Editor’s Note: The following article is an excerpt from the just-released Take Control of Users & Accounts Leopard, a $10 electronic book available for download from TidBits Publishing. The 88-page ebook looks in depth at how user accounts work in Leopard, using accounts for troubleshooting, sharing files between accounts, and much more.
While Tiger had parental controls, they were part of the Accounts preference pane. Leopard has split these functions into their own preference pane, called Parental Controls. You can enable and configure parental controls at any time, for any account. You can also change these limitations as needed: for example, if a certain user needs access to an application you have blocked, or if you want to change the limitations applied to your Guest account.
To set or change parental controls, click the Parental Controls icon in System Preferences. You’ll see a list of accounts to which you can apply parental controls.
Note that you can’t apply parental controls to administrative accounts, or to Sharing Only or Group accounts. The Sharing Only and Group accounts can only access your Mac’s files over a network, so it wouldn’t make sense to apply parental controls to them.
 |
| When Parental Controls are enabled for a user, you can configure all of the above limitations. |
Enabling Parental Controls
To configure parental controls for any account, you first need to authenticate, by clicking the lock icon and entering your administrator’s password. Next, click a user name in the account list and then click the big Enable Parental Controls button in the main section of the window. When you have enabled Parental Controls for a user, you will see all the options available to you.
The Parental Controls preferences are on five sections, each of which is labeled by a button at the top of the pane. I cover each one in turn.
System controls
The first section in the Parental Controls preference pane, System, determines if the account is managed or if it uses Simple Finder, and it lets you choose which applications the account’s user can run.
 |
| When you apply Simple Finder to a user, you limit the access the user has in the Finder, but the rest of the Parental Control options don’t change. |
Simplified account To create a simplified account, check Use Simple Finder (pictured, right). This gives a simplified view of the Finder, with limited menu options, for younger users, or for those who you want to prevent from accessing all the functions of a normal account. Once you have made this choice, you can still apply the rest of the Parental Control settings.
Limit application access Whether you check use Simple Finder or not, you can limit a user’s access to applications on your Macintosh. To begin, check Only Allow Selected Applications. Now, a default set of applications becomes checked in the lower portion of the System section:
This set of checked applications is the same whether you have checked Use Simple Finder or not. However, if you have checked Use Simple Finder, the applications that you select in the list become available in the My Applications folder on the user’s Dock.
You can block access to any program by unchecking its checkbox.
In the case of the potentially huge Other group, you may see some software that you are not familiar with, such as helper applications. The applications are listed alphabetically, so scroll through the list and check any programs you want to allow, such as games. Note that some software may require certain helper applications, so it’s a good idea to look inside the folder containing the application and see if there are any other programs that look like they are needed.
By default, System Preferences isn’t checked in the Other group. However, I suggest that you allow it, so users can change settings, such as the Desktop picture, screen saver, and mouse-tracking speed. They won’t be able to access administrator-only preferences, though, since they will need to authenticate to use them, so there is no risk in giving access to System Preferences
If a user tries to launch an application that has not been allowed, an authorization dialog will appear, enabling an administrator to enter a user name and password in order to allow the application once or always. So, even if you haven’t authorized a helper application, you should be able to do so when the user needs it. (For more on application limits, see the sidebar on the next page.)
Content controls
Click the Content button to set controls for two types of content, that which is accessible from Dictionary, and that which users can access via Safari or other Web browsers.
Dictionary controls To prevent a user from reading the definitions of “certain words,” check the Hide Profanity in Dictionary box. The user will be able to look up these words, and will see a list of the words contained in the dictionary, but will not be able to access their definitions.
(While I understand that some parents and teachers may want to isolate users from disturbing words, the futility of such a procedure is evident. Nothing prevents users from looking up such words in a paper dictionary, at home or in the library, nor from searching for their definitions on the Web. Further, the fact that Dictionary still displays word lists (look up the most common word you can think of that should be blocked, and you’ll see it together with a list of combinations containing that word), makes this protection risible at best.)
Web site restrictions The Parental Controls preferences offer you limited restrictions for Web site access. These controls affect any program that accesses the Web, whether it is Apple’s Safari Web browser; other browsers such as Firefox; or even other applications that can access the Web, such as RSS readers. You have three options:
 |
| When Parental Controls blocks a Web site, you can add the site to the list of allowed sites. This gives users the ability to access sites that are incorrectly filtered as having adult content. |
By default, Apple includes a handful of kid-friendly sites, but you can add your own as well:
To add a folder, from the plus (+) button, choose Add Folder. You can name the folder as you like. To add a bookmark to that folder, click the folder to select it, then click the plus (+) button and choose Add Bookmark as in Step 2 above. For bookmarks already in the list, you can just drag them into the folder.
To remove an item from the allowed sites list, select it, then click the minus (-) button. This deletes the site or folder immediately.
Mail & iChat controls
Click the Mail & iChat button to restrict the selected user’s access to e-mail and chat features. All you can do here is limit which correspondents your user can e-mail or chat with via Apple’s Mail and iChat applications (it does not apply to other software). If you check Limit Mail and/or Limit iChat, you prevent the user from communicating with anyone other than those whose addresses you enter in the list below the checkboxes. The list acts as a whitelist; the user can send e-mail only to and receive e-mail only from addresses in the list.
If the user tries to send e-mail to someone who is not on this whitelist, an alert appears, telling the user that the message can’t be sent to that address. And if an e-mail message arrives from someone who is not on the whitelist, that message will be blocked until a parent authorizes it.
If you select one or both of the Limit Mail or the Limit iChat boxes, your next step is to add any desired correspondents to the whitelist:
At the bottom of the area that lists allowed correspondents, click the plus (+) button (pictured, below).
In the resulting “sheet” (a special type of dialog), there are two ways of working:
 |
| In the Mail & iChat section of the Parental Controls preference pane, click the plus (+) button to add a user to the whitelist. If you check Send Permission Requests To, you can enter your address to receive approval messages for all email addresses not in the whitelist. |
• If you think your correspondent is in Address Book, click the expansion triangle to view your Address Book contacts. You can enter a name in the search field to find any contacts that are in Address Book. If you find the contact you are looking for, select it and click the Add button.
This adds that contact to the list, and it allows the user to correspond with that contact via e-mail and iChat (if the contact’s e-mail address is a mac.com address, which can be used as an iChat identifier).
• If you can’t (or don’t wish to) use the Address Book option:
If you ever want to remove a contact from the list of allowed addresses, select it and click the minus (-) button.
You can also set an e-mail address to receive permission requests. These can be sent if your user attempts to exchange e-mail with someone not in the list of allowed contacts. A permission request contains the contents of the email your user is trying to send, with a header saying, “Is it OK for [user name] to send email to [recipient]?” You can click the Always Allow button to allow this message, and the user will receive an e-mail saying, “Apple Parental Control – Approved.” To work with permission requests, the person receiving them must be using Apple Mail in Mac OS X 10.4 Tiger or later.
To set up permission requests, at the bottom of the preference pane, check Send Permission Requests To, then enter the desired address.
E-mail and chat controls don’t cover all applications : The Mail & Chat controls explained here work only with Apple’s Mail and iChat. If your children use other programs for e-mail, or use webmail, or if they use other chat programs, these settings will have no effect. Count on most teenagers figuring this out pretty quickly.
Time Limits
In addition to all the limits I’ve just discussed—limits to system features, applications, Web content, e-mail, and chat—you can also set time limits so your user can access the Mac only for a limited amount of time on weekdays and on weekends. In addition, you can prevent access between certain times—between bedtime and morning, for instance—on school nights and on weekends. To access time limits, click the Time Limits button in the Parental Controls preference pane.
 |
| You can constrain when a user can use the Mac by configuring the Time Limits section of the Parental Control preferences. |
To apply Time Limits, be sure to select the user whose time you want to limit in the list at the left. Then, proceed through the settings at the right, limiting overall time spent on the Macintosh and when the computer may be used on weekend days and week days.
Logs
When you activate parental controls for a user, no matter what type of controls you apply, your Mac keeps a log of the Web sites that user visits. If you have content limitations set, it will also keep a list of sites that are blocked. If you have limited your user’s access to applications, it will list applications that the user has launched, as well as those that have been blocked, and if you have set limitations on iChat access, it will show all chat attempts made with people not in the user’s whitelist.
You can view these logs to see what your users have been accessing, and what has been blocked; for instance, this is useful if you want to know what Web sites they’ve been trying to visit. In the Parental Controls preference pane, select a user, click the Logs button, and then click one of the Log Collections, such as Websites Visited. You can filter the way this information is displayed, by choosing the duration and whether you want to see it by date or by site from the pop-up menus at the top of the Logs section.
To check out a Web site your user has visited, click it to select it, then click the Open button below. If you don’t like what you see, you can restrict that site—select it and click Restrict. (That button changes to Allow, so if you wish to remove the restriction later, you can do so by selecting that site and clicking Allow.)
 |
| You can check on which Web sites your kids have visited, or tried to visit, from the Logs section of the Parental Controls preference pane. |
You can do the same for applications that have been used or blocked; to change settings, just select an application and select Restrict or Allow.
You can also view logs of chats that users have carried out with others. Just click iChat, then click a name in the log, then click the triangle to view the chats. Double-click a chat, and iChat will open showing the contents of the chat. If you don’t want a user to be able to chat any more with a given contact, click the contact’s name and then click Restrict.
Remote management of Parental Controls
In Leopard, you can remotely manage parental controls for users on your Macintoshes. This is especially useful if you have several Macs at home, and don’t want to go to each computer to make changes, or if you want to glance at your kids’ activity logs and see what they’ve been up to.
To allow this remote management, you must set yourself up with an administrator account on each Mac that you want to manage remotely. And, on each Mac, to turn on remote management, open the Parental Controls preference pane and check Manage Parental Controls from Another Computer. Then, from the Action pop-up menu, choose Allow Remote Setup. Note that this setting applies to all accounts on the Mac.
To access the controls for remotely managing users on a different Mac, do the following:
Now, you can configure the parental controls for the selected user just as if you were in front of the managed Mac; you can even enable parental controls for those accounts where you have not yet done so. You can also view logs, so if you want to check up on what your kids are doing when you’re not able to look over their shoulders, you can do so. (I explained how to work with these controls earlier in this section, so flip back a few pages if you need directions.)
Sidebar: Application limits don’t always work
When setting up a managed account, if you check Only Allow Selected Applications, the user is initially allowed to use the programs in either Applications folder, but no utilities in the Utilities folder. This is one way to prevent users from fiddling with Disk Utility, which can be dangerous.
However, blocking access to individual programs doesn’t offer ironclad protection. Although it prevents users from opening applications by double-clicking them, other applications can still sometimes open blocked applications.
Here’s an example. If you don’t allow a user to run Safari, other programs will still be able to launch Safari. Safari could launch, for instance, if a user ran iTunes and clicked a Web link in the iTunes Store.
To fully protect access to certain software, but still allow supporting programs to run (which you may need to do, especially for games), you must do some sleight of hand. First, log in as an administrator. Then, in the Finder, select the application you want to block and choose File -> Get Info (Command-I). In the Info window, open Sharing & Permissions; you’ll see three names listed: System, Admin, and Everyone.
System is Mac OS X itself, when it needs to access applications. Admin is any administrator. Finally, Everyone means all other non-administrator users, be they managed users or guests. Click the lock at the lower right of the Info window to authenticate, then, from the Privilege pop-up menu for Everyone, choose No Access. Finally, close the Info window.
Now, only an administrator account can access the selected application, because you’ve blocked access for all non-admin users. You can always go back and change these permissions again, giving Everyone Read Only access.
Note that if you change permissions in this manner for specific applications, you may need to change them again after installing any updates. If you ever want to reset permissions on Apple applications, you can do so by repairing permissions with Disk Utility.
[ Kirk McElhearn contributes regularly to TidBits, Macworld, and iLounge, and he has written and co-written a dozen books about using the Mac. His latest is Take Control of Users & Accounts in Leopard ( TidBits Publishing, 2007). ]