In a previous blog post I stated how vital it is to implement Application Whitelisting to help prevent malicious penetration of your computer. In OS X this is done by logging in with a Managed user account with Parental Controls enabled.
Apple may have chosen a painfully poor name for this type of account, as I've yet to meet a client who calmly went down the path to having their account be under Parental Control! Rest assured, it's only a terrible naming choice, and this type of account, although appropriate for children, is also appropriate for adults, administrators, and even your boss. It is considered one of the mandatory steps to ensure the security and integrity of an IT environment.
Assignment: Configure an OS X Managed with Parental Controls Account
For our assignment we will be configuring your own account to have the added security of application whitelisting. These same steps should be taken for all non-administrative accounts on your computer, and all computers in your household or business. Understand that best practice holds that all of your non-administrative accounts should have application whitelisting enabled, and that you never log in with an administrative account.
1. On the computer hosting the user account to be managed, open Apple menu > System Preferences > Parental Controls.
2. Select the Lock icon to authenticate as an administrator.
3. In the sidebar select the target account to manage.
4. If you want to manage parental controls from another computer on the same network, enable the Manage parental controls from another computer checkbox.
5. Select the Enable Parental Controls button. The Parental Controls System Preference pane opens. Unlock the pane.
- Allow use of camera is self-explanatory.
- Allow joining Game Center multiplayer games is self-explanatory.
- Allow adding Game Center friends is self-explanatory.
- Limit Mail to allowed contacts helps to prevent unknown and unwanted people from exchanging email with the user. Selecting the Manage button opens a configuration window for this option.
- Limit Applications activates application whitelisting. It allows picking which specific applications the account will have access to.
6. This is the heart of why we are doing all this work.
7. Expand Other Apps. Enable the checkbox for applications this account needs, but do not enable the Other Apps checkbox as this will allow any application to run. Keep in mind we are attempting to prevent unwanted malware from launching.
8. Enable the Utilities checkbox. A non-administrator is not going to create problems accessing these applications.
9. By selecting the Logs button, the administrator is able to view the activities of the managed user. Logs may be viewed from any other computer on the same network.
10. Select the Done button to return to Parental Controls.
If all you wanted to accomplish is to enable Parental Controls, your job is done! However, if you want to further restrict activities and access to this system, you can return to edit the Web, Stores, Time, Privacy, and Other tabs.
Questions? You know who to call. Or better yet, order your own copy of Practical Paranoia today.
Marc L. Mintz, MBA-IT, ACTC
President & CIO
Mintz InfoTech, Inc.