Use iMazing Profile Editor (free), and make a profile that blocks the apps that you need not having access to - then obviously install the profile to the mac, it needs an admin account to remove it.
No, that's not the case here. The kid is not going to destroy the computer. The situation is that the kid should be paying attention to class and not goofing off on Chrome with incognito mode. The issue being that by using the terminal, they can re-enable incognito mode for Chrome, and goof off. Chrome is required for schoolwork.
Ok I'll be the one to say what probably everyone else is thinking. If your kid is so untrustworthy that you can't trust them to not fk about with your machine at this kind of deep level when your back is turned, I really don't think I'd let them use it unsupervised. I wouldn't rely on system privileges. When my kids were young enough to need restricted access, I really only used the restricted-access controls so they couldn't mess something up by accident, or view online content which was not appropriate for their age, not to prevent them from deliberately trying to corrupt my system.
That is totally unnecessary, and you teach nothing to the kid. As a sysadmin, I have seen countless grown-ups and professionals with the exact same desire for freedom - you can't just stop that. The trick is to block/allow the apps or system access that you need for each user, and this way you teach them that you get the tools/access that you need for your position/work. That's much better in their head than just take their toy away. And system restrictions work way better than you think. All major companies are now moving away from server controlled systems to MDMs for a reason.
Did I miss the part where he said this was on a computer used in class, not at home? If so then fair enough.
But this seems more of a trust issue than something we should expect system restrictions to solve without issue.
If the student abuses his privileges, then take those privileges away. Can't do your work because daddy took the T-bird away? Well, whose fault is that? Sometimes they have to learn the hard way.
Just my opinion of course.
There's a difference here in my mind between a student's computer and an enterprise-computer in a work environment which (like my work's PC I'm currently typing on) has privileges purposefully restricted to comply with company IT requirements, assist with protecting this PC from external threats, and also to an extent to protect me from accidentally misusing my device in a way which breaches company policy.
That is totally unnecessary, and you teach nothing to the kid. As a sysadmin, I have seen countless grown-ups and professionals with the exact same desire for freedom - you can't just stop that. The trick is to block/allow the apps or system access that you need for each user, and this way you teach them that you get the tools/access that you need for your position/work. That's much better in their head than just take their toy away. And system restrictions work way better than you think. All major companies are now moving away from server controlled systems to MDMs for a reason.
Thanks.
Since I don't see a group listed like 'wheel' or 'admin', I'll next need to compare your groups with those of your child. The command for that is:
Code:
id CHILD
where CHILD is the short username of the child's account. Please post the output of the command.
I think that it just makes changes for that user's Chrome settings? For instance, if I disable Incognito Mode in Chrome from my admin account, it doesn't do that globally for all users of Chrome on the computer. So I'd need to do that in their user account. But that also means, if they can find the right commands to undo those settings, and have access to Terminal, they can run them and it doesn't require any admin privileges to do it.
Finally, could you clarify this:
Are you saying that Terminal commands issued by a non-admin user will change global settings for Chrome when it's used by all other users? Or does it only affect that user's Chrome settings?
If it's the former, then that seems like a serious security flaw. Even if all the Mac accounts are sharing a Chrome profile, that just seems like a design flaw that's asking for trouble.
If it's the latter, i.e. only affecting the user who used the Terminal commands, then at least the problem is limited in scope. It's one thing to alter one's own sandbox, but quite another to alter the sandboxes of everyone else in the world.
The defaults command is involved.
It depends on what the Terminal commands are. For example, if Chrome uses the defaults system in addition to its own files, then things get hairier.
Also, it might be necessary to lock directories, not just files, for reasons outlined above. But that then leads to a regress of locking, all the way up to the home dir, and locking that dir seems unlikely to work out.
It's a computer at home that's used for schoolwork. I'm not trying to put the child in a cocoon or a straightjacket, just trying to put some restrictions in place that help them stick to schoolwork and remove the temptation to goof off (and hide it with private browsing) when they should be working.
There's a difference here in my mind between a student's computer and an enterprise-computer in a work environment which (like my work's PC I'm currently typing on) has privileges purposefully restricted to comply with company IT requirements, assist with protecting this PC from external threats, and also to an extent to protect me from being falsely blamed for misusing my device in a way which breaches company policy.
That said, fully agree in restricting privileges on the student's computer to help to enforce compliance, where possible, that's logical, but, I maintain there is (potentially) a trust issue here. As for taking toys away, of course, a last resort. But the student has to understand that misuse has repercussions. You say it teaches them nothing... well, that's what it teaches them: consequences. No point having bland consequences which don't act as a deterrent.
I accept this is something we're probably not going to agree on because we're looking at it from completely different perspectives.
Totally roger that, and the OS definitely has ways to help you do that. Absolutely no way am I trying to tell you how to parent, but some things are just down to parent-child trust with the threat of reasonable yet impeding consequences if that trust is broken. That's how I handled it, along with of course setting up the managed accounts which restricted what they could do. Maybe I was just lucky my kids respected the trust I put in them to use the computer properly.
It's a computer at home that's used for schoolwork. I'm not trying to put the child in a cocoon or a straightjacket, just trying to put some restrictions in place that help them stick to schoolwork and remove the temptation to goof off (and hide it with private browsing) when they should be working.
We've had some ongoing discussions. They're not unaware of their tendencies and bad habits and we've agreed to some things like time limits on social media and downtime after bedtime or during the school day. Our approach is that we're trying to help them stay focused and not overindulge and develop better habits so that when they have complete control over this stuff one day, they can self-police. But kids are kids and are sometimes too clever by half and it got to where I needed to tighten a couple of things up and ward off workarounds.
Totally roger that, and the OS definitely has ways to help you do that. Absolutely no way am I trying to tell you how to parent, but some things are just down to parent-child trust with the threat of reasonable yet impeding consequences if that trust is broken. That's how I handled it, along with of course setting up the managed accounts which restricted what they could do. Maybe I was just lucky my kids respected the trust I put in them to use the computer properly.
uid=505(CHILD) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator),704(com.apple.sharepoint.group.3),705(com.apple.sharepoint.group.4)
The groups are nearly the same as yours. The only difference is you have 501(access_bpf) and CHILD doesn't. Unfortunately, I don't see a way to turn that into something useful.
chflags and chmod can’t be used in Monterey on system apps because they are on that stupid Signed System Volume.
This thread deals with the News app but probably applies equally to Terminal.app
https://forums.macrumors.com/thread...ed-list-with-news-app-app-still-runs.2226594/
Doesn’t work on macOS to restrict access to apps, only on iOS.
The above mention of iMazing Profile Editor made me think of Apple Configurator 2, which is another tool for editing profiles.
Not sure if you don’t have kids, or are naive enough to think you know everything that’s happening when you aren’t looking. I don’t know how old the child is here, but personally I’d be worried about a teenager that isn’t straining against their shackles more than one who is. Parental Controls exist for a reason in most OSes, and “you’re going to use this for schoolwork, not fun” is a big reason. The problem here is that Chrome opened a hole through them and Chrome is non-negotiable.
Did I miss the part where he said this was on a computer used in class, not at home? If so then fair enough.
But this seems more of a trust issue than something we should expect system restrictions to solve without issue.
If the student abuses his privileges, then take those privileges away. Can't do your work because daddy took the T-bird away? Well, whose fault is that? Sometimes they have to learn the hard way.
Just my opinion of course.
Once again, that is not enough in Big Sur and Monterey. See https://forums.macrumors.com/threads/cant-boot-after-mounting-system-volume-as-writeable.2332937/post-30822017
You can try disabling System Integrity Protection (doable from the Recovery Mode only)
csrutil disable
csrutil enable
If you read my other posts on this thread you'll see that when my own children were young enough to need managed access, I managed perfectly well using a mixture of the account-restriction facilities built into MacOS, along with a trust between us that they wouldn't attempt to purposefully abuse their privileges. If Chrome is the only sticking point here because it effectively bypasses the account restrictions, then don't let them use Chrome if you feel they'll be too tempted to abuse it.
Not sure if you don’t have kids, or are naive enough to think you know everything that’s happening when you aren’t looking. I don’t know how old the child is here, but personally I’d be worried about a teenager that isn’t straining against their shackles more than one who is. Parental Controls exist for a reason in most OSes, and “you’re going to use this for schoolwork, not fun” is a big reason. The problem here is that Chrome opened a hole through them and Chrome is non-negotiable.
Frankly the reason for wanting to disable Terminal isn’t the question here, how to do it is.
Sounds like a great approach to me.
We've had some ongoing discussions. They're not unaware of their tendencies and bad habits and we've agreed to some things like time limits on social media and downtime after bedtime or during the school day. Our approach is that we're trying to help them stay focused and not overindulge and develop better habits so that when they have complete control over this stuff one day, they can self-police. But kids are kids and are sometimes too clever by half and it got to where I needed to tighten a couple of things up and ward off workarounds.
I'm tinkering with iMazing Profile Editor but having some trouble getting it to install the profile. Working with their support people to see what's up.
The groups are nearly the same as yours. The only difference is you have 501(access_bpf) and CHILD doesn't. Unfortunately, I don't see a way to turn that into something useful.
I'm not familiar with how Monterey manages group membership, but if you can add 'titan' to the 'wheel' group, then a permissions change to Terminal.app would give the desired block. On my computers, my admin accounts have been a member of 'wheel' since 10.0, when I added it manually, and I haven't had to make many adjustments since then.
The above mention of iMazing Profile Editor made me think of Apple Configurator 2, which is another tool for editing profiles. There's a lot of configurable capability in profiles, but I've never had to delve into them.
I know there are threads on MacRumors about it, too.
Apple Configurator - Official Apple Support
Access resources, contact options and learn about mass configuration and iOS deployment options for your institution's devices with Apple Configurator.
support.apple.com
The answer is in #40
I'm tinkering with iMazing Profile Editor but having some trouble getting it to install the profile. Working with their support people to see what's up.
I think that's for Apple Configurator. iMazing Profile Editor lets you manage macOS devices.
The answer is in #40
"Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later."
Apple sets the rules for macOS, iOS and tvOS, profile apps can create profiles based on those rules. You can install a profile that restricts access to an app on macOS, but it will have no effect because macOS does not recognize that restriction.
I think that's for Apple Configurator. iMazing Profile Editor lets you manage macOS devices.
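
An added example, not from any poster in this thread: the worry raised earlier is that a Chrome setting stored in the child's own preferences can be undone from Terminal without admin rights, while a profile needs an admin account to remove. This Python sketch builds a profile that carries the Incognito setting as a managed Chrome preference and reads it back to confirm what it would enforce. It assumes Chrome's enterprise policy key `IncognitoModeAvailability` and a payload typed with Chrome's preference domain; the identifier and display names are constructed placeholders.

```python
import plistlib
import uuid

CHROME_DOMAIN = "com.google.Chrome"  # Chrome's preference domain on macOS
INCOGNITO_DISABLED = 1               # policy values: 0 available, 1 disabled, 2 forced


def build_profile(identifier, incognito=INCOGNITO_DISABLED):
    """Build a configuration profile that carries Chrome policy as a managed preference."""
    if incognito not in (0, 1, 2):
        raise ValueError("IncognitoModeAvailability must be 0, 1 or 2")
    chrome_payload = {
        "PayloadType": CHROME_DOMAIN,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".chrome",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Chrome policy",
        "IncognitoModeAvailability": incognito,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Schoolwork browser settings",
        "PayloadScope": "System",  # device-wide rather than one user's domain
        "PayloadContent": [chrome_payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def chrome_policies(mobileconfig_bytes):
    """Read a profile back and list the Chrome policy keys it would enforce."""
    profile = plistlib.loads(mobileconfig_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == CHROME_DOMAIN:
            found.update({k: v for k, v in payload.items()
                          if not k.startswith("Payload")})
    return found


if __name__ == "__main__":
    data = to_mobileconfig(build_profile("com.example.home.schoolwork"))
    print(chrome_policies(data))
```

After installing such a profile, Chrome's `chrome://policy` page is where to check that the value is listed as applied.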