Front Row vs. Managed Accounts

January 28, 2007

I am in the process of setting up 50 iMac 17″ machines for a lab, so I am creating a master image which I will deploy across them all. The account that the students will use is a managed account where they only have access to a web browser…. or so I thought! I had finished the image and set up a couple of machines when I suddenly remembered about Front Row, Apple’s media centre software. As the bottom-end iMacs do not come with remote controls I had forgotten all about disabling it. Anyway, I thought I would try out a few things while it was still on my image, and the results surprised me. I found that I could open iTunes via Front Row, and from there Safari, even though the permissions on this account told me otherwise. If you would like to try it out for yourself, follow these steps:

1) On your Mac, create an account, click on the Parental Controls tab, and give them access to one application only, say TextEdit.

2) Log in to this account.

3) Verify that TextEdit is the only app you can open.

textedit.jpg

4) Hit Command-Esc to launch Front Row.

5) Switch to the Movies section (the Music section will just tell you that you don’t have any songs in your Library).

6) Browse to a sub menu, such as TV Shows. This will start a spinning graphic on the right and will seem to lock up Front Row.

7) Force Quit from Front Row (Command-Option-Esc). You will be back in the Finder now.

8) If iTunes is not showing, click on the iTunes icon in the Dock, and hey-presto, you’re in!

itunes1.jpg

9) Now your managed account with no permission to run iTunes is breaking the rules. For fun, try launching iTunes from your Applications folder while iTunes is still running. You should get a ‘You do not have permission to open the application iTunes’ dialog, as shown in the picture below:

itunes2.jpg

10) Now to get on the web! In the iTunes Help menu, select ‘iTunes Service and Support’ which will launch Safari, again even though this account does not have permission to do so.

safari1.jpg

So to conclude, Front Row ignores any Parental Controls in a user’s account. If you are setting up Macs in a lab, make sure you disable Front Row by either deleting the Keyboard Shortcut in the System Preferences, or by removing it completely from /System/Library/CoreServices/Front Row.app. Otherwise enjoy the show from the front row!