BlockMyself
Lockout

Make it hard to reverse alone.

This is the serious level. You are not just adding a filter. You are moving the keys, passcodes, recovery paths, and admin accounts away from the person who is trying not to bypass them.

  • Trusted-person control
  • Recovery off-device
  • Admin separation

Before you start

  1. Finish Guardrails on the device.
  2. Add the relevant DNS, router, browser, and account steps in Friction.
  3. Pick one trusted person who is willing to say no.
  4. Make an inventory of every password, passcode, recovery key, parent account, router login, and admin account that can undo the setup.
  5. Move those recovery paths to the trusted person.

Lockout is not about complexity. It is about control. If you still hold the reset path, the setup is not a lockout.

The lockout checklist

Control: Device passcode or Screen Time code
  Weak version: You set it and remember it.
  Strong version: Trusted person sets it and stores it outside your devices.

Control: Administrator/root account
  Weak version: Your daily account is admin.
  Strong version: Daily account is standard. Trusted person holds admin password.

Control: DNS/router account
  Weak version: You can log in and change DNS.
  Strong version: Trusted person owns router login or DNS dashboard.

Control: Recovery email/phone
  Weak version: You can reset any password alone.
  Strong version: Recovery goes to the trusted person or requires them to participate.

Control: Factory reset or external boot
  Weak version: You can reset the device and start over.
  Strong version: Disk encryption keys, firmware passwords, MDM, and account recovery are not under your sole control.

iPhone / iPad lockout

Use Screen Time plus trusted-person recovery

  1. Complete iPhone / iPad Guardrails.
  2. Have the trusted person set the Screen Time passcode.
  3. Set Web Content to Limit Adult Websites or Only Approved Websites.
  4. Set installing apps, deleting apps, account changes, passcode changes, and cellular-data changes to Don't Allow where available.
  5. Remove unneeded browsers, VPN apps, proxy apps, and alternate app stores.
  6. Do not store the Apple Account password in iCloud Keychain or Notes if you can use it to undo the setup.
  7. Have the trusted person control the Apple Account recovery route if the Screen Time passcode can be reset through that account.
  8. Add router or DNS filtering so Safari is not the only layer.

Use supervised device management when normal Screen Time is too weak

  1. Use this only if you are comfortable with Apple Configurator, MDM, or a managed-device workflow.
  2. Understand that manual supervision can require erasing the device.
  3. Use a DNS settings payload, web content filter payload, app restrictions, and profile restrictions through MDM where appropriate.
  4. Have the trusted person own the MDM admin account.
  5. Test whether the user can remove the profile, install a browser, add a VPN, change DNS, or reset the device.

Do not supervise or enroll a device you do not own or administer.

Android lockout

Move Family Link and recovery away from the phone

  1. Complete Android Guardrails.
  2. Have the trusted person own the parent side of Family Link.
  3. Keep the parent Google password off the managed phone.
  4. Require approval for app installs and purchases.
  5. Remove extra browsers, VPNs, proxy apps, private browsers, and alternate app stores.
  6. Set Private DNS to the family-safe hostname from Android Friction.
  7. Test on Wi-Fi and mobile data.
  8. Move Google Account recovery email and phone away from the managed device if those can reset the setup.

Rooted or highly technical Android devices

  1. If the phone is rooted, assume local filters and hosts files are reversible.
  2. Remove root if possible before relying on Family Link or Private DNS.
  3. Disable OEM unlocking and developer options if they are not needed.
  4. Use a router or DNS account controlled by the trusted person.
  5. Use a carrier or account-level solution if mobile data is the bypass.

Chromebook / ChromeOS lockout

Owner-account lockout

  1. Complete Chromebook Guardrails.
  2. Use the trusted person's account as the owner account when practical.
  3. Turn off guest browsing.
  4. Restrict sign-in to approved accounts only.
  5. Use Family Link on the daily account.
  6. Remove or block proxy, VPN, remote desktop, and alternate-browser extensions.
  7. Do not leave the owner password available to the daily user.

Managed ChromeOS path

  1. Use Chrome Enterprise, school management, or another legitimate managed-device setup when personal settings are not enough.
  2. Restrict guest mode, unmanaged sign-in, extensions, developer mode, and URL access.
  3. Use URL allowlists for the hardest setup.
  4. Have the trusted person or organization own the admin console.
  5. Test after powerwash or account removal attempts if your policy model permits those tests.

Windows lockout

Use standard daily account and separate admin

  1. Complete Windows Guardrails.
  2. Create or keep one administrator account for maintenance.
  3. Create a separate standard account for daily use.
  4. Move all daily browsing, work, and entertainment into the standard account.
  5. Have the trusted person change and keep the administrator password.
  6. Remove admin rights from the daily account.
  7. Keep Microsoft Family Safety active if you use a managed Microsoft account.
  8. Use Edge if you rely on Microsoft Family Safety web filtering.

Block app and browser bypasses

  1. Use browser policy from Windows Friction to disable browser DNS-over-HTTPS.
  2. Use AppLocker or Windows Defender Application Control where supported.
  3. Start application-control rules in audit mode.
  4. Block portable browsers, VPN clients, proxy tools, unapproved installers, and user-writable executable paths.
  5. Keep the rule-changing administrator account with the trusted person.
  6. Test from the standard account after every rule change.

Reduce offline reset and external-boot bypasses

  1. Turn on BitLocker on supported editions and hardware.
  2. Store the BitLocker recovery key with the trusted person, not in a place the daily user controls.
  3. Use Secure Boot where supported.
  4. Use a UEFI or firmware administrator password only if you understand how to recover it for your device model.
  5. Prevent booting from USB or external drives if your firmware supports that policy.
  6. Keep purchase receipts and OEM recovery information with the trusted person.

Firmware passwords and encryption recovery keys can create real lockouts. Store them carefully with someone reliable.

Mac lockout

Use standard daily account and separate admin

  1. Complete Mac Guardrails.
  2. Create a standard account for daily use.
  3. Keep one separate administrator account for maintenance.
  4. Have the trusted person change and hold the administrator password.
  5. Use Screen Time with the trusted person holding the Screen Time passcode.
  6. Remove extra browsers, VPN apps, proxy tools, and unneeded installers.
  7. Use DNS or browser policy from Mac Friction.

Use FileVault and startup security carefully

  1. Turn on FileVault if appropriate for your Mac.
  2. Store the FileVault recovery key outside the Mac and away from the daily user.
  3. Use startup security settings on supported Macs to reduce external-boot tampering.
  4. On managed Macs, use MDM to enforce profiles, content filtering, app restrictions, and browser policy.
  5. Keep MDM, local admin, and recovery-key control with the trusted person or organization.

Do not lose FileVault recovery. A strong lockout can also lock out legitimate recovery.

Linux lockout

Remove daily sudo access

  1. Create a non-sudo daily account.
  2. Have the trusted person hold root, sudo, or admin credentials.
  3. Apply the DNS, hosts, firewall, and browser policy steps from Linux Friction using an admin account.
  4. Use the daily account only for normal work.
  5. Check that the daily account cannot edit /etc/hosts, change DNS, install browsers, start VPNs, or change firewall rules.

Protect against live-USB and offline edits

  1. Use full-disk encryption if appropriate.
  2. Store the encryption recovery passphrase with the trusted person.
  3. Use firmware boot restrictions where supported and recoverable.
  4. Block DNS at the router so the Linux machine is not the only layer.
  5. Do not keep unencrypted backups of the admin credentials on the same device.
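
A read-only audit for step 5 of "Remove daily sudo access" above, added here as an example; it is not part of the BlockMyself page. Run it as the daily account after the lockout is in place. It assumes GNU coreutils stat, the admin group names sudo, wheel, admin and adm, and NetworkManager when nmcli is present; adjust those for your distribution.

```shell
#!/bin/sh
# Added example (not from the BlockMyself page): read-only lockout audit for a
# Linux machine. Run it as the daily account; every WEAK line is a reset path
# that account still controls. Assumes GNU stat, the admin group names below,
# and NetworkManager when nmcli exists; adjust these for your distribution.

ADMIN_GROUPS="sudo wheel admin adm"   # assumed names

# Returns 0 if a space-separated group list (e.g. `id -nG` output) names an admin group.
has_admin_group() {
  for g in $1; do
    for a in $ADMIN_GROUPS; do [ "$g" = "$a" ] && return 0; done
  done
  return 1
}

# Returns 0 if the mode lets group or others write the file. Follows symlinks
# (/etc/resolv.conf usually is one); a missing file counts as not writable.
group_or_other_writable() {
  sym=$(stat -L -c '%A' "$1" 2>/dev/null) || return 1
  case "$sym" in ?????w*|????????w*) return 0 ;; esac
  return 1
}

# Prints one line per finding and returns the number of weak points.
lockout_audit() {
  weak=0
  if has_admin_group "$(id -nG)"; then
    echo "WEAK: $(id -un) is in an admin group: $(id -nG)"; weak=$((weak + 1))
  fi
  if sudo -n true 2>/dev/null; then
    echo "WEAK: sudo works without a password (NOPASSWD or cached ticket)"; weak=$((weak + 1))
  fi
  # Files that undo hosts blocking, DNS settings and firewall policy.
  for f in /etc/hosts /etc/resolv.conf /etc/systemd/resolved.conf /etc/nftables.conf; do
    if [ -w "$f" ] || group_or_other_writable "$f"; then
      echo "WEAK: $f is writable from this account"; weak=$((weak + 1))
    fi
  done
  # NetworkManager lets polkit-authorised users change connection DNS without sudo.
  if command -v nmcli >/dev/null 2>&1 &&
     nmcli -t general permissions 2>/dev/null | grep -q 'settings.modify.system:yes'; then
    echo "WEAK: this account can edit system network connections (DNS) via nmcli"; weak=$((weak + 1))
  fi
  [ "$weak" -eq 0 ] && echo "OK: no weak points found"
  return "$weak"
}

case "${1:-}" in --run) lockout_audit ;; esac
```

Run it with `sh lockout-audit.sh --run` from the daily account; the exit status is the number of weak points, so a clean setup exits 0.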

Router and network lockout

Make the home network enforce the same rule

  1. Set family-safe DNS on the router.
  2. Block or redirect outbound DNS to other resolvers.
  3. Block DNS-over-TLS unless it goes to your chosen resolver.
  4. Apply the same DNS rules to IPv6 traffic, not only IPv4.
  5. Disable or filter guest networks.
  6. Have the trusted person hold the router admin password.
  7. Have the trusted person hold the admin password for the DNS provider (NextDNS, CleanBrowsing, AdGuard), Pi-hole, or firewall.
  8. Store router recovery instructions with the trusted person.

Remember what the router cannot control

  • Mobile data.
  • A neighbor's Wi-Fi or public Wi-Fi.
  • A separate hotspot.
  • A device using a VPN or browser DoH profile unless you also manage that device.
  • A person with physical access who can reset the router and knows how to reconfigure it.
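
One way to enforce steps 2 to 4 of "Make the home network enforce the same rule" on a Linux-based home router such as OpenWrt, added here as an example; it is not part of the BlockMyself page or of any product it names. It assumes nftables, a LAN interface named br-lan, and a filtered resolver at 192.0.2.53 / 2001:db8::53 (documentation addresses; substitute the address your LAN devices should use, which is the router itself if it runs the filtering resolver). DNS-over-HTTPS rides on port 443 and is not handled here; that is the browser policy step in Friction.

```shell
#!/bin/sh
# Added example (not from the BlockMyself page or any product it names): an
# nftables ruleset for a Linux-based home router that enforces steps 2 to 4 of
# the router list above. Assumed values: LAN interface br-lan and a filtered
# resolver at 192.0.2.53 / 2001:db8::53 (documentation addresses; use your own).
# DNS-over-HTTPS rides on 443 and is not handled here; use the browser policy
# from Friction for that.

LAN_IF="${LAN_IF:-br-lan}"
RESOLVER4="${RESOLVER4:-192.0.2.53}"
RESOLVER6="${RESOLVER6:-2001:db8::53}"

# Prints the ruleset. Plain DNS (53/tcp+udp) sent anywhere else is rewritten to
# the chosen resolver, so a device that hard-codes another resolver still gets
# filtered answers. DNS-over-TLS (853) is refused unless it goes to that
# resolver. Each rule is repeated for IPv6 so v6 is not an open side door.
# The empty-table + flush prefix makes reloading idempotent.
dns_lockout_rules() {
  cat <<EOF
table inet dns_lockout {}
flush table inet dns_lockout
table inet dns_lockout {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    iifname "$LAN_IF" meta l4proto { tcp, udp } th dport 53 ip daddr != $RESOLVER4 dnat ip to $RESOLVER4
    iifname "$LAN_IF" meta l4proto { tcp, udp } th dport 53 ip6 daddr != $RESOLVER6 dnat ip6 to $RESOLVER6
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$LAN_IF" tcp dport 853 ip daddr != $RESOLVER4 reject with tcp reset
    iifname "$LAN_IF" tcp dport 853 ip6 daddr != $RESOLVER6 reject with tcp reset
  }
}
EOF
}

# Loads the ruleset; run as root on the router.
apply_dns_lockout() {
  dns_lockout_rules | nft -f -
}

case "${1:-}" in
  --apply) apply_dns_lockout ;;
  *) dns_lockout_rules ;;
esac
```

Run `sh dns-lockout.sh` to review the rules and `sh dns-lockout.sh --apply` as root to load them; they only touch traffic arriving from the LAN, so the router's own upstream DNS must still point at the chosen resolver.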

Third-party tools to consider

These are examples of categories to evaluate. They are not replacements for account separation and trusted-person control.

Hard blockers

Cold Turkey, Freedom, Focus, or similar tools can add scheduled app and site blocking. Use a trusted person for override credentials.

Accountability tools

Covenant Eyes, Accountable2You, Qustodio, or similar products can add reporting or device visibility. Check platform support before relying on them.

DNS and network tools

NextDNS, CleanBrowsing, AdGuard DNS, Pi-hole, and AdGuard Home can add category filtering, allowlists, logs, and router-level controls.

Managed-device tools

Apple MDM, Chrome Enterprise, Microsoft Intune, and similar platforms are appropriate when you need enforceable policy and can administer it correctly.

Reality check

A determined technical person with sole ownership of every account, recovery path, router, and device can eventually remove most blocks. Lockout works by removing sole ownership from the moment of temptation: the trusted person holds the reset path, the daily account lacks admin rights, and the network enforces the same rules.

After setup, ask: Can I install a new browser? Can I change DNS? Can I reset the account? Can I factory reset and regain control? Can I log into the router? Every yes answer is a remaining weak point.
