78565 Views, 60 Replies. Latest reply: Jul 26, 2010 10:08 PM by ys_5441
..."I've got a user that is managed, but allowed unrestricted access to web and applications.[...]If access is unrestricted, the parental controls should not interfere with web communication at all."...
When "parental controls" are enabled, whether web restrictions are in place or not, it somewhat stupidly by default enables logging for internet traffic, passing requests through an internal proxy server to do so. It is at this stage that secure connections are being interfered with.
In your situation, since you don't appear to be interested in restricting web use, just turn the logging off as a workaround, e.g.:
<pre>/usr/bin/sudo /usr/bin/dscl . -mcxset /users/username com.apple.familycontrols.logging web always -bool false</pre>
Enter the command using "/Applications" > "Utilities" > "Terminal.app" while logged in to an "admin" account, substituting the managed user's "short name" where it says "username".
Although my problem isn't directly related to websites, I have a managed account with unrestricted access to applications and no matter what, I cannot get msn to work for that user. It works on admin account no problem. Also tried substitute, Adium, and aMSN open source version.
Any idea what the problem could be? (besides the obvious that MS writes $* software.)
Apple, hello.... Are you out there???
Not on these forums. It only contains Mac OS X customers, just like you.
You can use the following 2 web sites to communicate Mac OS X issues back to Apple:
<http://bugreporter.apple.com> Free ADC account needed for BugReporter
Really? Not on these forums?
This KB article suggests posting kernel panic info to these discussion forums:
"If you record a kernel panic, you can post this information to Apple Discussions."
Have you activated parental controls ?
If you want to control the internet content with parental controls.
MSN is not going to work if you don't authorize some internet addresses in parental controls.
To have MSN working you need to authorize at least
messenger.hotmail.com but I discovered that Adium is using more Microsoft servers, and as the list is quite long, here is a way to simply authorize MSN on a managed account with parental controls.
1- In Parental Control system preference panel, go to tab content and choose "Try to limit ..." option.
2- click on Customize and allow MSN server by adding the following addresses
and that's all.
If you need something more granular and you want to control every address, go to the following page to get all the addresses used by MSN.
Thanks for this... just to add, since Microsoft has recently changed a lot of their messenger settings you should also add the following to this list...
By adding the above we were able to get Adium to work while still having parental controls turned on.
We ran into this problem, and a wonderfully helpful Apple technician dug up a solution brought down from engineering. I'm very surprised it wasn't made into a knowledge base article.
The problem is that https, by design, keeps the hostname you're trying to access (apple.com, mail.google.com, etc.) secret. The computer can't determine directly whether the connection should be allowed. It does know the IP address, and performs a reverse lookup on that IP address to get the hostname it checks against your list of allowed sites.
So, the solution is to add as an allowed site the hostname associated with the IP address. It's not too difficult, but does require that you dive into the Terminal.
As an example, let's try to allow access to the Apple store. Start with the hostname you know: store.apple.com. Head into Terminal, and type:
You should get back something like this:
<pre>store.apple.com is an alias for store.apple.com.akadns.net.
store.apple.com.akadns.net has address 18.104.22.168
store.x.com.akadns.net mail is handled by 10 cbox-ember01.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember02.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember03.apple.com.</pre>
You can ignore everything except the address line. Now we know that the Apple Store's IP address is 22.214.171.124. Let's use host again:
<pre>126.96.36.199.in-addr.arpa domain name pointer cup-store.apple.com.</pre>
Which is the information that we're looking for. The reverse DNS name of the Apple Store's only IP address is cup-store.apple.com. You can add this to allowed sites, or just add apple.com.
Head back over to the store page, reload, and see if everything's loading. You can use the Activity window (in the Window menu) to see what is and isn't loading successfully on the page. In some cases, you may find content that's not loaded from the same domain — in this case, static content like images is coming from a248.e.akamai.net. You can follow the same steps to find the reverse DNS names of these other domains.
If a domain resolves to multiple IP addresses, check a few of them. If you're lucky, they'll all point to the same or similar domains, and you can just add the second level domain to allowed sites. If you're not, they may not have reverse DNS records at all, and you'll get a response like this:
<pre>Host 188.8.131.52.in-addr.arpa. not found: 3(NXDOMAIN)</pre>
In this case, you may have to add all of the IP addresses individually to allowed sites.
If you're having trouble with this method of finding reverse DNS, try to load a problematic site and check the Parental Controls logs. The site should show up under Websites Blocked. Open one of the history entries in a browser. It should just show up as a hostname or IP address, with nothing after the slash. That's the address you need to add.
Finally, if you just want to allow access to GMail, I did the work for you: most of Google's IP addresses resolve to a .1e100.net address. If you add google.com and 1e100.net to allowed sites (Google has lots of IPs, it's not worth trying to add them individually), you should be all set.
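The lookup procedure from the post above (forward lookup, reverse lookup of each address, then second-level domain or bare IP), as an added example that is not part of the original post. The function names, the naive last-two-labels rule and the `fake_host` stub with its documentation-range names and addresses are assumptions constructed for illustration; on a live system pass `host` as the lookup command.

```shell
#!/bin/sh
# Derive candidate "allowed sites" entries from `host` output.

# Print every IPv4 address found in `host NAME` output (stdin).
forward_ips() { awk '/ has address / { print $NF }'; }

# Print the PTR hostname from `host IP` output (stdin); nothing on NXDOMAIN.
ptr_name() { awk '/ domain name pointer / { sub(/\.$/, "", $NF); print $NF }'; }

# Reduce a hostname to its last two labels (naive: wrong for e.g. co.uk).
second_level() { awk -F. 'NF >= 2 { print $(NF-1) "." $NF }'; }

# allow_entries LOOKUP_CMD NAME -> one allowlist candidate per line.
allow_entries() {
    lookup=$1
    name=$2
    for ip in $("$lookup" "$name" | forward_ips); do
        ptr=$("$lookup" "$ip" | ptr_name)
        if [ -n "$ptr" ]; then
            printf '%s\n' "$ptr" | second_level
        else
            printf '%s\n' "$ip"   # no reverse record: list the IP itself
        fi
    done | LC_ALL=C sort -u
}

# Constructed stand-in for `host`, so the example runs offline.
fake_host() {
    case $1 in
        shop.example.com) cat <<'EOF'
shop.example.com is an alias for shop.example.com.cdn.example.net.
shop.example.com.cdn.example.net has address 192.0.2.10
shop.example.com.cdn.example.net has address 192.0.2.11
shop.example.com.cdn.example.net has address 198.51.100.7
shop.example.com.cdn.example.net mail is handled by 10 mx1.example.com.
EOF
            ;;
        192.0.2.10) echo '10.2.0.192.in-addr.arpa domain name pointer cup-shop.example.com.' ;;
        192.0.2.11) echo '11.2.0.192.in-addr.arpa domain name pointer edge7.cdn.example.net.' ;;
        *) echo 'Host 7.100.51.198.in-addr.arpa. not found: 3(NXDOMAIN)' ;;
    esac
}

allow_entries fake_host shop.example.com
# Live use: allow_entries host store.apple.com
```

Each second-level entry this produces allows every host whose reverse name falls under that domain, so a shared CDN domain admits far more than the one site being looked up.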
Thanks for the great post. I reprinted it with acknowledgement on a blog post I wrote on this topic:
In my case I had our family Google Apps email working with Parental Controls -- until about two weeks ago. Then it stopped working.
To get it working again I had to use your 1e100.net trick, allow google.com, change from OpenDNS to GoogleDNS as my DNS provider and use a particular Google Apps mail URL. (All in 10.5, the kid machine is a G5).
Wow, this is miserable stuff.
Thanks again for sharing,
We wanted to disable the web restrictions with HTTPS but be able to use other functions in parental controls.
The workaround below worked - for a few days
<pre>/usr/bin/sudo /usr/bin/dscl . -mcxset /users/username com.apple.familycontrols.logging web always -bool false</pre>
It seemed to revert back. Is there a way of seeing what this setting is currently set to and/or to permanently set it to not restrict web browsing?
+1 on the usefulness of Sidney's response! Thanks very much for posting.
As a follow-up, I'm monitoring the frailty of the solution over time. For example, the authentication server auth.me.com is fronted by Akamai. How often does the IP address for that host change? Do we have to constantly play catch-up to keep the white-list in sync?
I'll post what I find.
I found this from this KB <http://support.apple.com/kb/HT2900>:
https note: For websites that use SSL encryption (the URL will usually begin with https), the Internet content filter is unable to examine the encrypted content of the page. For this reason, encrypted websites must be explicitly allowed using the Always Allow list. Encrypted websites that are not on the Always Allow list will be blocked by the automatic Internet content filter.
Please let me know if that works.