Remote Screen Time in iOS 12 – a breakthrough in Explorer support

With iOS 12 Apple made big changes to what it used to call “restrictions” or “parental controls” and is now called “Screen Time”. It took me a while to appreciate the power of Apple’s approach. It’s not everything Explorer need, but it’s a big step forward. I’m seeing encouraging tweaks and improvements with minor revisions to iOS 12; I think Apple has decided to get this right.

The really big change is that, with the right setup and configuration, it’s possible for a Guide to use an iOS 12 iPhone or iPad[1] to remotely manage app use on an Explorer’s iOS 12 iPhone. I call this Remote Screen Time. I’ll review what it can do here, in the next chapter I’ll discuss local Screen Time and how to make Remote Screen Time work.

Using Screen Time a Guide can define a core set of apps that are always available and then set time limits on individual apps or categories of apps. For example, a Explorer’s iPhone could be set allow only productivity apps during work hours but enable full use after work is done. How important is this? It can make the difference between employment and unemployment.

This is a big improvement over what we’ve had for the past 8 years. There is still room for improvement though. Apple, at the time I write this, has wounded (broken, really) its web access content controls. It would be nice to be able to manage devices from iCloud as well as a Guide’s iPhone. You can’t mix local (on device) and remote Screen Time. There are many small bugs. There can be odd delays in Screen Time enrollment and updating. Most of all there’s an age problem — in order for restrictions to work optimally an Explorer’s age needs to be set in their Apple ID to be under 18 (more on that later) and they have to be configured as part of a Guide’s “family”.

That’s the bad news. I’ll go over the setup and workarounds in the next chapter, but here I’ll review what we do and why it’s worth the struggle. The Screen TIme image below is taken from my (Guide) personal iPhone. I got to it through Settings:Screen Time.

The image shows my personal Screen Time settings[2] first, then in a section labeled “FAMILY” it shows 3 members of our family (names hidden) who are, as far as Apple knows, “under 18”. I can tap on those names to see a screen that is identical to my personal, locally managed, screen.

ScreenTimeFamily 20181124
For each FAMILY member you can see reports like this for a day or a week or a day, for one device or for multiple devices (such as an iPad and an iPhone).

Jf screentimeSummary 20181208

The key features of Screen Time are briefly described in the iPhone User Guide. Please take a look at those, but there’s quite a bit that’s left out. Screen Time has 4 parts: Downtime, App Limits, Always Allowed, and Content & Privacy Restrictions. I’ll talk about the Content & Privacy Restrictions in a later chapter[3], along with some other iOS settings that are important for safe iPhone use.

Downtime, App Limits, Always Allowed are the main ways to setup Screen Time. There’s another hidden and undocumented control that extends App Limits, I’ll discuss it together with App Limits.

Assuming remote Screen Time is working (see next section on setup), the first thing to do is define the apps that are Always Allowed. These will be available regardless of time related blocks. For most Explorers this will be the safety and productivity apps like Health[4], Contacts, Notes, Calendar, Find Friends, Maps and so on. Other standard items I enable include Calculator, Camera, Compass, Files, Find Friends, Mail, Music, Photos, Weather, and Voice Memos. I also enable Messages though it can be a distraction for some Explorers.

Once the Always Allowed apps are defined there’s an opportunity to set limits. You can do the following:

1. Schedule a time interval during which all non-Allowed apps will be blocked. A family user can request more time from a family manager. There’s just one time interval, you can’t schedule different intervals on weekday vs. weekend for example. This is most useful during an Explorer’s work or school hours.
2. Schedule a time interval when the entire device will be blocked. We don’t use this.
3. Set a daily Time Limit for collections of apps like “Social Networking”, Games, and so on. This is total time, not a time interval. These collections are based on how apps are classified in Apple’s App Store. Sometimes they are a bit odd; on one Explorer’s iPhone “Police Scanner Radio” is classified as “Reading & Reference”. We have made use of limits for “Social Networking” and Games, but I actually find the next, undocumented, method more useful.
4. Set a daily limit for a specific app. This undocumented feature is only available for apps that have already been used by an Explorer. It doesn’t show up under “App Limits” where you’d expect to see it[5]!

To set a daily limit for a specific app you have to first tap on the summary of screen time use. This shows a screen where you can see use for “Today” or for “Last 7 Days” and, for Explorers with both an iPad and iPhone you can choose which device to see. Here’s where the secret is found. It may not be obvious, but you can scroll down to see a list of either most used Apps & Websites or Categories for either the current day or the past 7 days. This the real power in Screen Time. You can set daily usage limits for a specific app or even a specific web site. This is where we do most of our adjustments.

There’s a lot of power hidden in remote Screen Time once you have it working. Some of it is more obscure than it should be, but it’s great stuff. To summarize first step is to specify which apps are always allowed, then block all non-Allowed apps during work or school hours, then, if desired, set usage limits on individual apps like Instagram, Snapchat, Safari and the like.

– fn-

[1] I think the almost forgotten iPod Touch would also work. Even an old iPhone 5s can do remote control as long as it’s running iOS 12.
[2] We are all, fundamentally, Explorers. Advanced Explorers, including Guides, may find it helpful to set personal, locally managed, Screen Time limits. Assuming we known our own Screen Time passcodes we can override them, but I find it helpful to set a limit on my compulsive reading habits.
[3] “Content & Privacy Restrictions” aren’t related to time at all, so it’s awkward to have them bundled under “Screen Time”. A more accurate, but less engaging, name for all these things would be “Restrictions”.
[4] See discussion of Health.app. This provides critical health information even when an iPhone is locked. You need this to work.
[5] I hope this gets fixed in iOS 13. It really should show up under App Limits.

Managing an Explorer iPhone with Apple’s two factor authentication

One of my Explorers is very particular about phone hygiene.

He force quits all his apps — immediately. He deletes all instant messages and emails after reading them. He has the makings of a master spy.

In the same vein he clears all nags and notifications cleared — always. When Apple nags him to update iOS he updates immediately — ready or not. When Apple nags him to enable two-factor authentication he enables it. Whether I want it or not.

Two-factor authentication is a problem for Guides. It’s designed to protect a user’s phone and data from outsiders. Unfortunately, that includes well intentioned outsiders like Guides. This makes it hard to support an Explorer by editing their Notes and Contacts for example.

Guide work is a easier, and an Explorer’s iPhone is quite secure, with a strong iCloud password that the Explorer doesn’t know. (You can’t reveal what you don’t know and iPhone use requires the phone passcode, not the iCloud password). It’s hard to avoid Apple’s two-factor authentication [1] though. Even if an Explorer doesn’t enable it Apple requires two-factor authentication for several useful services.

Fortunately there is a workaround — at least for now. From Apple’s ID management site or iPhone Settings:Apple ID:Password & Security you can add a Guide’s mobile phone number [2] to an Explorer’s Apple ID account information:

Two-factor authentication for Apple ID – Apple Support

… A trusted phone number is a number that can be used to receive verification codes by text message or automated phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.

You should also consider verifying an additional phone number you can access, such as a home phone, or a number used by a family member or close friend. You can use this number if you temporarily can’t access your primary number or your own devices

Once you’ve followed the directions at that site this you can access an Explorer’s iCloud account:

  1. Let your Explorer known you’re updating their iCloud data. They will receive a notification on their iPhone that you are visiting their account. If they choose “Don’t Allow” you’ll be blocked. 
  2. Go to iCloud.com and enter the Explorer’s Apple ID and password. At the next screen your Explorer will get the Notification to grant access, but you don’t need it. Instead click “Didn’t get a verification code?”
    Icloud no code
  3. At the next prompt choose “Use Phone Number”.
  4. Choose the number of your phone (Guide phone):
    Choose phone
  5. Enter the number you receive.

You will be given an option to trust the browser you are using so you don’t have to do this again. Accept that offer! In my experience this doesn’t always “stick” but it means you will often avoid this procedure.

I’d rather not have to deal with Apple 2FA but with this workaround it’s manageable.

– fn –

[1] Not to be confused with Apple’s obsolete “two-step verification” — which still shows up in Google searches on this topic.

[2] A number that accepts SMS, including Google Voice numbers.

iPhone safety for Explorers – a chapter section on setting Apple age

When I started my book project I though iPhone setup would be a quick chapter. It didn’t turn out that way. iPhone configuration is probably a third of the book, including initial setup, simplifications, and safety measures.

Most recently iOS 12 forced a complete rewrite of all these chapters and, in the absence of documentation, a good amount of experimentation (my Explorers have been justly annoyed by that)  I’ve discovered, for example, that there are significant remote control options for users whose “Apple age” is less than 18. I’ve also found that when one enables remote control all local Screen Time settings are erased without warning.

With the changes made in iOS 12 safety support now requires setting an Explorer’s Apple age to be under 18 by changing their Apple ID associated birth date. Here’s what I wrote about this today …

The key to safe iPhone use is to decide what birth date Apple should use for the Explorer you are supporting. Apple only provides effective safety support for users for users under 18 years old. The user age, which I think of as the “Apple age”, is based on the birthdate associated with a user’s Apple ID.

If an Explorer’s Apple age is well under 18 this isn’t a concern. If Apple believes an Explorer is near or above age 18 then safety support requires changing the birthday Apple uses.

A user’s birth date can be changed using a web browser at Apple’s ID management site⁠ [1] or through the iPhone’s user account settings [screenshot] under “Name, Phone Numbers, Email”. In my own testing I think it works better to change birth date on the Explorer’s iPhone⁠ [2].

My current practice is to initially set a birth date so that Apple software considers the Explorer to be 14 years old. This doesn’t seem to have many side-effects beyond enabling the iPhone’s safety features⁠ [3]. I can, for example, set my Explorers’ age to 14 but “Allow All Movies” and “Explicit” books.

An initial “Apple age” of 14 means every 3 years a Guide and Explorer must decide whether to revert to the true age or dial back to 14 again. That seems a reasonable interval for reconsideration. The goal of both Explorer and Guide is for the Explorer to no longer require this kind of supported use⁠ [4].

Of course an Explorer can also change their Apple Age using a web browser or their iPhone or any Apple device (including a Mac). Teens discovered this within seconds of Screen Time being available in iOS 12 beta. If this is a concern there are two measures to take.

One measure is to use the Screen Time “Content & Privacy Restrictions” to restrict Account Changes. That will prevent changing Apple Age on the Explorer’s iPhone.

The second measure was discussed in the chapter on initial setup and is also discussed later in this safety chapter. Most Explorer’s don’t need to know their iCloud password and there are safety advantages to keeping that secret. Without knowledge of that password it’s difficult to change Apple Age using web browser [⁠5].

I don’t like changing an Explorer’s Apple age. It’s demeaning. I would like Apple to provide an Accessibility setting called “supported use” that would enable support without changing an Explorer’s birth date. Until Apple does that however, this is the only way I know to support iPhone use for a vulnerable adult. Whether to bring this Apple age change up with an Explorer is something a Guide must decide.

– fn -
1 https://appleid.apple.com/account/manage
2 At the time I write this Screen Flow is new and has many undocumented behaviors and a few bugs.
3 I think this age may also affect what kind of marketing Apple does to its customers.
4 On my own iPhone I have enabled Screen Time blocks to restrict my own use of social media. As an adult I can lift the blocks, but it requires an extra step.
5 I discuss password resets and the effects of two factor authentication later in this chapter.

Netflix accounts can be purchased with a gift card

We learned today that it’s not hard to create an individual Netflix account for an Explorer without the risks of automated credit card or debit car withdrawals (overdrafts, lack of expense control, tracking of spend, etc).

A Netflix account can be funded by a Netflix gift card. Our Explorer paid me cash from his job, I bought him a Netflix gift card on Amazon. When I set up his account I used the Gift card option. It worked. It will be interesting to see what happens when he exhausts the Gift Card fund. I’ll update this post when I learn that.

There is a bug in the process to beware of. Even after entering the Gift card Netflix tries to get a debit or credit card. You can continue without this, but if you click the credit/debit option there’s no control to continue without entering the data. I had to close the window. When I reopened Netflix asked me to finish my Explorer’s signup. I did that and chose the “Continue” option.

iOS 12.0.1 bug: can’t enable blocked site by entering restriction code

In iOS 11 when Web Content was set to “Allowed websites only” and a user tried to access a non-allowed site there was an option to allow the page. Tap on that, enter the restriction code, and the page was added to the permitted list.

This option is missing in iOS 12.0.1. Instead the “allowed websites only” list but be manually edited. Which is almost useless.

Screen Time age-specific behavior: “Ignore Limit” vs. “Ask For More Time” – a plea for a new accessibility setting

Apple introduced “Screen Time” with iOS 12. It includes a feature called “Downtime” with the ability to block sets of apps for specified times. Another similar feature sets time limits on apps. 

This would obviously be helpful for managing screen distraction for special needs children and adults.

Sadly the behavior of Downtime is age specific. If a user’s Apple ID is a member of Family Sharing, and the Apple ID age is under 18, when a user taps on a blocked app Screen Time provides a link to “Ask For More Time”. If the Apple ID age is over 18 (in the US anyway) there’s an option to simply “Ignore Limit”.

So Screen Time is not very useful for vulnerable adults. I would like Apple to add an option to Accessibility called “Supported use” and a companion restriction to block changes to the Supported Use setting.

There is a silver lining though. Apple makes it easy for a user to change their birthday. Tap on Settings [your name] then Name, Phone Numbers, Email then change birthday. I did this on a test device then added the test device Apple ID to my own device Family Sharing account. After doing this blocked apps show the “Ask for More Time” link.  (I expected this to work like “ask to buy” and show up on the Family Sharing administrator’s iPhone, but when I tested it only appeared on the test iPhone’s screen. So it requires physical access.)

You may now be thinking “what’s to stop a supported user from changing their birthday back to adult”? Screen Time > Content & Privacy Restrictions > Account Changes [Don’t Allow] prevents access to the Settings > [your name] control.

Google has taken a different approach with their Family Link solution. They make changing age more difficult, but they enable a pragmatic set of restrictions for anyone over 13 (“age of consent” for Google). 

I hope Apple will one day add a “Supported user” Accessibility option. I also hope they will add remote management of mobile device restrictions to iCloud. In the meantime the age change option may be a good workaround. I’d suggest choosing age 14; that will give Apple 4 more years to add an Accessibility option for cognitive disadvantages. If I find a problem with this I’ll update this post.

PS. There are some bugs with iOS 12 Screen Time — check it’s still working as expected after an iOS update for example. The permitted app UI also displays Home Screen “bookmarks” as GUIDs — long strings of letters and numbers.

 

Why it’s a good idea to monitor email of a vulnerable adult

#1 got this email today:

Isn’t **** is one of your pass? My name is Aubert. 

Porn site you watched had my backdoor planted which taped a video of your greasy stimulating actions with the help of your cam and even taped the clip you were playing. In the video recording you happen to be appearing pleasing. 

Your current email and FB contacts were then sent to me by my malware. 

I’ll email your recording to your friends unless you pay me $1000 via B I T C O I N S in the next 36 hours to the below address: 
B I T C O I N Address: **** 
Make sure to Copy-Paste address because it is case sensitive. 

Once you have sent the money, I will destroy your video and every bit of information I have about you. 

If I do not receive the money, I will send your video to every contact of yours. Think concerning the awkwardness you will get. and likewise if you are in an important relationship, how it will eventually affect? 

If you want proof? Reply “Yes”, and I will email your recording to eight of your email contactsinstantly. 

Yours truly 

This is why it’s a good idea to monitor the email of a vulnerable adult. I’d probably wouldn’t notice this email, I’d delete it in my sleep. A vulnerable adult doesn’t think that way. They are prey.

Our Explorer emails forward incoming email to us, so we caught this one immediately. I deleted it before #1 read it, but I printed a copy to teach him about these scams.

Google’s Family Link for remote device management – puberty, adulthood, and Google Suites

Special needs teens and adults are a vulnerable population. As parents and guardians (Guides) we are obliged to protect them from threats as best we can. Some of those threats can come from smartphones.

Smartphones can promote independence, but they also create risks and harms. The hardest part of my ‘iPhone for all book project’ is writing about how to maximize the benefits and minimize the harms. Excessive screen time is one harm. Other problems include web content that triggers a problematic obsession [4], social media mistakes, scams, trolls and predators, and even legal semi-scams like costly game add-ons and subscriptions.

Guides need tools to manage these risks. We need tools that for teens who live with us, and for adults who may have a separate residence. Especially for the latter, we need remote management tools [1] we can use from our own smartphones or computers.

Apple has effectively no remote management tools [2]. The one small exception is ‘ask to buy’ functionality for Family Sharing — which only works for under 18. In theory third parties could fill this gap, but I’ve found problems with all of the solutions I’ve tested. Qustodio’s VPN can’t handle encrypted connectionsMMGuardian has several killer flaws, and their competition didn’t  even meet my minimal test standards [3].

Google, on the other hand, has multiple remote management tools. If you use Google Suite (but not the free version some of us have) you have a business class mobile device management tool that even supports iPhones. If you’re an educator you can use Google Classroom and G Suite for Education. Lastly, if you’re a parent, you can use Family Link.

Family Link includes:

  • app level blocks and permissions
  • screen time limits
  • web activity controls (!)
  • location tracking

Family Link isn’t quite perfect. It’s not available for G Suite users for example — so if you’re a geek family and have paid for G Suite Basic you’re out of luck [4]. 

There’s also a manageable problem with turning 13. Google considers this the “age of consent” for the US. They don’t seem to mean this in the legal sense of consenting to sexual intercourse (that’s currently 16 in most American states), it seems to mean consenting to parental control. At age 13 a family link member can opt out of the program. When this happens the “parent” will be notified and the child’s “devices will be temporarily locked and unusable”. Originally the program simply ended at age 13, so this is an improvement. The current behavior is annoying, but it’s not a deal-breaker.

I wondered if there was another transition at age 18 (adulthood in the US and most nations). It’s not currently documented anywhere, but Google’s Help service responded to my inquiry (!). They say 13 is the only transition, there are no further changes at age 18. That’s very good news for vulnerable adults.

Android’s multiple controls are enough to knock off Qustodio, MMGuardian and the rest for Android customers. That leaves only the iOS market now, and Apple has made it quite hard for third party vendors to support this range of services.

When it comes to protecting children and vulnerable adults, Android has pulled well ahead of iOS. We can only hope Apple will feel some pressure to match what Google has done.

– fn –

[1] These are known as ‘mobile device management’ tools. That term is most often used in the context of business and education, but it includes this use.
[2] iOS devices have remote management capabilities, but Apple doesn’t offer tools to work with them. They have left this for third-party vendors.
[3] This kind of software is quite hard to test, which may explain why there are so few serious reviews. The more I learn about how Apple mobile device management works the more I understand why vendors struggle to provide a good solution. This can’t be a very profitable niche, especially now that Google provides Family Link for free, and all vendors know there’s a risk that Apple will provide their own solution and wipe out the industry.
[4] G Suite users have G Suite mobile device management, but it’s designed for different kinds of concerns and is a poor fit to the family user.

Update 10/6/2018Gordon’s Tech: Only Apple can provide family mobile device management for iOS. Might require governmental pressure.

The state of the book – August 2018

When I started my book project a part of me thought it would take about 6 months. A little voice, however, said I would take years. Even then I knew the little voice was right. My only consolation was that I was pretty sure nobody else would be crazy enough to tackle this project.

I started in the fall of 2015, so it’s been about 3 years. When I began I was going to handle both Android and iOS smartphones in one book. I gave up on that idea over a year ago, it’s iPhone only now. Maybe one day I’ll do an Android version, but no promises on that.

During the past year I’ve chipped away at the project for a few hours on Sunday mornings and the odd vacation days (like today). I now have second and third drafts for the contents of these chapters (from Scrivener):

Book Chapters

It’s still a long way from done. My current goal is to get 1st edition out by spring 2019 (iOS 12) and a 2nd edition for iOS 13. I’ll be self-publishing of course.

With iOS 12 I have to rewrite the “Setting up” (includes restrictions/parental controls) chapter completely. That’s a good thing; the current version is too complex and detailed. I’m going to redo it focusing on the highest value basics and either give up on the fine points or move them into an appendix. Throughout the book I have screenshots to do and redo and, of course, lots of editing and proofreading and revising. I think I have the right topics and base material though.

One day, one way or another, barring catastrophe, I’ll finish the book.