to a policy that creates a 'parent admin' account when a parent emails and asks for extra control over the parental control settings. It works pretty well for us.
This is a very interesting topic. I tackled this some time ago and have a functional solution though there are probably better ways. Our users are BYOD but fully managed (imaged) and our faculty often give tests/quizzes electronically but desire certain computer restrictions to be set in place, without needing to involve IT. We've created a Self-Service policy that will install a restricted user called "test" on student machines. This is how I accomplish that.
I set up a "test" user on a current machine and manually set all of the parental controls that I want to set. Then I log into another account and export the plist using dscl:
# Export the parental controls plist for user "test"
dscl . -mcxexport /Users/test -o parental_controls.plist
Now that we have the "parental_controls.plist" we can use that to restrict newly created users. I've been using "CreateUserPkg.app" to create a user installer package. This User is called "test". I can go into detail if anyone likes but the point is that you will need to create a user to restrict as part of any such policy.
I take the .pkg from CreateUserPkg and place it in /private/tmp along with the "parental_controls.plist" and drag both items into Composer.
Then I add a postinstall script that installs the user via the included .pkg, sets permissions and then imports the parental_controls.plist:
#!/bin/bash
# Install user package created with CreateUserPkg
/usr/sbin/installer -pkg /private/tmp/create_test-2.0.pkg -tgt /
# Set permissions for new user "test"
/usr/sbin/chown -R test /Users/test
# Import parental control plist
dscl . -mcximport /Users/test /private/tmp/parental_controls.plist
This NEEDS to be exported from Composer as a .pkg or you will not be able to use the 'postinstall' script. However, once you've done that it can simply be deployed as a standard .pkg and loaded into a policy however you like.
We also include a Self-Service policy to remove the test user when an exam/quiz is finished. Faculty members ensure that students log out of the "test" user and run a Self-Service policy that deletes the "test" user.
@pbileci Were you able to solve your problem? I noticed that the parameters I sent out for Parental Controls were indeed getting there. It's just that Parental Controls was not enabled on that account. So, how does one enable Parental Controls on an account?
At first it seems beguilingly simple, but then I discover there's more to finding the solution.