1

While most of our accounts are managed through Workgroup Manager, we often set up local accounts to be used for end-of-term governmental exams at the K-12 institution where I work.

It would be nice to lock down the computers such that students can only use their word processor during the exam, and have no access to the internet. I made a local user test account and tweaked some settings under Parental Controls. Then, I was able to export them:

dscl . -mcxexport /Users/testuser -o parental_controls.plist

And re-import them to good effect:

dscl . -mcximport /Users/testuser parental_controls.plist

Watching the filesystem while doing this, I noticed that the applications I whitelisted were signed in the background by Parental Controls, and this was remembered in the settings. My exported plist has lines like this (reformatted for readability):

<key>appID</key>
  <data>+t4MAAAAACgAAAABAAAACAAAABQOiCi6O1EFrBaCbNrFU4pEjwH8zg==</data>
<key>bundleID</key>
  <string>com.microsoft.Word</string>
<key>displayName</key>
  <string>Word</string>
<key>path</key>
  <string>/Applications/Microsoft Office 2008/Microsoft Word.app</string>

I found a nice guide to codesigning. Unfortunately, it says that you'll need your own certificate to sign applications with. [And, as this was already becoming more work than I had in mind, and I may just go to 60 computers manually and do it, scripting the keychain to create a new codesigning certificate so that I could then sign some specific apps to then enable parental controls seems like a place where madness lies.]

I did test to see what would happen if I removed the key, and the managed user cannot launch the application.

Is there a sensible way to either

  • script this process
    • perhaps I can use an existing certificate?
    • perhaps Apple has a Parental Controls CLI utility I can call that will sign them?
  • manage a local account from Workgroup Manager for a whole lab?
  • or otherwise perform the same steps for many computers?
Clinton Blackmore

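An added example, not part of the original question or answers: a Python check for an exported Parental Controls plist that lists each whitelist entry and decodes its appID. It reads the blob as a code-signing requirement (magic 0xfade0c00, opcode 8 for an exact cdhash), which is what the bytes quoted in the question parse as; the second sample entry, the outer array and all function names are constructed for illustration.

```python
import plistlib
import struct

# Constants as defined in Apple's code-signing sources; fields are big-endian.
CSMAGIC_REQUIREMENT = 0xFADE0C00  # magic of a single code requirement blob
OP_CDHASH = 8  # requirement opcode: match one exact code directory hash

# Constructed sample. The first entry uses the values quoted in the question;
# the second (no appID) and the enclosing array are assumptions for illustration.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict>
<key>appID</key><data>+t4MAAAAACgAAAABAAAACAAAABQOiCi6O1EFrBaCbNrFU4pEjwH8zg==</data>
<key>bundleID</key><string>com.microsoft.Word</string>
<key>path</key><string>/Applications/Microsoft Office 2008/Microsoft Word.app</string>
</dict>
<dict>
<key>bundleID</key><string>com.example.Editor</string>
<key>path</key><string>/Applications/Editor.app</string>
</dict>
</array></plist>"""

def decode_app_id(blob):
    """Return the hex cdhash an appID blob pins, or None if it is another form."""
    if len(blob) < 20:
        return None
    magic, length, _kind, op, n = struct.unpack(">IIIII", blob[:20])
    ok = magic == CSMAGIC_REQUIREMENT and length == len(blob) == 20 + n
    return blob[20:].hex() if ok and op == OP_CDHASH else None

def whitelist_entries(node):
    """Yield every dict carrying a bundleID, wherever it sits in the plist."""
    if isinstance(node, dict):
        if "bundleID" in node:
            yield node
        for value in node.values():
            yield from whitelist_entries(value)
    elif isinstance(node, list):
        for value in node:
            yield from whitelist_entries(value)

def audit(plist_bytes):
    """Return (bundleID, path, pinned cdhash or None) for each whitelist entry."""
    return [(e["bundleID"], e.get("path"), decode_app_id(e.get("appID") or b""))
            for e in whitelist_entries(plistlib.loads(plist_bytes))]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A `None` in the third column means the entry has no appID (the case the question reports as blocking launch) or uses a requirement form other than a cdhash. A cdhash identifies one exact signed build, so it is worth comparing this column across machines before importing one plist everywhere.
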
2 Answers

2

I am not sure that is what you are looking for, but you can limit application usage with Workgroup Manager on a computer group level.

Obviously, you need an OS X Server with OpenDirectory. You can then define a computer group in Workgroup Manager, add the Macs you want to use for the exam, and, in the preferences dialog for this group, limit the applications. I guess you would need the exact same version of the applications in question on every computer.

But I have to admit I never really tested this, just made a short proof of concept years ago when I was toying around with Tiger Server before rolling it out.

Sven
0

I did want to mention that when you set up Application Whitelists/Blacklists in Workgroup Manager, it will enable you to scope things by path and not just by the signed key of an application. It may even be possible to do this on a local user or group and then import/export the values.

Clinton Blackmore