Managing Parental Controls on Computers

sapalmerBCS
New Contributor III

I've looked through this site and others and can't find the best way to manage Parental Controls on OS X 10.11 MacBook Airs. The laptops are mostly now in the hands of students, and I would love to be able to do 1 of 2 things.

1.) Set parental controls for all accounts on laptops. Specifically restricting explicit content and setting rating limits on Movies, TV Shows, and Apps in the app stores.

2.) Alternatively, a way to allow parents to manage parental controls on laptops without having to setup an additional administrator using on laptops. I see doing that as a huge potential loophole for students to gain admin access to laptops.

Any help, specifically examples of how you are handing this would be greatly appreciated.

11 REPLIES 11

psliequ
Contributor III

These things can't be managed on the Mac quite a readily as on iOS, but one option might be to control iTunes's preferences.

iTunes has the following keys in its preference file;

restrictExplicit = 0;
restrictExplicitBooks = 0;
restrictGames = 0;
restrictMovies = 0;
restrictTVShows = 0;

So, you may be able to use MCXtoProfile to convert an iTunes preference file set with the things you want to restrict into an MDM profile that you can distribute over the air.

You could prep the file with the defaults command or just go into iTunes's preferences and set your restrictions in there. If set with a profile these settings will not be modifiable by them, so do make sure that students/parents understand where the restriction is coming from.

Do a search for MCXtoProfile here and elsewhere on the web for many good examples.

sapalmerBCS
New Contributor III

@psliequ Thanks. I'll take a look at MCXtoProfile.

pakkari
New Contributor

Hi,

I'm not sure about the iTunes but our environment is pretty similar to yours and we push out parental controls via config profile with curfew time e.g. 10pm -6am it works.. most of the time..

We have a static group that is connected to a policy that creates a 'parent admin' account when a parent emails and asks for extra control over the parental control settings. It works pretty well for us.

Chris_Hafner
Valued Contributor II

This is a very interesting topic. I tackled this some time ago and have a functional solution though there are probably better ways. Our users are BYOD but fully managed (imaged) and our faculty often give tests/quizzes electronically but desire certain computer restrictions to be set in place, without needing to involve IT. We've created a Self-Service policy that will install a restricted user called "test" on student machines. This is how I accomplish that.

I setup a "test" user on a current machine and manually set all of the parental controls that I want to set. Then I log into another account and export the plist using a dscl:

#export the parental controls plist for user "test"
dscl . -mcxexport /Users/test -o parental_controls.plist

Now that we have the "parental_controls.plist" we can use that to restrict newly created users. I've been using "CreateUserPkg.app" to create a user installer package. This User is called "test". I can go into detail if anyone likes but the point is that you will need to create a user to restrict as part of any such policy.

I take the .pkg from CreateUserPkg and place it in /private/tmp along with the "parental_controls.plist" and drag both items into Composer.

48dec79853fe4ec29d68ceade89f4d4c

The I add a postinstall script that installs the user via the included .pkg, sets permissions and then imports the parental_control.plist

#Install user package created with CreateUserPkg
/usr/sbin/installer -pkg /private/tmp/create_test-2.0.pkg -tgt /

#Set permisisons for new user "test"
/usr/sbin/chown -R test /Users/test

#Import parental control plist
dscl . -mcximport /Users/test /private/tmp/parental_controls.plist

This NEEDS to be exported from composer as a .pkg or you will not be able to use the 'postinstall' script. However, once youv'e done that it can simply be deployed as a standard .pkg and loaded into a policy however you like.

We also include a Self-Service policy to remove the test user when an exam/quiz is finished. Faculty members ensure that student log out of the "test" user and run a Self-Service policy that deletes the "test" user.

Chris_Hafner
Valued Contributor II

I should probably look into using profiles for this, but it has to be 100% so I might begin using profiles, but loading them directly as part of a policy rather than using APN.

anickless
Contributor II

Has anyone tried this with High Sierra? where does the mcxexport save the plist to?

Chris_Hafner
Valued Contributor II

@anickless

Has anyone tried this with High Sierra?

Yep.

where does the mcxexport save the plist to?

Wherever you are in the terminal at that point. Generally, your home directory.

pbileci
New Contributor III

There's an option when creating a configuration profile to set the Parental Controls, but it doesn't work when I apply the configuration profile to a Macbook. What does this setting actually do? I tested it on Mojave.

Chris_Hafner
Valued Contributor II

@pbileci How are you creating the parental Control profile? I just made one to test and it went quite funky on me. Mind you, it looks like creating the profile here for this is a bit limited but would be convenient in certain circumstances.

pbileci
New Contributor III

I create a new Configuration Profile and there is a setting for Parental Controls.

LACCITMH
New Contributor

@pbileci Were you able to solve your problem? I noticed that the parameters I sent out for Parental Controls were indeed getting there. It's just that Parental Controls was not enabled on that account. So, how does one enable Parental Controls on an account?

At first it seems beguilingly simple, but then I discover there's more to finding the solution.