Setting Parental Controls in Leopard
Mail & iChat controls
Click the Mail & iChat button to restrict the selected user’s access to e-mail and chat features. All you can do here is limit which correspondents your user can e-mail or chat with via Apple’s Mail and iChat applications (it does not apply to other software). If you check Limit Mail and/or Limit iChat, you prevent the user from communicating with anyone other than those whose addresses you enter in the list below the checkboxes. The list acts as a whitelist; the user can send e-mail only to and receive e-mail only from addresses in the list.
If the user tries to send e-mail to someone who is not on this whitelist, an alert appears, telling the user that the message can’t be sent to that address. And if an e-mail message arrives from someone who is not on the whitelist, that message will be blocked until a parent authorizes it.
If you select one or both of the Limit Mail or the Limit iChat boxes, your next step is to add any desired correspondents to the whitelist:
At the bottom of the area that lists allowed correspondents, click the plus (+) button (pictured, below).
In the resulting “sheet” (a special type of dialog), there are two ways of working:
In the Mail & iChat section of the Parental Controls preference pane, click the plus (+) button to add a user to the whitelist. If you check Send Permission Requests To, you can enter your address to receive approval messages for all email addresses not in the whitelist.
• If you think your correspondent is in Address Book, click the expansion triangle to view your Address Book contacts. You can enter a name in the search field to find any contacts that are in Address Book. If you find the contact you are looking for, select it and click the Add button.
This adds that contact to the list, and it allows the user to correspond with that contact via e-mail and iChat (if the contact’s e-mail address is a mac.com address, which can be used as an iChat identifier).
• If you can’t (or don’t wish to) use the Address Book option:
If you ever want to remove a contact from the list of allowed addresses, select it and click the minus (-) button.
You can also set an e-mail address to receive permission requests. These can be sent if your user attempts to exchange e-mail with someone not in the list of allowed contacts. A permission request contains the contents of the email your user is trying to send, with a header saying, “Is it OK for [user name] to send email to [recipient]?” You can click the Always Allow button to allow this message, and the user will receive an e-mail saying, “Apple Parental Control - Approved.” To work with permission requests, the person receiving them must be using Apple Mail in Mac OS X 10.4 Tiger or later.
To set up permission requests, at the bottom of the preference pane, check Send Permission Requests To, then enter the desired address.
E-mail and chat controls don’t cover all applications : The Mail & Chat controls explained here work only with Apple’s Mail and iChat. If your children use other programs for e-mail, or use webmail, or if they use other chat programs, these settings will have no effect. Count on most teenagers figuring this out pretty quickly.
In addition to all the limits I’ve just discussed—limits to system features, applications, Web content, e-mail, and chat—you can also set time limits so your user can access the Mac only for a limited amount of time on weekdays and on weekends. In addition, you can prevent access between certain times—between bedtime and morning, for instance—on school nights and on weekends. To access time limits, click the Time Limits button in the Parental Controls preference pane.
You can constrain when a user can use the Mac by configuring the Time Limits section of the Parental Control preferences.
To apply Time Limits, be sure to select the user whose time you want to limit in the list at the left. Then, proceed through the settings at the right, limiting overall time spent on the Macintosh and when the computer may be used on weekend days and week days.
When you activate parental controls for a user, no matter what type of controls you apply, your Mac keeps a log of the Web sites that user visits. If you have content limitations set, it will also keep a list of sites that are blocked. If you have limited your user’s access to applications, it will list applications that the user has launched, as well as those that have been blocked, and if you have set limitations on iChat access, it will show all chat attempts made with people not in the user’s whitelist.
You can view these logs to see what your users have been accessing, and what has been blocked; for instance, this is useful if you want to know what Web sites they’ve been trying to visit. In the Parental Controls preference pane, select a user, click the Logs button, and then click one of the Log Collections, such as Websites Visited. You can filter the way this information is displayed, by choosing the duration and whether you want to see it by date or by site from the pop-up menus at the top of the Logs section.
To check out a Web site your user has visited, click it to select it, then click the Open button below. If you don’t like what you see, you can restrict that site—select it and click Restrict. (That button changes to Allow, so if you wish to remove the restriction later, you can do so by selecting that site and clicking Allow.)
You can check on which Web sites your kids have visited, or tried to visit, from the Logs section of the Parental Controls preference pane.
You can do the same for applications that have been used or blocked; to change settings, just select an application and select Restrict or Allow.
You can also view logs of chats that users have carried out with others. Just click iChat, then click a name in the log, then click the triangle to view the chats. Double-click a chat, and iChat will open showing the contents of the chat. If you don’t want a user to be able to chat any more with a given contact, click the contact’s name and then click Restrict.
Remote management of Parental Controls
In Leopard, you can remotely manage parental controls for users on your Macintoshes. This is especially useful if you have several Macs at home, and don’t want to go to each computer to make changes, or if you want to glance at your kids’ activity logs and see what they’ve been up to.
To allow this remote management, you must set yourself up with an administrator account on each Mac that you want to manage remotely. And, on each Mac, to turn on remote management, open the Parental Controls preference pane and check Manage Parental Controls from Another Computer. Then, from the Action pop-up menu, choose Allow Remote Setup. Note that this setting applies to all accounts on the Mac.
To access the controls for remotely managing users on a different Mac, do the following:
You’ll now see a list of users available. (If you were to disconnect from the remote Mac in the Finder, you’d still be able to access this list in the Parental Controls preference pane.)
Now, you can configure the parental controls for the selected user just as if you were in front of the managed Mac; you can even enable parental controls for those accounts where you have not yet done so. You can also view logs, so if you want to check up on what your kids are doing when you’re not able to look over their shoulders, you can do so. (I explained how to work with these controls earlier in this section, so flip back a few pages if you need directions.)
Sidebar: Application limits don’t always work
When setting up a managed account, if you check Only Allow Selected Applications, the user is initially allowed to use the programs in either Applications folder, but no utilities in the Utilities folder. This is one way to prevent users from fiddling with Disk Utility, which can be dangerous.
However, blocking access to individual programs doesn’t offer ironclad protection. Although it prevents users from opening applications by double-clicking them, other applications can still sometimes open blocked applications.
Here’s an example. If you don’t allow a user to run Safari, other programs will still be able to launch Safari. Safari could launch, for instance, if a user ran iTunes and clicked a Web link in the iTunes Store.
To fully protect access to certain software, but still allow supporting programs to run (which you may need to do, especially for games), you must do some sleight of hand. First, log in as an administrator. Then, in the Finder, select the application you want to block and choose File -> Get Info (Command-I). In the Info window, open Sharing & Permissions; you’ll see three names listed: System, Admin, and Everyone.
System is Mac OS X itself, when it needs to access applications. Admin is any administrator. Finally, Everyone means all other non-administrator users, be they managed users or guests. Click the lock at the lower right of the Info window to authenticate, then, from the Privilege pop-up menu for Everyone, choose No Access. Finally, close the Info window.
Now, only an administrator account can access the selected application, because you’ve blocked access for all non-admin users. You can always go back and change these permissions again, giving Everyone Read Only access.
Note that if you change permissions in this manner for specific applications, you may need to change them again after installing any updates. If you ever want to reset permissions on Apple applications, you can do so by repairing permissions with Disk Utility.
[ Kirk McElhearn contributes regularly to TidBits, Macworld, and iLounge, and he has written and co-written a dozen books about using the Mac. His latest is Take Control of Users & Accounts in Leopard ( TidBits Publishing, 2007). ]