How to gain control over my kid's Chromebook?
November 6, 2020 2:02 AM   Subscribe

How do I control website access on a school owned Chromebook at home?

My youngest has a school owned Chromebook that they are using for remote learning. They have learned (and taught their "pod friend") how to get to youtube and if they are not directly in my view there is a 95% chance they are watching Jaiden Animations or Mr. Beast instead of foing school work. Because it is a school owned Chromebook I have pretty little control over it and because it isn't on the school's network the school also has little control over it (please correct me if I am wrong here).

I think the trickiest part in all of this is that their teacher uses videos on Youtube so it can't be something that just blocks youtube. Their teacher makes a Google Slide deck for each day that has the links embedded into the slides. Sometimes the videos aren't linked to when the schedule first goes out in the morning but typically are within the first hour. I usually have 15 minutes that I could give permission to linked videos if that is a thing.

We have an older Eero mesh network (3 yearsish) and with both parents working full-time and two kids remote schooling I would much rather throw money at the problem than time if at all possible. Thank you for your thoughts and ideas!
posted by a22lamia to Technology (28 answers total) 5 users marked this as a favorite
I used to netadmin a school. Allowing only filtered access to YouTube at a network level was always tricky, but it became a hell of a lot more tricky when Google started the present-day push to use HTTPS for everything.

The technical issue that needs to be overcome is that having established a HTTPS session with and its various streaming servers, the design of HTTPS is supposed to guarantee that there's simply no way for an observer watching the data being exchanged over that session to see what's actually in it, or apply edits to it; it's all encrypted.

So if little a22lamia is watching a Mr Beast video instead of something linked by their teacher, there's no way to tell, just by watching the network traffic, that this is happening. All that's visible on the network are streams of encrypted gibberish. You can tell that YouTube is serving up something to the web browser, but that's all you can tell. There's no way to discern which pages or streams are being pulled from those servers, because all the request traffic heading toward the server is end-to-end encrypted as well.

The only way around this is to run what's called a man-in-the-middle (MITM) attack against HTTPS traffic. This requires that all of it gets forced to flow through some box that you control on its way between the web browser and the servers, and that your interception box runs software that lets it pretend to be YouTube while relaying only approved requests and the response pages and streams they call up.

So when the web browser tries to connect to YouTube, it gets fooled into connecting to your MITM box instead. The downstream side of your MITM box completes the process of setting up encrypted connections with the web browser by pretending to be YouTube's server(s), while on the upstream side it's pretending to be a web browser and setting up its own encrypted connections to the real YouTube servers. So now it gets to see exactly what's being requested, and is in a position to apply filtering rules to that.

But HTTPS is deliberately designed to make MITM attacks hard. You wouldn't want your local cafe to be able to install something on its free wifi that would let it skim your bank account details, for example. I'll spare you the technical details but the only way to mount a successful MITM attack against HTTPS involves installing a special certificate into the web browser that deliberately breaks the browser's security badly enough to let MITM succeed. And browsers don't let you do those installations over the network.

Given that this is a school-controlled Chromebook, there might or might not be a way for you to install such a certificate for a MITM facility that you're running inside your own local network. Chances are you can't; even if you can, you'd more than likely need the cooperation of your school's IT support folks.

But this is an issue on the school network, and on every other corporate network with some pseudo-legitimate need to filter employee HTTPS traffic, every bit as much as it is on yours. So there's some chance that the school already has some kind of commercial network-level HTTPS MITM filter in place to cover its fleet of school Chromebooks. And if you're lucky and the school IT crew has a clue, they will be doing that using a cloud-based security-as-a-service provider such as ZScaler that doesn't rely on any particular LAN being used to get the network the last hundred metres to the Chromebooks.

Alternatively, they might have some kind of filtering already in place that runs inside the web browsers on the Chromebooks themselves rather than trying to do it all at the network level.

Your best bet is to get in contact with the school's IT support people and find out what technical countermeasures they have in place against Mr Beast when the Chromebooks are on campus. If you're lucky, they'll be able to tell you how to turn the same stuff on at home as well.
posted by flabdablet at 3:45 AM on November 6, 2020 [8 favorites]

I think this is something that you are going to have to solve with 'parenting' and not with technology.

The problem seems to be that your child is not paying attention in school and is doing something else on their school computer during school time.

I don't have the answer for you, but I think you'll need to do whatever you normally do at home to get your child to comply with rules.

I don't know if rewards, or discussions or punishments or period checks or some combination of them will help, but I think you're going to have to try them.

Don't get me wrong - I think that parenting remote schooled kids while simultaneously working from home (and stressing about the election and corona) is one of the most difficult things in the world right now. It won't be easy.
posted by jazh at 3:54 AM on November 6, 2020 [14 favorites]

I agree with jazh that the kind of technical countermeasures you're asking about generally don't work in the medium to long term; kids are ingenious and will eventually find and share ways around all of them.

Personally I don't see that as a bad thing - the main purpose of education, it seems to me, is to promote creativity in problem solving - but having worked in this space, and as a parent myself, I can fully understand why school parents persist in pushing to prevent pictures of people's private parts showing on school-managed screens.
posted by flabdablet at 4:03 AM on November 6, 2020

On the one hand, if your kid is getting the work done, then personally I wouldn't mind them filling time with Youtube (assuming what they're watching is "appropriate").

On the other hand, if they are doing this instead of working, then technological solutions are going to be tricky. They've circumvented one block, they will figure out how to circumvent another (or their friends will). In this case, is there a place they can sit to do their work where you can see their screen while you're working? I'm guessing this may not be feasible or you'd be already doing it, but I'd set things up so you could see their screen at a glance from your desk. Even if this is annoying for them (less comfortable seat, or whatever) - remind them that as you can't trust them to behave, they're going to have to deal with the consequences. Kind of the equivalent of the teacher making them sit in the front row to keep an eye on them.
posted by EndsOfInvention at 4:10 AM on November 6, 2020 [1 favorite]

You're not the only person dealing with this. Parents in my cohort have contacted the teacher to request that the teacher run the video and share screen, rather than sending kids YT links directly. They can also try embedding the video itself in a presentation rather than the links out. YT is a Pandora's Box of real sh*t for kids, and teachers/schools need to be hyper-alert to access, especially given the assumption that parents are not watching alongside to have those "teachable moments" when kids' normal behavior leads them to Mr. Beast, and then another, and another, and then just one more.

YT makes about $15 billion/year. Age 15-25 is their key demographic. It is designed to be addictive. Kids cannot be expected to manage this on their own, nor should schools put them in a position to.
posted by cocoagirl at 4:12 AM on November 6, 2020 [14 favorites]

Response by poster: Thank you for your answers and I am looking forward to more.

I agree that in a normal situation parenting would be the solution but both parents have stretches where we can't be in the room with the kids (due to work) and some of those times overlap so there is no one to keep an eye on them. If they were getting their school work done it wouldn't be an issue but they aren't. They are also logging into their zoom class and then opening another tab for youtube and watching youtube instead of participating in class.
posted by a22lamia at 4:23 AM on November 6, 2020 [1 favorite]

I am not sure how to do this on a Chromebook, but one could edit the hosts file with something like: *

Which would simply make youtube fail to load.

Or you could be sneakier and funnier and point youtube to a domain you own with a page that says "Get back to your schoolwork, CHILD'S NAME HERE" and freak them out.
posted by terrapin at 5:17 AM on November 6, 2020 [3 favorites]

In that case the teacher needs to handle this by screensharing or some other method, as they would if the kids were in school using laptops.
Terrapin they can't block YouTube as the teachers send the kids YouTube videos to watch.
posted by EndsOfInvention at 5:23 AM on November 6, 2020

For most school-owned and -managed Chromebooks, you really can't do it without some truly nerd-heroic measures: what flabdablet describes takes pretty serious know-how.

The Chromebooks tunnel all their network traffic back to the school department systems, and the filtering happens -- or doesn't happen -- there.

It infuriates me because my kids can't access the music library and e-book library that I have at home, even though they are on my network and they are my kids. And I can't block access to rubbish (during school hours) that I would, using my PiHole.
posted by wenestvedt at 6:13 AM on November 6, 2020

FWIW I believe that the teachers can see when a kid is on a different tab and not watching the primary Zoom screen. My child's teachers have made this perfectly clear to the students (and to individual students who are egregious offenders) and the fear/negative impact of being "caught" doing this helped curb the behavior.

Didn't eliminate it, mind you, but curbed it.
posted by nkknkk at 6:29 AM on November 6, 2020

If they're in a Zoom class at the same time it won't work, because you can't have simultaneous Zooms on, but if you're monitoring at other times and aren't on Zoom yourself, one of my friends has her kids share their screens with her (she does it to be sure she selects the whole screen and not one window) and she checks in on them that way. I realize that's likely only a partial solution but maybe it will help.

These are trying times man.
posted by warriorqueen at 6:42 AM on November 6, 2020 [3 favorites]

I'm in a similar situation.

YouTube is tricky because it's talking to a myriad of Google servers do to it's thing. Blocking everything that is Google won't work because 1) the Chromebook needs to talk to Google, 2) If you're on Chromebooks then your district is almost surely using Google Classroom, and 3) some of the actual course material might be YouTube videos that the teacher has assembled for multiple reasons (some good, some lazy).

I've been experimenting with a Pi-Hole, which will intercept DNS requests. It's normally used to block advertising on your network but you can also blacklist any other domains you want. It's possible to sink * and see what happens.

Getting one up and running takes a bit of knowledge, though. And you need a PC or small embedded computer like a Raspberry Pi that sits on your LAN 24/7 and runs the DNS server for your network.

Back in the early COVID spring I tried using Disney Circle to block YouTube during class time, but that showed me that the Google tendrils are many and complex and Circle's method of blocking YouTube interfered with Classroom.

I'll save my rant for how shitty Classroom is as a remote-learning platform for another place and time.
posted by JoeZydeco at 7:18 AM on November 6, 2020 [1 favorite]

For most school-owned and -managed Chromebooks, you really can't do it without some truly nerd-heroic measures: what flabdablet describes takes pretty serious know-how.

My slightly less nerd-heroic approach would be to cut off Youtube completely (or cut the internet off completely, if kiddo really just needs these particular videos) and use the I usually have 15 minutes that I could give permission to linked videos to download the specific Youtube videos needed. I figure the most complicated part is setting up a way for you to share those videos with the school Chromebook after they're downloaded?

If you don't already have a way of doing it, here are my instructions for downloading a video using the (free, multi-platform) VLC Media Player:
Once it's installed you can pick Media → Convert / Save... from the menu; in the dialog pick the "Network" tab and paste in the URL of a Youtube video and press the "Convert / Save" button.

The next dialog is complicated: you have to pick the video output format under the "Profile" dropdown, and you may have to try several times while choosing different options. Probably start with one of the "MP4" ones. Unfortunately the result can be that you're actually able to watch the video but the saved file doesn't work, or you can get a file that will open in VLC but not another media player (sometimes VLC itself or another tool can be used to convert to a playable format in this case.)

Next you pick a file name and press the "Start" button, and if nothing else after a few moments you should see the time in the progress bar start ticking along. If everything's still frozen after a minute or two somethings gone wrong and you can close everything and try again with different settings.
I can envision a few different possible problems, but if this sounds like a viable option we can provide more details.
posted by XMLicious at 7:22 AM on November 6, 2020 [5 favorites]

I was also going to suggest just downloading the required videos and then blocking YT altogether. Another great tool for downloading is youtube-dl.
posted by trig at 7:38 AM on November 6, 2020 [1 favorite]

Our solution to this was the circle device/app by disney.

On the app you create a profile (we have separate ones for each kid), put the kids devices in it and block everything you can/need to. When they need to watch a youtube video you can unblock youtube for X min and then block it again (circle doesn't let you set the time, but I religiously rely on timers during DL). It also shows you all the traffic for the device. This is of limited use, you can def see when it's a youtube vid but there's so much ad shit/3rd party stuff on many sites that a lot of times it's impossible to say if it was the child or the site doing something.

it's not perfect but overall it's helped quite a bit. I have heard rumors that it doesn't always play nice with VPNs but the only problem we've had is that sometimes we have to make the profile more permissible for some of the school resource sites, but even then we can make it an 'adult' profile but still block youtube and games, etc.
posted by snowymorninblues at 7:47 AM on November 6, 2020 [2 favorites]

You should be able to find a tool for the main router that records every page visited, and the device that visited it. Then use Parenting to apply consequences. You are surely not the only parent experiencing this, maybe post on a facebook or nextdoor page affiliated with the school.
posted by theora55 at 7:48 AM on November 6, 2020

One other issue we've add with the circle app - occasionally they are able to play you tube vids even when you tube is blocked and I still haven't figure out how/why. Unfortunately Circle's support article about this suggests clearing your browser's cache, which seems easy/peasy except the district has locked it down. I ended up on the call with the head of IT for the district and he couldn't see a way around it for us but did say he thought he might be able to clear a single chromebooks cache remotely. So I also do sweeps where I check for extra open but minimized tabs, etc. I also turned off notifications w/my son's profile so they don't have that distraction.
posted by snowymorninblues at 8:01 AM on November 6, 2020

I wasn't able to discriminate between school and crap traffic from youtube, but I do set strict limits on the time these machines are able to connect to the internet.

When I walk by where they are working, I peek in to see they are still on track.

We have had clear talks about what is acceptable to be doing during school time.
posted by nickggully at 8:15 AM on November 6, 2020

Youtube-dl is a really good command-line tool for downloading YouTube videos for offline viewing.

The Video DownloadHelper browser extension also works well if you prefer to point and click. VDH requires (and helps) you to install an open-source companion app to let it actually save files from inside the browser; as far as I can tell this is harmless. There isn't a Chrome OS version of that companion app as far as I know, so you'd need to use a non-Chromebook to do the actual downloading.

If you do choose to go the route of downloading the teacher's linked videos and blocking YouTube altogether during school hours, you might well find that your router has some kind of parental controls facility that does an adequate job of that. Blocking whole sites by domain name and/or IP address is easily done by an internet gateway router and requires no HTTPS-defeating shenanigans. About the only way a kid is ever going to work around a block like that is by hotspotting or tethering a phone, thereby getting internet access that's independent of the house LAN.
posted by flabdablet at 8:28 AM on November 6, 2020

I don't know about technological solutions, but you suggest that it's harder than normal because it's a school-owned Chromebook.

Would a "throw-money-at-it" option be to buy your kid a new Chromebook that you own and control?
posted by MangoNews at 8:38 AM on November 6, 2020 [2 favorites]

I don't know where I came across this document (I think from Kottke) but it has a lot of very good information about how to add parental controls on a school owned Chromebook.

As most school districts are using Covid-19 as the catalyst to finally go one to one (a device for every child), what is happening in your house is going to become a more widespread issue.
posted by momochan at 9:14 AM on November 6, 2020

My town's schools route all IP traffic to their web filter, so a Pi-Hole is no good to me: all of the DNS queries get handled & filtered at the school department. I can't block malware or ads, nor can I (as parent) filter their web browsing: no MITM solution is even possible, and it makes me nutty.

(When the schools all suddenly had to ramp up to full-time DL last spring, performance really sucked some days; I am assuming that they beefed up their connectivity over the summer. I still wired up a second wifi access point in my house, and ran extra ethernet to a few devices, to minimize the effect of wifi at home.)

It's frustrating as a tech-savvy parent, but I do admire the simplicity.
posted by wenestvedt at 11:34 AM on November 6, 2020

Mango News: Would a "throw-money-at-it" option be to buy your kid a new Chromebook that you own and control?

This, yes -- and run a Pi-Hole on your home network to filter out ads, malware, pr0n, ad-tracking, and other junk that slows down your life.
posted by wenestvedt at 11:35 AM on November 6, 2020

Possible technical solution of having your child chromecast their screen (not tab) to a centrally located tv in the house that you can see and check in on. This might slow down their computer. You would need to have a chromecast attached to the tv. I think it would be easy to cast from the device without needing the school to allow other software.

Sigh, still dealing with this with my 18 year old who watches phone videos during class so learn from my mistakes of not dealing with this better.

I found the Circle too labor intensive and I'm technical enough. I now use our Internet provider's portal to block all Internet during sleeping time.
posted by RoadScholar at 2:19 PM on November 6, 2020

Would checking in on your kid's viewing history at the end of the day and applying Parenting as needed be a viable solution? If you can get their Google account enrolled in Family Link, as described in the doc momochan shared above, you can look at their activity and see if there are videos that aren't school related. If your child is tech-savvy, you would be wise to disable your kid's ability to clear viewing history.
posted by .holmes at 4:05 PM on November 6, 2020

I am a current K-12 district admin and the answer is not what you want to hear: You can’t fix a behavior problem with technology. You can use technology up to a certain point but as dr. Ian Malcolm said on Isla Nubar, “Life, um, finds a way.”

TL;DR VERSION is make rules with your kids and use your own device that you lock down if you have to, otherwise life becomes a frustrating game of Whack-a-mole trying to block all the things your kids want to get to.

Here is what I tell our families who struggle with this in their homes:

You absolutely do not have to let your child use the school issued device if you can provide one. Everything is done online so any device that can get to the resources works. Yes some are better than others but it’s your house and your kid so you set the rules.

About rules - depending on the age of the kid, it’s important to set boundaries WITH your kids so that they have some say in what is considered acceptable behavior and what are appropriate consequences for not adhering to said behavior. Allowing kids to help make the rules makes it a bit easier to enforce because they participated in the practice. Unfortunately, the conversation about what’s acceptable and what the consequences are is a conversation you have to have over and over because things will change as they get older. What is acceptable for a 14 year old isn’t always acceptable for a 10 year old. It’s also important for all the adults in the family to stick to consequences and provide a unified front cuz kids will pit you against each other. The goal is to teach kids how to make healthy choices with regards to technology. Talk with them about what’s appropriate and ask them what they think should qualify as appropriate and make an agreement to follow those rules. Let them know in order to check on them you’ll need to check their history so they should give you their username and password. There is no reason for you not to have it. Make consequences you’re willing to follow up with that you both think are fair and stick to them.

Last thing I’ll mention is that our district uses a specific tool called GoGuardian that allows teachers to see in real-time what kids are doing on their computers and let’s admins review a kid’s history and searches and videos. GoGuardian now has a parent app that gives some control to parents over the school device. Other districts use Securly which also gives parents some control of the school device. Ask your kid’s teacher or principal to get you in contact with the IT department to see if your district offers something similar.

Honestly it’s a little unfair to send these black boxes home and not work with parents to give them some tools to help keep kids focused on school work. See if the school will help you out and if not, get your kid a device you control and use some of the advice above to lock it down. And have the talk. Again and again, with each kid.
posted by inviolable at 6:49 PM on November 6, 2020 [6 favorites]

As an ex admin and current parent, I fully endorse every point that inviolable just made.
posted by flabdablet at 1:46 AM on November 7, 2020 [1 favorite]

Have you considered a productivity Chrome browser extension, such as StayFocsd?

With StayFocusd you can set daily time limits for specific sites. Once the user exceeds that daily time limit, the sites are inaccessible for the day. One option would be to set, say a ten-minute time limit for YouTube, during school hours. It's not a perfect solution, as you would need to grant enough of a time buffer so that school-related YouTube viewing wouldn't be blocked, but it would prevent the excess YouTube browsing that YouTube's algorithm excels at. I have used StayFocusd when I need to really get stuff done.

These MakeUseOf and FindFocus articles have good overviews of StayFocusd.
posted by cursed at 9:54 AM on November 7, 2020

« Older Songs for "just coasting"   |   Who can I donate to to specifically fight voter... Newer »
This thread is closed to new comments.