Choose a level
Start with the lowest level that could work. Add stronger layers only where the weaker setup fails.
Guardrails
Built-in controls first: Screen Time, Family Link, Microsoft Family Safety, Chromebook sign-in limits, and basic app install controls.
Open Guardrails Level 2Friction
DNS filters, router settings, browser secure-DNS controls, hosts-file blocking, standard-user accounts, and policy tools.
Open Friction Level 3Lockout
Trusted-person handoff, separated admin accounts, recovery keys kept off-device, device management, and network enforcement.
Open LockoutPlatforms
Use the device page first. Then add the network and lockout layers that apply to your situation.
iPhone / iPad
Screen Time, web content restrictions, app install limits, account-change locks, and supervised-device options.
Android
Family Link, Chrome filters, SafeSearch, Play approval, Private DNS, and app-install control.
Chromebook / ChromeOS
Family Link, guest browsing off, sign-in restrictions, child-account web settings, and enterprise management options.
Windows
Microsoft Family Safety, standard-user daily accounts, Edge filtering, browser policy, AppLocker, and BitLocker notes.
Mac
Screen Time, content restrictions, standard daily account, separate admin, FileVault, and profile/MDM options.
Linux
DNS, hosts files, firewall rules, immutable files, browser policy, and sudo/root separation.
Router / gateway
Whole-home DNS filtering, DNS interception, DoT/DoH considerations, Pi-hole, AdGuard Home, NextDNS, and guest network cleanup.
Trusted person
Exactly what to hand off: passcodes, admin passwords, recovery emails, router logins, and recovery keys.
More step-by-step guides
Use these when the basic device pages are not enough, or when you want a concrete recipe instead of building your own setup from scratch.
Test your setup
Browser, app install, DNS, mobile data, account recovery, and reset-path tests.
Setup recipes
Direct paths for iPhone, Android, Windows, Mac, technical users, and whole-home setups.
Recovery audit
Find the passwords, recovery codes, router logins, and reset paths that can undo the block.
Browser policy
Chrome, Edge, and Firefox policy examples for DoH, URL blocks, extensions, and guest/private modes.
Mobile data and hotspots
Close cellular, Private DNS, VPN, hotspot, and carrier-account gaps.
Apps and platforms
Search, YouTube, social apps, chat apps, stores, TVs, consoles, and in-app browsers.
Router recipes
UniFi, OpenWrt, pfSense, OPNsense, consumer routers, Pi-hole, and AdGuard Home checklists.
Urge plan
A practical plan for the moment when you want to bypass your own setup.
Trusted handoff worksheet
A printable inventory for passcodes, admin passwords, recovery paths, and refusal rules.
Glossary
Plain-language definitions for DNS, DoH, VPNs, MDM, recovery keys, and other technical terms.
Bypass map
A strong setup covers the specific escape paths that match your device. Use this as the checklist before calling a setup finished.
| Bypass path | Why it works | Where to harden it |
|---|---|---|
| Installing another browser | Some filters only cover one browser or one account. | Block app installs, remove extra browsers, use browser policy, and use router or DNS filtering. |
| Changing DNS | DNS filters fail if the device can choose a different resolver. | Use standard-user accounts, router DNS enforcement, Private DNS profiles, and trusted-person admin control. |
| VPN, proxy, Tor, iCloud Private Relay, or mobile hotspot | Traffic can leave through a path that does not use your filter. | Block app installs, restrict VPN/profile changes, use network rules where possible, and disable unneeded cellular/hotspot access. |
| Admin, root, or owner access | The person with admin can uninstall, change policy, edit hosts files, or reset settings. | Use a standard daily account and let a trusted person hold the admin password. |
| Factory reset or external boot | A local reset can remove device-level restrictions. | Use account recovery controls, device management where practical, disk encryption recovery keys off-device, router-level blocking, and physical access controls. |
| Saved recovery codes and password managers | You can undo the setup by recovering the parent, admin, DNS, or router account. | Run the Recovery audit and move recovery paths to the trusted person. |
| Cellular data and hotspots | Home router rules do not apply when traffic leaves through another network. | Use Mobile data and hotspots plus device-level controls. |
| In-app browsers and platform settings | Content can appear inside apps that do not use the managed browser path. | Use Apps and platforms and test each app directly. |
| Portable browsers, developer tools, and package managers | Technical users may run tools from Downloads, USB drives, Homebrew, winget, WSL, Docker, or other user-writable paths. | Use standard daily accounts, app allowlisting, browser policy, and trusted-person admin control. |
| Remote desktop and cloud workstations | The blocked device can become only a viewer for another unrestricted computer. | Block or approve remote-desktop tools, SSH, RDP, VNC, cloud IDEs, and unmanaged virtual desktops. |
| AI, chat, image, or roleplay tools | Risky content may appear inside broad-purpose apps instead of a known adult-content domain. | Use Apps and platforms, app blocks, account controls, and trusted-person recovery. |
| Old or shared devices | A spare phone, smart TV, console, tablet, or family computer may still have an unrestricted browser. | Inventory every screen you can access and include it in Recovery audit. |
What to do first
- Pick the device you actually use when you bypass.
- Complete the built-in guide for that device in Guardrails.
- Test the block in every browser and account that still exists with Test your setup.
- Add the DNS, router, and policy steps in Friction.
- Move passcodes, admin credentials, recovery keys, and router logins to the trusted person when you need Lockout.
Official resources
Menus change. These are useful reference points when a step name has moved.
Apple Screen Time for iPhone / iPad
Apple's web content, content restriction, and purchase restriction controls.
Apple Screen Time for Mac
Mac content, web, app, store, and preference restrictions.
Google Family Link
Chrome filters, SafeSearch, supervised accounts, and approved or blocked websites.
Chromebook supervised use
Family Link on ChromeOS, guest browsing, and managed sign-in rules.
Microsoft Family Safety
Website and search filters for managed Microsoft family accounts.
OpenDNS FamilyShield
A quick adult-content DNS filter for routers and devices.
Control who can use a Chromebook
Google's guest browsing and sign-in restriction steps.
YouTube Restricted Mode
Platform-level video filtering guidance.