Use iMazing Profile Editor (free) and make a profile that blocks the apps that should not be accessible - then obviously install the profile on the Mac; it needs an admin account to remove it.
 
Ok I'll be the one to say what probably everyone else is thinking. If your kid is so untrustworthy that you can't trust them to not fk about with your machine at this kind of deep level when your back is turned, I really don't think I'd let them use it unsupervised. I wouldn't rely on system privileges. When my kids were young enough to need restricted access, I really only used the restricted-access controls so they couldn't mess something up by accident, or view online content which was not appropriate for their age, not to prevent them from deliberately trying to corrupt my system.
 
Ok I'll be the one to say what probably everyone else is thinking. If your kid is so untrustworthy that you can't trust them to not fk about with your machine at this kind of deep level when your back is turned, I really don't think I'd let them use it unsupervised. I wouldn't rely on system privileges. When my kids were young enough to need restricted access, I really only used the restricted-access controls so they couldn't mess something up by accident, or view online content which was not appropriate for their age, not to prevent them from deliberately trying to corrupt my system.
No, that's not the case here. The kid is not going to destroy the computer. The situation is that the kid should be paying attention to class and not goofing off on Chrome with incognito mode. The issue being that by using the terminal, they can re-enable incognito mode for Chrome, and goof off. Chrome is required for schoolwork.
 
Did I miss the part where he said this was on a computer used in class, not at home? If so then fair enough.
But this seems more of a trust issue than something we should expect system restrictions to solve without issue.
If the student abuses his privileges, then take those privileges away. Can't do your work because daddy took the T-bird away? Well, whose fault is that? Sometimes they have to learn the hard way.
Just my opinion of course.
 
Did I miss the part where he said this was on a computer used in class, not at home? If so then fair enough.
But this seems more of a trust issue than something we should expect system restrictions to solve without issue.
If the student abuses his privileges, then take those privileges away. Can't do your work because daddy took the T-bird away? Well, whose fault is that? Sometimes they have to learn the hard way.
Just my opinion of course.
That is totally unnecessary, and you teach nothing to the kid. As a sysadmin, I have seen countless grown-ups and professionals with the exact same desire for freedom - you can't just stop that. The trick is to block/allow the apps or system access that you need for each user, and this way you teach them that you get the tools/access that you need for your position/work. That's much better in their head than just taking their toy away. And system restrictions work way better than you think. All major companies are now moving away from server-controlled systems to MDMs for a reason.
 
That is totally unnecessary, and you teach nothing to the kid. As a sysadmin, I have seen countless grown-ups and professionals with the exact same desire for freedom - you can't just stop that. The trick is to block/allow the apps or system access that you need for each user, and this way you teach them that you get the tools/access that you need for your position/work. That's much better in their head than just taking their toy away. And system restrictions work way better than you think. All major companies are now moving away from server-controlled systems to MDMs for a reason.
There's a difference here in my mind between a student's computer and an enterprise-computer in a work environment which (like my work's PC I'm currently typing on) has privileges purposefully restricted to comply with company IT requirements, assist with protecting this PC from external threats, and also to an extent to protect me from accidentally misusing my device in a way which breaches company policy.

That said, fully agree in restricting privileges on the student's computer to help to enforce compliance, where possible, that's logical, but, I maintain there is (potentially) a trust issue here. As for taking toys away, of course, a last resort. But the student has to understand that misuse has repercussions. You say it teaches them nothing... well, that's what it teaches them: consequences. No point having bland consequences which don't act as a deterrent.

I accept this is something we're probably not going to agree on because we're looking at it from completely different perspectives.
 
Thanks.

Since I don't see a group listed like 'wheel' or 'admin', I'll next need to compare your groups with those of your child. The command for that is:
Code:
id CHILD
where CHILD is the short username of the child's account. Please post the output of the command.

uid=505(CHILD) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator),704(com.apple.sharepoint.group.3),705(com.apple.sharepoint.group.4)

Finally, could you clarify this:

Are you saying that Terminal commands issued by a non-admin user will change global settings for Chrome when it's used by all other users? Or does it only affect that user's Chrome settings?

If it's the former, then that seems like a serious security flaw. Even if all the Mac accounts are sharing a Chrome profile, that just seems like a design flaw that's asking for trouble.

If it's the latter, i.e. only affecting the user who used the Terminal commands, then at least the problem is limited in scope. It's one thing to alter one's own sandbox, but quite another to alter the sandboxes of everyone else in the world.
I think that it just makes changes for that user's Chrome settings? For instance, if I disable Incognito Mode in Chrome from my admin account, it doesn't do that globally for all users of Chrome on the computer. So I'd need to do that in their user account. But that also means, if they can find the right commands to undo those settings, and have access to Terminal, they can run them and it doesn't require any admin privileges to do it.
 
It depends on what the Terminal commands are. For example, if Chrome uses the defaults system in addition to its own files, then things get hairier.

Also, it might be necessary to lock directories, not just files, for reasons outlined above. But that then leads to a regress of locking, all the way up to the home dir, and locking that dir seems unlikely to work out.
The defaults command is involved.
 
There's a difference here in my mind between a student's computer and an enterprise-computer in a work environment which (like my work's PC I'm currently typing on) has privileges purposefully restricted to comply with company IT requirements, assist with protecting this PC from external threats, and also to an extent to protect me from being falsely blamed for misusing my device in a way which breaches company policy.

That said, fully agree in restricting privileges on the student's computer to help to enforce compliance, where possible, that's logical, but, I maintain there is (potentially) a trust issue here. As for taking toys away, of course, a last resort. But the student has to understand that misuse has repercussions. You say it teaches them nothing... well, that's what it teaches them: consequences. No point having bland consequences which don't act as a deterrent.

I accept this is something we're probably not going to agree on because we're looking at it from completely different perspectives.
It's a computer at home that's used for schoolwork. I'm not trying to put the child in a cocoon or a straightjacket, just trying to put some restrictions in place that help them stick to schoolwork and remove the temptation to goof off (and hide it with private browsing) when they should be working.
 
I was able to do this by following the Screen Time instructions posted above. I set downtime to on, and did not provide a time limit for Terminal. I don't use Chrome, but allowed a time limit for Safari. It worked fine. You couldn't open Terminal or any other app without a limit.
 
It's a computer at home that's used for schoolwork. I'm not trying to put the child in a cocoon or a straightjacket, just trying to put some restrictions in place that help them stick to schoolwork and remove the temptation to goof off (and hide it with private browsing) when they should be working.
Totally roger that, and the OS definitely has ways to help you do that. Absolutely no way am I trying to tell you how to parent, but some things are just down to parent-child trust with the threat of reasonable yet impeding consequences if that trust is broken. That's how I handled it, along with of course setting up the managed accounts which restricted what they could do. Maybe I was just lucky my kids respected the trust I put in them to use the computer properly.
 
Totally roger that, and the OS definitely has ways to help you do that. Absolutely no way am I trying to tell you how to parent, but some things are just down to parent-child trust with the threat of reasonable yet impeding consequences if that trust is broken. That's how I handled it, along with of course setting up the managed accounts which restricted what they could do. Maybe I was just lucky my kids respected the trust I put in them to use the computer properly.
We've had some ongoing discussions. They're not unaware of their tendencies and bad habits and we've agreed to some things like time limits on social media and downtime after bedtime or during the school day. Our approach is that we're trying to help them stay focused and not overindulge and develop better habits so that when they have complete control over this stuff one day, they can self-police. But kids are kids and are sometimes too clever by half and it got to where I needed to tighten a couple of things up and ward off workarounds.
 
uid=505(CHILD) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator),704(com.apple.sharepoint.group.3),705(com.apple.sharepoint.group.4)
The groups are nearly the same as yours. The only difference is you have 501(access_bpf) and CHILD doesn't. Unfortunately, I don't see a way to turn that into something useful.

I'm not familiar with how Monterey manages group membership, but if you can add 'titan' to the 'wheel' group, then a permissions change to Terminal.app would give the desired block. On my computers, my admin accounts have been a member of 'wheel' since 10.0, when I added it manually, and I haven't had to do many adjustments since then.


The above mention of iMazing Profile Editor made me think of Apple Configurator 2, which is another tool for editing profiles. There's a lot of configurable capability in profiles, but I've never had to delve into them.
I know there are threads on MacRumors about it, too.
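
The group comparison described in the post above, as an added example that is not part of the original thread: it parses two lines of `id` output, lists the groups only one account has, and checks for the 'admin' or 'wheel' membership the post looks for. The function names are hypothetical, and the parent line is constructed from the thread's description (the child's groups plus 501(access_bpf)) with a made-up uid.

```shell
#!/bin/sh
# Added example: compare group memberships taken from two lines of `id` output.

# CHILD_ID is the output posted in the thread. PARENT_ID is constructed from
# the thread's description (same groups plus 501(access_bpf)); its uid is made up.
CHILD_ID='uid=505(CHILD) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator),704(com.apple.sharepoint.group.3),705(com.apple.sharepoint.group.4)'
PARENT_ID='uid=502(titan) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator),704(com.apple.sharepoint.group.3),705(com.apple.sharepoint.group.4),501(access_bpf)'

# Print one "gid name" pair per line, sorted, from one line of `id` output.
# Assumes group names contain no spaces or commas.
groups_of() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        sed 's/^\([0-9][0-9]*\)(\(.*\))$/\1 \2/' |
        LC_ALL=C sort
}

# Print the groups that the first account has and the second does not.
only_in_first() {
    first=$(mktemp) second=$(mktemp)
    groups_of "$1" > "$first"
    groups_of "$2" > "$second"
    LC_ALL=C comm -23 "$first" "$second"
    rm -f "$first" "$second"
}

# Succeed if the account is in an administrative group:
# 'admin' (gid 80 on macOS) or 'wheel' (gid 0).
is_admin() {
    groups_of "$1" | grep -Eq '^(80 admin|0 wheel)$'
}

echo "Groups only the parent account has:"
only_in_first "$PARENT_ID" "$CHILD_ID"
echo "Groups only the child account has:"
only_in_first "$CHILD_ID" "$PARENT_ID"
for line in "$PARENT_ID" "$CHILD_ID"; do
    user=$(printf '%s\n' "$line" | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/')
    if is_admin "$line"; then
        echo "$user: member of admin or wheel"
    else
        echo "$user: not in admin or wheel"
    fi
done
```

On a live Mac, replace the two sample strings with `$(id titan)` and `$(id CHILD)` to compare the real accounts.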
 
This thread deals with the News app but probably applies equally to Terminal.app

https://forums.macrumors.com/thread...ed-list-with-news-app-app-still-runs.2226594/
chflags and chmod can’t be used in Monterey on system apps because they are on that stupid Signed System Volume.
Unless you are willing to do this https://forums.macrumors.com/thread...tem-volume-as-writeable.2332937/post-30822017

The above mention of iMazing Profile Editor made me think of Apple Configurator 2, which is another tool for editing profiles.
Doesn’t work on macOS to restrict access to apps, only on iOS.
"blockedAppBundleIDs
[string]
If present, prevents bundle IDs listed in the array from being shown or launchable. Include the value com.apple.webapp to restrict all webclips. Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later."
https://developer.apple.com/documentation/devicemanagement/restrictions
 
Did I miss the part where he said this was on a computer used in class, not at home? If so then fair enough.
But this seems more of a trust issue than something we should expect system restrictions to solve without issue.
If the student abuses his privileges, then take those privileges away. Can't do your work because daddy took the T-bird away? Well, whose fault is that? Sometimes they have to learn the hard way.
Just my opinion of course.
Not sure if you don’t have kids, or are naive enough to think you know everything that’s happening when you aren’t looking. I don’t know how old the child is here, but personally I’d be worried about a teenager that isn’t straining against their shackles more than one who is. Parental Controls exist for a reason in most OSes, and “you’re going to use this for schoolwork, not fun” is a big reason. The problem here is that Chrome opened a hole through them and Chrome is non-negotiable.

Frankly the reason for wanting to disable Terminal isn’t the question here, how to do it is.
 
You can try disabling System Integrity Protection (doable from the Recovery Mode only)
csrutil disable

then you can move Terminal somewhere in your user library or restrict access

And enable System Integrity Protection back (yep, from the Recovery Mode)
csrutil enable
 
Not sure if you don’t have kids, or are naive enough to think you know everything that’s happening when you aren’t looking. I don’t know how old the child is here, but personally I’d be worried about a teenager that isn’t straining against their shackles more than one who is. Parental Controls exist for a reason in most OSes, and “you’re going to use this for schoolwork, not fun” is a big reason. The problem here is that Chrome opened a hole through them and Chrome is non-negotiable.

Frankly the reason for wanting to disable Terminal isn’t the question here, how to do it is.
If you read my other posts on this thread you'll see that when my own children were young enough to need managed access, I managed perfectly well using a mixture of the account-restriction facilities built into macOS, along with a trust between us that they wouldn't attempt to purposefully abuse their privileges. If Chrome is the only sticking point here because it effectively bypasses the account restrictions, then don't let them use Chrome if you feel they'll be too tempted to abuse it.
 
We've had some ongoing discussions. They're not unaware of their tendencies and bad habits and we've agreed to some things like time limits on social media and downtime after bedtime or during the school day. Our approach is that we're trying to help them stay focused and not overindulge and develop better habits so that when they have complete control over this stuff one day, they can self-police. But kids are kids and are sometimes too clever by half and it got to where I needed to tighten a couple of things up and ward off workarounds.
Sounds like a great approach to me :)
 
The groups are nearly the same as yours. The only difference is you have 501(access_bpf) and CHILD doesn't. Unfortunately, I don't see a way to turn that into something useful.

I'm not familiar with how Monterey manages group membership, but if you can add 'titan' to the 'wheel' group, then a permissions change to Terminal.app would give the desired block. On my computers, my admin accounts have been a member of 'wheel' since 10.0, when I added it manually, and I haven't had to do many adjustments since then.


The above mention of iMazing Profile Editor made me think of Apple Configurator 2, which is another tool for editing profiles. There's a lot of configurable capability in profiles, but I've never had to delve into them.
I know there are threads on MacRumors about it, too.
I'm tinkering with iMazing Profile Editor but having some trouble getting it to install the profile. Working with their support people to see what's up.
 
I'm tinkering with iMazing Profile Editor but having some trouble getting it to install the profile. Working with their support people to see what's up.
The answer is in #40
"Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later."
 
I think that's for Apple Configurator. iMazing Profile Editor lets you manage macOS devices.
Apple sets the rules for macOS, iOS and tvOS; profile apps can create profiles based on those rules. You can install a profile that restricts access to an app on macOS, but it will have no effect because macOS does not recognize that restriction.
iMazing uses the same ProfileManifests as ProfileCreator https://github.com/ProfileCreator/ProfileManifests
Searching for blockedAppBundleIDs now returns Manifests/ManifestsApple/com.apple.applicationaccess-tvOS.plist and Manifests/ManifestsApple/com.apple.applicationaccess-iOS.plist https://github.com/ProfileCreator/ProfileManifests/search?q=blockedAppBundleIDs
 