Recently I woke up and my daughter was sitting on me watching something on the iPad. As I woke ever so slightly I realized that she was watching Transformers the movie on Netflix. I’m not typically a helicopter dad, hovering over her every move, but I did realize amidst the explosions that ya’, I might want to take some of the things I learned writing the book on locking these things down
and put a few very basic measures in place to keep her from seeing something she shouldn’t. After all, she’s gotten about as good at navigating around the thing as I am (and these days she’s getting pretty acclimated with iOS 7).
So let’s look at some basic precautions that parents can take to keep their kids sandboxed into just the material they feel confident with. For starters, the built-in security precautions. These are basically all in the Security app and each comes with repercussions that I’ll go into with each step, so you can decide for yourself if you actually give a crap about them.
The nuclear option is to enable a passcode so the child can only use the device when supervised. I did not do this myself for the home iPad for a variety of reasons: sometimes she locks the device while I’m driving, sometimes she wants to use the device when she wakes up at 6am after I was up hacking stuff ’till 4am and well, because I want the device to be as much hers as mine. So I don’t want to enable a passcode that the she does not know, but you might.
To set a passcode, open the Settings app from the home screen and tap on General in the Settings sidebar (or to not setup a passcode, skip to the next section).
Or to lock the screen when the iOS device goes to sleep, tap Passcode Lock.
If you’re going to enable a passcode, at the Passcode Lock screen, tap on Turn Passcode On and when prompted provide the passcode.
Once you’ve enabled a passcode it’s worth noting that if the passcode is entered improperly too many times the device will be wiped. However, it’s now encrypted and meets certain policy restrictions (e.g. if you use it with an Exchange server at work as well).
Restrictions allow you to disable various features of iOS, including Safari, the Camera, FaceTime, iTunes, iBookstore, App Store, App deletion, Siri and even using explicit language with poor Siri. Additionally, you can control what kind of media can be purchased on the iTunes store. To get started, tap on Restrictions in the General app.
Here, you will see that pretty much everything is allowed by default. You have the option to disable very specific items.
When you enable Restrictions you will be prompted for a Passcode, which can be used to override or disable the restrictions at a later date. This, clearly, you wouldn’t want to share with the child.
Tap Enable Restrictions and note that we’re going to go ahead and enable a few and then postpone a couple of others until the end of the article because they will keep us from completing steps we want to complete later. The restrictions many will want to enable (which disables the feature):
Note: You can also lock the volume level here, although I usually don’t with ours as it just causes problems/arguments and a general desire not to use headphones, which I have a general desire to be used when watching many of her shows.
Another Note: You can browse content that you’ve blocked but not purchase/download that content, so know that if you’re not going to put a passcode on devices, or hide them when children aren’t supposed to use them.
- Safari: It’s not that we don’t want the kids using the web, we just want them to use a specific web browser we give them that doesn’t allow them to screw around.
- Explicit Language: The kids shouldn’t be able to tell siri to use bad words, and trust me, they will if you don’t disable this.
- Deleting Apps: This is more for us. Kids figure out how to do the wackiest things by accident. Including how to delete their favorite Angry Birds app and then crying for you to reinstall it (since later in this article we’re disabling the ability to install apps).
- Music & Podcasts: Move to the Off position to block the device from playing content that is marked as Explicit.
- Movies: I chose to uncheck all but G and PG. You may choose to allow PG-13 or disable PG. These options are different in other countries.
- TV Shows: I chose to allow TV-PG and below. Some of the Saturday morning cartoons have a much higher rating than you might think.
- Books: Move to the Off position to disable the ability for the device to open Explicit Sexual Content.
- Apps: I chose to use 9+ although this is almost a non-issue as we’ll be disabling the App Store later in this article.
- In-App Purchases: I turn this off more so I don’t get random emails from the iTunes Store about buying add-ons for Angry Birds than anything else.
- Require Password: I don’t usually change this option.
- Accounts: I don’t allow changes on my daughters iPad.
Once you’ve enabled all the restrictions you’d like, leave the Restrictions portion of the General app and then go back in, just to verify that the passcode you used earlier still works. Also note that the Accessibility options can be great for those with disabilities, but I usually don’t enable any of them otherwise.
Remove Your Stuff
Still in the Settings app, tap on Mail, Contacts , Calendars. Now this is painful as it basically means that no, the iPad isn’t really yours like you thought it was, but remove your mail accounts. Otherwise, the kids will send mail to the entire Mac Enterprise list like mine did a few years ago. Yup, it will happen and thousands of people will laugh at you (or in my case they’ll just laugh at you more than usual). Once removed the Mail, Contacts, Calendars screen in the Settings app will just show you an option to “Add Account…” as seen here.
Also don’t forget that Facebook, Twitter, Instagram and all the other awesome reasons you bought the thing can end up getting photobombed with pictures she took while sitting in the back seat, tinkering around with Photo Booth. I actually don’t mind these with random characters or pictures my daughter posts of her tinkering with the camera app, so I don’t bother removing them, it’s more email specifically and only because you never know who she’s gonna’ hit up there.
Netflix is one of those funny places where children can spend hours, and while enamored with poster frames of interesting shows, kids can see things you might not want them to see. You can install an App and people can log into each profile and see a queue of shows, but also shows that they might be interested in. Profiles are not password protected, so users can select whichever profile they choose. But, it’s a start. I like to associate a different image with each user. To setup profiles, log into Netflix, hover the mouse over your name and then click on Manage Profiles. Here, create each desired profile and for any children who you want to try and limit, click Edit and then check the “This is a profile for kids under 12” checkbox.
Note: Profiles have a side benefit which is that you don’t see My Little Pony on your queue and your child doesn’t see Sacha Baron Cohen movies in their queue.
I also like to assign an image for each (click the red image in the lower right corner of the avatar for each user to select their own image. Make sure the whippersnapper knows which image they’re to use, and it will be awhile before they realize they can just switch profiles if something’s blocked and they want to watch it. It will be punishment enough logging into a profile that doesn’t have a bunch of cartoons on it (okay mine does) so they won’t want to use anyone elses profile.
Once you’re done you’ll get a cute login prompt on the device, when you log into Netflix.
Anyway, next is the hard part, move all the stuff you want to watch to your profile and leave the kid stuff in their profile (after all, I’m sure that like me they have more crap in their queue than you do!). I did this by having the iPad in my hand and a laptop. I looked at the list on the iPad to see what I wanted to add to my own queue (whoops, they call them lists now) and deleted things from the other profile with the iPad.
Next, we’ll perform one small change in the Settings for the Netflix app. Open the Settings app and scroll down in the sidebar until you see Netflix. Tap it and then turn the Wi-Fi Only option on.
This keeps you from getting an insanely high bill when the kids decide to watch Netflix using your data plan.
Install a Browser
Next, let’s install a browser so they can use the web with a little filter on it. Using a different browser means a slightly different look and feel, but it means we can limit what they’re able to use. To get started, open the App Store on the iOS device. Then, tap K9 in the search bar and install.
Once installed, try to browse a site you know to be just wrong for the kido from within the browser. Once you see the blocked page, you know you’re good.
K9 is a browser that is provided free of charge (well, there’s an ad bar that you can in app purchase to get rid of for $2.99 but close to free!) from Blue Coat, a company that makes proxy servers that filter and track internet traffic. I’m a big fan of their products and if you happen to do IT in a school district or company it might not be a bad idea to check their stuff out as well!
Now, many kids won’t need a web browser, but since you can’t access YouTube without it, you’ll end up needing one eventually. Once you’ve installed a browser it’s time to disable access to Safari. By disabling Safari you limit accessing the web to the K9 browser. To do so, open the Settings app again and tap on Restrictions.
From the Restrictions option in the Settings app, tap Off for Safari.
Then just close Safari and the app will disappear from the home screen.
Disable the App Store
Once you’ve purchased the K9 browser and all the fun games and educational whatnot that your children should have, it’s time to disable the App Store so that no further apps can be installed, such as another browser to bypass the K9 browser previously installed. To do so, open Settings app, tap General and then tap on Restrictions.
From Restrictions simply move the slider for Installing Apps to the Off position.
Close the Settings app and the App Store icon will disappear from the home screen.
Enable Guided Access (aka Kiosk Mode)
Guided Access locks a user inside a single app. Only use this if you want to hand a kid an iPad that’s in an app and not let them close the app. If you use Guided Access you likely don’t need any of the other restrictions we mentioned in this article; however, every time the kid wants to switch apps you’re going to need to provide a pin code and then open another app and then enable Guided Access mode again, which could get pretty darn annoying after awhile.
Using Guided Access is a two part process. First, enable Guided Access, which does little except set a passcode. It’s never a bad thing to enable Guided Access although I’ve seen a kid set a passcode accidentally and the device had to get wiped to undo it. Oh, did I mention, you don’t want to forget that passcode? Once enabled, we’ll restrict access to the app we no longer want users to be able to leave. Once enabled, the app is locked open until the passcode is tapped.
To enable Guided Access, open the Settings app and tap on General. Scroll down until you see Accessibility.
From the Accessibility screen, tap Guided Access.
From the Guided Access screen, tap ON.
Once enabled, you will invariably want to set a passcode (otherwise, why bother?). To do so, tap Set Passcode.
When prompted, provide a passcode.
For children I usually tap Enable Screen Sleep, which allows the device to go to sleep; however I don’t usually do so when setting these things up to actually be in a kiosk. Once you’re happy with the settings, close the app and Guided Access is working. Next, open an app and then triple-click the home button. A screen will open that allows you to Enable Guided Access, tap that from within the app you’d like to enable Guided Access for and viola, the app is locked open. Now, you can also disable certain parts of the screen and whether or not the app allows shaking the device, etc. But I find that can be a bit difficult so I don’t typically use that feature.
Once you’re done with the app, to disable Guided Access, simply triple-click on the home button again, provide the passcode and tap Disable for Guided Access to close. Managing Guided Access is difficult and I find it best for toddlers or bigger kids that might be finding themselves not-to-be-trusted for a short period of time. I mentioned this earlier, but don’t forget the passcode you use to enable Guided Access or you might find yourself wiping the device by the time all is said and done.
Use Safe DNS Servers
You can use a service like OpenDNS.com to control what Internet addresses that a device can access. To do so, first go to https://store.opendns.com/familyshield
and sign up for the free account (unless you want the bells and whistles with their paid accounts).
Open the Settings app and then tap on Wi-Fi in the sidebar. From the Wi-Fi screen, enter 126.96.36.199 and 188.8.131.52 in the DNS field.
Once you enter the DNS servers, close the Settings app. Then close and re-open your browser to delete the cache and open it again to see if the new settings are blocking the naughty sites.
Get a Case
Okay, so none of this is going to matter one little bit the next time the little devil decides to throw a temper tantrum. You know that shirt that says “I’m why mommy and daddy can’t have nice things” is way cheaper than an iPad, but still we let the little tykes play with the things. If we’re gonna’ do that, might as well get a good case for the thing. Otterbox
makes good water and shock absorbent cases, as well as others.
Just so you don’t have to re-download all the movies you’ve bought to keep the little Cheerio-eaters busy, configure these settings again, etc. you should make a backup of the device. I wrote that up a long time ago at http://www.krypted.com/?p=8319
but it’s worth noting that you want to encrypt these backups so everything is captured.
Find My iPad/iPhone
Find My iPhone allows you to track the whereabouts of your iPhone, iPad and iPod Touch. To enable, first turn on iCloud if you haven’t already. To do so, open The Settings app and tap on iCloud in the sidebar. Enter the Apple ID you use to buy software along with the Password and then tap Sign In.
Once added, if you don’t want to sync mail, contacts, calendars, etc then flip their sliders from the ON to the OFF position. Set Find My iPad to On (or Find My iPhone if it’s not an iPad). Close the app and within a few shakes you’ll be able to track the whereabouts of devices.
Once installed, install the Find My iPhone app and log into your iCloud account or use your iCloud account to log into the MobileMe site.
When you install Find My iPhone from the App Store, you’ll use an iCloud account to view where the devices are. Mine aren’t really available in the following screen because I suck and wrote this on an airplane. But whatever… Either way, you can now chase down the bully that stole your darlings iPad and beat them with the folded up stroller, running over them four or five times in your Prius. Or maybe that’s just me. But you can’t do it on an airplane. Sorry.
Get Advanced with Profiles
You can actually lock down a lot of what iOS can do. A lot more than what’s available in the GUI. To do so, you would use something known as a profile. These can control the options we discussed in much of this article. But they can also lock down options that you didn’t even know were available, such as disabling apps not otherwise removable and locking users out of certain features of devices.
Profiles are created manually and installed via USB or email using Apple Configurator
, which I co-authored a book on, available here
, or they can be deployed via an MDM solution, such as Apple’s Profile Manager
or some really enterprise class ones such as Casper MDM. This is much more advanced than what I intended to write here, but I’ve written a lot about MDM over the years as have others, so feel free to dive into that if you deem it necessary.
Check On the Device Routinely
No matter what you do, the device can be reset back to factory defaults and set back up. You don’t have to worry about younger kids searching the Internet and finding how to do it (like here on Apple’s site
). But with older kids, check out the device every now and then and just make sure your parental controls are still in place.
This article is really meant to be an a la cartè listing of things you can do. If the kid is young enough, they’re not going to try to do anything on purpose but the older the child the more likely they will try to break out of the sandboxed environment you’ve created, if only because they see it as a challenge or simply because they can (kindof like when my daughter writes on the wall). But that isn’t to say that you shouldn’t try to do something. And what you do should be age appropriate with an eye on not letting them spend too much of your money on apps or too much of their time on the devices.
Don’t Do Too Much
But don’t do too much. Especially if the kids are older. If you do too much, then the kidos have a tendency to try and break the sandbox you build. Oddly, the less the restrictions the less they’ll try and break them. This isn’t so much an issue with the really young ones (think kindergarten and below) but as they get older it’s a bit more of a problem.
Also, keep in mind that the devices are meant to allow for a maximum level of creativity. The more you allow to happen on the device, the more creativity you may allow for. Whatever’s appropriate for the age and knowledge level of your little one!
krypted September 3rd, 2013
Posted In: iPhone, Network Infrastructure, personal
biff tannen, childproof iphone, DNS, general, ios, iPad, kindergarten, lock, love, nuclear, passcode lock, passcodes, Restrictions, settings
File Services are perhaps the most important aspect of any server because file servers are often the first server an organization purchases. There are a number of protocols built into OS X Mountain Lion Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined comprise the File Sharing service in OS X Mountain Lion Server.
File servers have shares. In OS X Mountain Lion Server we refer to these as Share Points. By default:
- File Sharing has some built-in Share Points that not all environments will require.
- Each of these shares is also served by AFP and SMB, something else you might not want (many purely Mac environments might not even need SMB). Or if you have iOS devices, you may only require WebDAV sharing.
- Each share has permissions that Apple provides which will work for some but not all.
In short, the default configuration probably isn’t going to work for everyone. Therefore, before we do anything else, let’s edit the shares to make them secure. The first step is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server.
In our example configuration we’re going to disable the Groups share. To do so, click on Groups one time and then click on the minus button on the screen.
As mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share.
When you’ve disabled SMB, click on the Done button to save the changes to the server. Next, we’re going to create a new share for iPads to be able to put their work, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first we’re going to create a directory for the share to live in on the computer, in this case in the /Shared Items/iPads directory. Then from the File Sharing pane in Server app, click on the plus sign (“+”).
At the browse dialog, browse to the location of your iPad directory and then click on the Choose button.
At the File Sharing pane, double-click on the new iPads share.
At the screen for the iPads share, feel free to edit the name of the share (how it appears to users) as it by default uses the name of the directory for the name of the share. Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should be able to have permission to access the share. Also, change the groups in the list that should have access by double-clicking on the name of the group and providing a new group name or clicking on the plus sign to add a user or group.
The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option as if there is no ACE (Access Control Entry) for the object then No Access is assumed.
If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions.
As can be seen, there are a number of other options that more granularly allow you to control permissions to files and directories in this view.
Once you have provided all of the appropriate users access to the share, go back to the settings for the share and scroll to the bottom of the screen.
Here, you have the option to set which protocols the share is accessible through (AFP, SMB & WebDAV) as well as make the share accessible to guests (only do this if the share should be publicly accessible) and make the share an option for home folders. Click Done once you’ve configured the share appropriately.
Once a share has been made an option for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.
Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service.
The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing.
To create a share point for AFP you can use the following command:
sharing -a -A
So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:
sharing -a /Shares/Public -A PUBLIC
Now, the -a here will create the share for AFP but what if you want to create a share for other protocols? Well, -F does FTP and -S does SMB. Once created you can disable the share using the following command:
sharing -r PUBLIC
To then get a listing of shares you can use the following command:
You can use the sharing command to enable FTP for various share points. To do so, enable FTP using the Server app and then use the instructions at this site to manage FTP on shares: http://krypted.com/mac-os-x/ftp-on-lion-server
You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service:
sudo serveradmin settings sharing
To see settings for the services use the serveradmin command with the settings option followed by the services: afp and smb:
sudo serveradmin settings afp
To see a run-down of some of the options for afp, see this article I did previously
. Additionally, for a run-down of smb options, see this one
krypted August 8th, 2012
Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment
Command line, enable WebDAV, file sharing, Mac OS X, Mac OS X Client, macs, mountain lion server, os x, os x mountain lion server, OS X Server, public, serveradmin, settings, settings sharing, Sharing