There are many risks in life, including in our online life, be it social media, purchasing, online banking, chat, IRC, harmful content or addictive behaviors. PREVENTION is the key!
“Online Family Safety” Google Forum for additional info and discussions – Link
Meraki Systems Manager documentation – Link
Deployment Guide and Best Practices – Link
Device Enrollment – Link
Profiles and Settings – Link
Web content filtering on iOS devices in Systems Manager – Link
Meraki YouTube Videos
How to Supervise an iOS device – Link
Cisco Meraki and Apple Configurator 2.0 to manage supervised iPads – Link (start at 3:45)
Getting Started with Cisco Meraki Systems Manager – Link
Managing Devices with Cisco Meraki Systems Manager – Link
Managing Macs and PCs with Meraki Systems Manager – Link
Systems Manager Sentry Overview – Link
Mobile Device Security for youth:
As a parent, I will not allow a failure to provide protections to result in evil owning my child. Why would I provide a device that could harm my child? I MUST plan and manage a mobile device so I can mentor my child into becoming responsible with mobile devices & other dangerous devices!
For my 15-year-old son’s birthday, we got him his first smartphone. It’s a post-pay ting.com phone (any Sprint phone works; buy a refurb off eBay or ting.com). Pay for what you use. I turned OFF Data and turned OFF SMS. We run 3 smartphones on Ting, which costs us about $45 a month!
I installed “Smart App Protector” to password protect ALL apps on the phone. By locking the settings, I can ensure he only gets “Internet” when he is on my home WIFI or Church’s WIFI (that is policy controlled Internet Access). To get into “settings”, we must enter a code (that my son does NOT know).
I set the expectation, if I see you misusing your phone–it’ll be in the safe for 30 days. I do weekly checks on the phone to ensure everything is running as I expect.
Also, I set the expectation that after 3 months, he is on the hook to pay the phone bill. Ensure your children know to trust you on expectations (do not FLAKE on your expectations).
So, he can use the calendar, make/receive phone calls, and use the “LDS Gospel Library” and Kindle apps, all without a code. When he wants to browse the Internet or use YouTube, he must come and ask us to enter the code.
He gained my trust, so I unlocked “Google Voice”. Now he can SMS/TEXT, when on my WIFI 🙂
Also, there is an audit trail on all his SMS messages, which acts like a deterrent.
In fact, I’m now using “Smart App Protector” to protect my phone’s “playstore” and settings. The kids would hoodwink my phone and install their silly games, NO MORE 🙂
I’ve started experimenting with “android whitelist browser”.
SUMMARY: A supervised iPhone has MUCH more granular & deep “security controls” than Android when it is managed with a “mobile device management” (MDM) product like Meraki.
Meraki MDM is FREE for less than 100 devices!
The main features I use are allowed/denied applications, white-listing websites (block ALL websites except a few allowed), remote app install/removal & phone tracking (lost device or lost child).
Without these granular controls, parents are required to block browsers & all apps that could be mis-used. With granular controls, one can allow them access to helpful websites via a whitelist.
The MDM has a phone finder feature, but the native iPhone finder is much better and more accurate (use the Safari browser or an Android app).
Here are some screenshots of Meraki MDM:
Home Internet Content Filtering:
I’ve been using OpenDNS for about 10 years. Most of my IT colleagues use OpenDNS for their families too. For more granular security controls I HIGHLY recommend Unified Threat Manager (UTM) for features like authentication & authorization based on groups & users, meaning parents can have a policy & kids can have their own policy applied to their username. It also offers quotas that limit children’s time online. The client2VPN is excellent too. You may need to be more technical to install & configure UTM. OpenDNS is much simpler, but doesn’t have the granular access controls that UTM has.
Unified Threat Manager (UTM)
UTM is a major upgrade since Astro Firewall!
The main feature I use is browser authentication, so I can apply Internet content policy to particular usernames. Logging, time restrictions & VPN are also used. The ONE feature that pushed me to UTM over OpenDNS is the fact that I can give my kids 60-90 minutes of online time; once that is gone, they are unable to use the Internet (they self-manage their allotted time).
UTM is FREE for home-use, but you will need to buy some hardware (mini-pc with two Network Interfaces).
Here are some of my UTM screenshots.
This screenshot shows that authentication is REQUIRED.
You can apply multiple policies to certain users and/or groups!
Configuring quotas will determine if online usage goes against their “online allowance”.
If the categories are not granular enough you can add allow/deny per policy!
You can also control what types of files are downloaded:
Enforce “safe search” for youth/kids & set how much “online time” they are allowed:
Geek out and see your trending Internet usage. I bet my Internet Usage is WAY ABOVE your Internet usage!
Endless logs & reports on user usage and traffic!
REPORT based on user or ip address or both!
LOGS LOGS LOGS!
VPN allows me to close ALL ports into my home network, EXCEPT the VPN port. Once I VPN in, I can access all my internal resources like my NAS etc.
How OpenDNS works:
Basically, every time your computer requests a website (domain name), it asks a Domain Name Server (DNS) to convert the name into an IP address.
If your DNS server knows your source IP address (Your public IP Address), it can intelligently apply policies to govern where you are allowed (whitelist) to surf the Internet or policy to block (Blacklist).
PROS of OpenDNS:
1) Configure on your wifi router and the policy applies to all devices on your network, including mobile devices.
2) Have ONE PC that keeps OpenDNS updated on your public IP address.
3) Known malware and known botnet sites are blocked.
4) Ensure you enable the option to NOT allow proxies. Someone using a proxy could bypass OpenDNS’s policy.
5) Custom Configuration. Meaning, you could block all social nets, but allow Linkedin.com
6) You can log in remotely and change the policy. For example, I’m at work and my wife calls and says one of the websites the kids need to get to is being blocked. I log in and whitelist that website.
7) FREE & easy to configure.
CONS of OpenDNS:
1) Device-specific logging is missing. You can see a daily log of all devices, but segmented reports on specific devices are not in the free version.
2) With enough technical skills, it can be bypassed.
3) Free version only allows 25 domains to be whitelisted.
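The lookup described under “How OpenDNS works”, together with pros 2 and 5, as a simplified Python model. This is an added example, not OpenDNS’s code; the class and function names, the category map, the documentation-range IP addresses and the rule that an unregistered address gets an unfiltered default policy are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    blocked_categories: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)   # always allowed
    blacklist: set = field(default_factory=set)   # always blocked

def matches(qname, domains):
    """True if qname equals a listed domain or is a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

class FilteringResolver:  # hypothetical model of a policy-applying DNS service
    def __init__(self, categories):
        self.categories = categories      # domain -> category (constructed)
        self.policy_by_ip = {}            # registered public IP -> Policy
        self.default = Policy("default")  # assumption: unknown IP = no filtering

    def register(self, public_ip, policy):
        self.policy_by_ip[public_ip] = policy

    def update_ip(self, old_ip, new_ip):
        """What the updater PC reports when the ISP changes your address."""
        self.policy_by_ip[new_ip] = self.policy_by_ip.pop(old_ip)

    def decide(self, source_ip, qname):
        policy = self.policy_by_ip.get(source_ip, self.default)
        if matches(qname, policy.whitelist):   # custom allow wins first
            return policy.name, "allow"
        if matches(qname, policy.blacklist):
            return policy.name, "block"
        cat = next((c for d, c in self.categories.items()
                    if matches(qname, [d])), None)
        return policy.name, "block" if cat in policy.blocked_categories else "allow"

# Constructed sample data: documentation IP ranges and example domains.
CATEGORIES = {"linkedin.com": "social", "social.example": "social",
              "proxy.example": "proxy"}
HOME = Policy("home", blocked_categories={"social", "proxy"},
              whitelist={"linkedin.com"}, blacklist={"games.example"})

def demo():
    r = FilteringResolver(CATEGORIES)
    r.register("203.0.113.10", HOME)
    before = [r.decide("203.0.113.10", "www.linkedin.com"),
              r.decide("203.0.113.10", "chat.social.example"),
              r.decide("198.51.100.7", "chat.social.example")]  # ISP changed IP
    r.update_ip("203.0.113.10", "198.51.100.7")
    return before + [r.decide("198.51.100.7", "chat.social.example")]
```

The third result in `demo()` is the case to watch for at home: until the updater reports the new public address, queries from it fall under the default policy instead of the family policy.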
I’ve helped people configure this router. It’s pretty nice: when a site is blocked, you can choose to allow it temporarily (with admin password) or allow the site permanently (with admin password).
They also have an option to physically lock up the router, so cat5 cables can’t be re-arranged to bypass the content filter.
GENERAL BEST PRACTICES:
1) Use Chrome, NOT IE. All malware targets IE…and it’s not secure. Also, it’s part of the OS, so once it is compromised, so is your OS. You can uninstall and reinstall Chrome.
2) Use MS Security Essentials on Windows.
4) About every 12-18 months, Windows gets owned/compromised, so reinstall it from scratch. Once “owned”, you have little hope of really removing the malware. Use Linux 🙂 Or a Mac; they get owned much, much less often because they are less of a target and are architected to be more secure from the beginning, vs. having security bolted on afterwards.
5) Encrypt email messages. OpenPGP message encryption and authentication for Thunderbird
6) Use lastpass.com & KeePass and a browser plugin to have secure passwords.
7) Password management
8) Have Full Documentation for Any Disaster Need
9) Encrypt your entire hard drive with TrueCrypt.