The Loomiverse

The universe according to Loom



Parental Controls – First Impressions

4 September, 2009 (16:00) | OSX, Parental Controls | By: loom

Getting things sorted

I expected that the process of taking away my membership of the Administrator group would lead to problems running some of my applications, and I wasn’t wrong. The two applications that I’ve run into problems with so far are Wireshark and XCode.

I use Wireshark quite a lot at work, and the problems running it relate more to the fact that my recent installation of Snow Leopard changed things than to turning Parental Controls on. On OSX, Wireshark uses the /dev/bpf* devices to enable traffic sniffing, and by default these are owned by the root:wheel user and group, with only the root user being able to access them.

sudo wireshark

will get wireshark running as a standard user, but:

  1. that is bad, and
  2. my “Loom at Work” account isn’t in the wheel group anyway

The solution that Wireshark users on OSX adopt is to use a ChmodBPF startup item, which changes the ownership and permissions of the devices at each boot. Normally, this would set the group for the devices to the Administrators group; in my case, I have created a wireshark group, and added both the Parent and Loom at Work users.
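What that ownership change amounts to, as an added example rather than the ChmodBPF startup item's own code or anything from the original post: one helper gives a dedicated group read/write on the bpf nodes and removes access for everyone else, and a second reports any node that has drifted from that state. The helper names `bpf_grant` and `bpf_audit` are hypothetical, and the demo uses constructed regular files in a temporary directory in place of the real devices.

```shell
#!/bin/sh
# Added example, not the ChmodBPF startup item. bpf_grant and bpf_audit are
# hypothetical names; "wireshark" is the group created in the post.

# Give GROUP read/write on every bpf* node under DIR and strip "other" access.
bpf_grant() {
    dir=$1 grp=$2
    for dev in "$dir"/bpf*; do
        [ -e "$dev" ] || continue            # glob matched nothing
        chgrp "$grp" "$dev" || return 1
        chmod g+rw,o-rwx "$dev" || return 1
    done
}

# Print every bpf* node under DIR that is readable or writable by "other",
# is not owned by GROUP, or lacks group read/write. No output means compliant.
bpf_audit() {
    dir=$1 grp=$2
    find "$dir" -maxdepth 1 -name 'bpf*' \
        \( -perm -004 -o -perm -002 -o ! -group "$grp" -o ! -perm -060 \) -print
}

# Real use, as root at boot: bpf_grant /dev wireshark && bpf_audit /dev wireshark
# Constructed demo: plain files stand in for the device nodes, and the caller's
# own numeric group stands in for "wireshark", so no root is needed.
demo=$(mktemp -d)
touch "$demo/bpf0" "$demo/bpf1"
chmod 600 "$demo/bpf0"      # root-only, like the default described above
chmod 666 "$demo/bpf1"      # world-accessible, the state to avoid
gid=$(id -g)
echo "flagged before: $(bpf_audit "$demo" "$gid" | wc -l)"
bpf_grant "$demo" "$gid"
echo "flagged after:  $(bpf_audit "$demo" "$gid" | wc -l)"
rm -rf "$demo"
```

Running the audit after each OS upgrade catches the case mentioned above, where a new installation resets the device permissions.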

XCode was a bit more complicated. Pretty much everything works as a non-admin user, except for running and debugging code; for this a special permission is required, one that is granted to the normally hidden “Developer Tools” group, a group which the Administrators group is, not surprisingly, a member of.

Managing users and groups at this level with OSX’s DirectoryService is not exactly straightforward; at least it wasn’t straightforward for me initially. Once I found the Workgroup Manager application, which is part of the OSX Server Tools, things were simple. It appears that there are two developer related groups, Developer Tools and Developer Documentation. My solution was to create an XCode group, which is a member of both of those groups, and add both of my managed users to that group.

The Workgroup Manager application gives me a lot more insight into exactly how flexible OSX can be when it comes to account restrictions.  It seems to me that the standard “Parental Controls” feature is actually just a wrapper for a much more complete user management system.

With that housekeeping aside, I was free to move on to appreciating the experience of being a “Managed User”. Keep in mind that, as this is a closed process, I control all three of the Loom, Loom at Work and Parent accounts.

The following observations relate specifically to the Loom account.

Application Restrictions

The default set of restricted applications suggested by OSX is reasonably sane. In addition to the default set, I had given myself access to Photoshop, Corel PhotoPaint and a couple of other imaging related applications right from the start. No access to the Preferences panel is annoying, but on a well set up machine, it shouldn’t be a problem.

After less than an hour of doing “stuff” under these restrictions, I found that I needed – really needed – access to Terminal; playing with *nix based devices will do that to you.

The other thing that I can’t live without is SecondLife, but that’s just me.

Content restrictions

Initially, web access was not very successful. As I mentioned in my previous post, https is a problem, and not only because it needs parental approval every time you visit a new site. Normally, when the content filter decides I can’t see a page, I get a nice message telling me that that is the case. Searching for “Naked Goth Chicks” on Google Images results in the following.

[Image: NakedGothChicks]

I can click the Add Website and get Parent to let me keep browsing; Parent can choose to let me through just once, or anytime I like.

When I try to connect to https://www.google.com, I get this result instead:

[Image: HTTPSgoogle]

Not nearly as helpful. Parent needs to add https://google.com to the approved sites list using the Parental Controls preferences pane.

If that was the end of the problem, it wouldn’t be so bad. www.secondlife.com is an example of the difficulty that can come from this limitation. The SecondLife portal allows a user to log in and perform various account management tasks. The portal itself is all HTTP, but much of the traffic is HTTPS traffic. Only, the traffic doesn’t go to www.secondlife.com; it instead goes somewhere like https://load-balancer18.lindenlab.com. This conversation silently fails, and since the user gets no feedback about what failed, it is very hard to fix easily. The load-balancer18.lindenlab.com will turn up in the blocked sites log – more on that later – but simply adding it to the allowed sites list from there doesn’t help, since next time, it could be a different machine in the load balancer pool. The solution is to add https://lindenlab.com to the allowed sites list, since this allows access to all of the sub-domains as well. There are a lot of sites that use SSL only for important parts of a session, and serve static content from entirely different servers and domains.
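The sub-domain behaviour described above, modelled as an added example (not Apple's filter code and not from the original post): a host passes if it equals an allowed domain or ends with it on a whole-label boundary, and blocked-log entries are re-checked against the list to see what a parent-domain entry would clear. The function names, every log line other than load-balancer18.lindenlab.com, and the label-boundary rule itself are assumptions.

```shell
#!/bin/sh
# Added example; host_allowed, url_host and still_blocked are hypothetical names.

# url_host URL: strip scheme, path, userinfo and port, leaving the host name.
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h"
}

# host_allowed HOST DOMAIN...: succeed if HOST is one of the DOMAINs or a
# sub-domain of one. The "." in the pattern forces a label boundary, so a
# look-alike that merely ends in the same characters does not match.
host_allowed() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=${host%.}                           # ignore a trailing root dot
    shift
    for dom in "$@"; do
        case "$host" in
            "$dom" | *."$dom") return 0 ;;
        esac
    done
    return 1
}

# still_blocked DOMAIN...: read blocked URLs on stdin and print the ones the
# allow-list would still reject.
still_blocked() {
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        host_allowed "$(url_host "$url")" "$@" || printf '%s\n' "$url"
    done
}

# Constructed blocked-sites log: only the first host appears in the post.
blocked_log='https://load-balancer18.lindenlab.com/
https://load-balancer07.lindenlab.com/login
https://notlindenlab.com/'

echo "allowing one pool member leaves blocked:"
printf '%s\n' "$blocked_log" | still_blocked load-balancer18.lindenlab.com
echo "allowing the parent domain leaves blocked:"
printf '%s\n' "$blocked_log" | still_blocked lindenlab.com
```

A parent-domain entry trusts every host under that domain, so it is worth checking the blocked log for what else it clears before adding it.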

Despite these hiccups, the system isn’t too bad; it hasn’t really hampered my day to day browsing. I have already had a few experiences of being allowed access to one page in a site, while being blocked from a page that it links to. In each case that this has occurred, checking the logs and viewing the blocked content using Parent has led to pages containing some sort of adult content. Of course, we are relying here on someone else’s definition of adult, which is a subjective thing. The ability to easily grant access to blocked content on a case by case basis does a good job of negating the effect of this subjectivity.

Email/iChat

I haven’t been able to use iChat at all since I switched Parental Controls on. I used to use iChat connected to a Messenger account through a Jabber gateway. The Parental Controls don’t support Jabber, and so, I have no messaging. Microsoft Messenger is installed on my MacBook, and although I haven’t tried it, I’m guessing that I could use it unfiltered to chat with people, if only my Parent would let me. The Parental Controls for iChat only support MobileMe, Mac.com and AIM accounts. I expect that the experience is similar to using Mail.

I deliberately opted for a clean slate approach when I switched on the email Parental Controls. Mail and iChat are both limited to approved contacts only, and I left the initial contacts list empty. I did switch on the approval mechanism though. Every email with a non-approved email address (and I assume iChat contact) received by Loom triggers an email to Parent. The email sent includes the full text of the email received. Trying to send an email to a non-approved address prompts Loom to “Request Permission” first. The emails received by the Parent present a toolbar allowing Parent to approve (or dis-approve) of the contact for Loom. When approved, the mail which was previously hidden from Loom is visible on the next mail refresh.

I’m not sure how the process would work with another mail client though – say Outlook – the approval messages seem to use custom Apple headers.

Even though I am both Loom and Parent, I can’t begin to explain how invasive the process feels to me.  Even though Parent only sees the first email received from any given contact, the fact that they see even that email bothers me.  As a parent, I can see how important this is, and would like to see an “Approve this eMail” button in there next to the “Approve Contact” button.  Clearly a dialog between Parent and Loom needs to occur here.

The other benefit to the Parental Controls is that all of the Junk eMail rules get processed by Parent’s mail account, and the Loom will only ever get parentally-approved spam.

Time restrictions

Initially, I thought that the time restrictions that I imposed were quite reasonable – for me at least.  3 hours a day on weekdays, seemed like plenty.  The 10pm cut-off seemed reasonable.

15 minutes before time runs out, either total time on the computer, or the curfew kicks in, Loom is prompted to add more time.  Naturally, the Parent needs to enter a password here to allow a time extension.  It is important to note that time logged seems to be what counts here, so even if only a screen-saver is running, I am still using my allocated time.  I need to do some testing to confirm this however.  In the meantime, I have set a 15 minute automatic logout to minimise time loss when I wander away for an hour or two.

I have found myself repeatedly adding time to Loom’s session, and allowing myself to remain logged in past curfew, explaining to my inner Parent – quite successfully – that I am in the middle of something important; last night, it was reconfiguring my asterisk box.

The time extensions aside, I have found that these self-imposed limits are changing the way I use the computer – I am forced to prioritise my time.  I am planning to stop arbitrarily awarding myself more time – likely to be a failed plan – after I extend my weekend time allocation out to 7 or 8 hours.

Logging

OSX Parental Controls logs activity into four categories:

  • Websites Visited,
  • Websites Blocked,
  • Applications and
  • iChat

They track exactly what the names imply. The Websites Visited log gives a mechanism to block future access to a site, and the Websites Blocked log allows a site to be approved. Both logs can be sorted by date or site, and filtered by time. Any of the visited pages can be easily opened by Parent. The Applications log can be similarly sorted and filtered, and simply records how many times an application was used and how much time was spent using that application. I can see potential for application level time restrictions here. Until I work out how I’m going to test the iChat filters, I can’t report on how the logging works.

I’m a little surprised that there isn’t some kind of Mail log as well, detailing how many messages were sent to which contacts, possibly showing the content of those messages.

Like the Mail contact approval process, the website logs can be incredibly invasive. Everything that I have looked at, including my failed searches for Naked Goth Chicks, is logged there. That is of course the point. Like all of these tools, they will only work well if they are part of a dialog between Parent and the Loom.

As Parent, the logs give me enough information to talk to Loom about what it is that I am doing on the web; what Parent doesn’t get to see is what Loom actually looked at on Facebook.

Even more Parental Controls

My current obsession with Parental Controls and OSX led me to a search for more information on the subject.  So far I have found two more applications which include additional controls.

  • the DVD Player and
  • iTunes

The DVD player has a per account Parental Control option which requires an Administrator password to activate and deactivate. Once active, Parent needs to approve each DVD to be viewed by Loom. Approval can be granted for all future uses of that DVD or for a single session only. Whilst I have activated this feature, since I don’t watch many DVDs on my MacBook, it probably won’t affect me greatly.

iTunes allows access to various types of media to be restricted, and also enables content filtering on the iTunes Store. I have allowed all content types for Loom, but restricted iTunes store access to explicit material, and filtered Movies, TV shows and Applications to Australian PG, PG and 12+ respectively. I can only see the explicit content block and the restriction on iPhone applications actually affecting me since I have never used the other services. Interestingly, the settings appear to have no effect on the iPhone Apps that I have already downloaded, or on the music already in my library.

[Image: iTunesParent]

Next Steps

I am still using Parent fairly regularly, fine tuning Loom’s web access, and approving contacts. I expect that things will settle down on that front in the next few days. It is the feeling that everything I do is being monitored that I am having trouble getting used to.

As nonsensical as the statement is – there is absolutely nothing that I do on my MacBook that I disapprove of – I still feel as if I need to change my behavior because someone is constantly looking over my shoulder.
