Pick the path that matches your bypass pattern.

Pick the recipe that matches your real bypass pattern

Do not start with the most complex setup. Start with the weakest setup that would actually stop you during a weak moment. If that fails, move up one recipe.

Recipe A: simple first setup

Use this if you need a maintainable first layer and are not ready for trusted-person lockout.

1. Pick the device you use most often when bypassing.
2. Finish the matching built-in setup in Guardrails.
3. Remove extra browsers and apps you do not need.
4. Turn on app-install approval or block new app installs.
5. Add family-safe DNS on the device or router from Friction.
6. Run Test your setup.
7. If you can undo it alone, move to the trusted-person steps.

Recipe B: iPhone or iPad only

1. Open Settings -> Screen Time and turn Screen Time on.
2. Turn on Content & Privacy Restrictions.
3. Set Web Content to Limit Adult Websites, or use Allowed Websites Only for whitelist mode.
4. Set Installing Apps to Don't Allow.
5. Set Deleting Apps to Don't Allow if deleting a blocker or browser is a bypass.
6. Set Account Changes, Passcode Changes, and Cellular Data Changes to Don't Allow where available.
7. Remove browsers, VPNs, proxy apps, and apps with unfiltered embedded browsers that you do not need.
8. Install a DNS profile only if you understand who can remove it. For stronger control, use supervision or MDM.
9. Have the trusted person set the Screen Time passcode and control the Apple Account recovery path.
10. Test on Wi-Fi, mobile data, Safari, every remaining browser, and in-app browsers.

Recipe C: Android phone or tablet

1. Set up Google Family Link with a parent or trusted-person account.
2. Use the managed Google Account on the device. Remove extra Google accounts that can install apps or change settings.
3. In Family Link, set Chrome and Web to Try to block explicit sites or Only allow approved sites.
4. Require approval for new Google Play installs and purchases.
5. Remove extra browsers, VPNs, proxy apps, Tor, alternate app stores, and remote desktop apps.
6. Set Android Private DNS to a family-safe hostname if that fits your setup.
7. Turn off developer options if enabled. If the phone is rooted, treat local controls as weak.
8. Have the trusted person control the parent Google Account, password recovery, and backup codes.
9. Test Chrome, any remaining browser, YouTube, Google Search, Wi-Fi, and mobile data.

Recipe D: Windows laptop or desktop

1. Use a standard account for daily use.
2. Create a separate administrator account for maintenance.
3. Have the trusted person hold the administrator password if you need lockout.
4. Use Microsoft Family Safety if Edge filtering is acceptable for your setup.
5. Remove extra browsers or lock them down with browser policy.
6. Block app installation from the daily account.
7. Set filtered DNS and flush DNS.
8. Use AppLocker or Windows Defender Application Control if your Windows edition and skill level support it.
9. Store BitLocker recovery keys away from the daily user if drive recovery is a bypass.
10. Run the browser, install, DNS, and recovery tests.

Recipe E: Mac laptop or desktop

1. Turn on Screen Time and Content & Privacy restrictions.
2. Create a standard daily account.
3. Keep a separate administrator account for maintenance.
4. Have the trusted person hold the admin password and Screen Time passcode.
5. Remove extra browsers, VPNs, proxy tools, package managers, and remote desktop tools you do not need.
6. Use a DNS profile or MDM profile only when the removal path is controlled by the trusted person.
7. Use browser policy for Chrome, Edge, or Firefox if those browsers remain installed.
8. Store FileVault recovery keys away from the daily user if disk recovery is a bypass.
9. Test installing apps, changing Screen Time, changing DNS, and recovering admin access.

Recipe F: technical user who keeps undoing filters

This recipe assumes you know enough to defeat ordinary blocks. The target is not more reminders. The target is removing unilateral control.

1. Stop using an admin/root/sudo-capable account for daily browsing.
2. Move administrator, root, owner, parent, router, DNS-dashboard, and MDM credentials to the trusted person.
3. Remove saved passwords, recovery codes, screenshots, notes, exported vaults, and emergency kits from your own access.
4. Disable or control browser DoH/DoT with policy.
5. Use allowlists where blocklists fail.
6. Enforce filtered DNS at the router and on mobile devices.
7. Block or require approval for VPNs, proxies, Tor, alternate browsers, developer tools, package managers, and remote desktop tools.
8. Handle factory reset and external boot paths with device management, disk encryption, recovery-key handoff, or physical controls.
9. Use Recovery audit and Trusted person handoff worksheet.
10. Run Test your setup and give the failed items to the trusted person to review.

Recipe G: whole-home router and DNS setup

1. Choose one filtering provider or local resolver: OpenDNS FamilyShield, CleanBrowsing, Cloudflare Families, NextDNS, AdGuard Home, or Pi-hole with appropriate blocklists.
2. Set router DHCP DNS to the chosen resolver.
3. Set IPv6 DNS too, or disable IPv6 if you cannot secure it and you understand the tradeoff.
4. Block or redirect outbound TCP/UDP port 53 from client networks.
5. Block outbound port 853 if you do not want clients using DNS-over-TLS.
6. Disable browser DoH with browser policy where possible.
7. Apply the same rules to guest Wi-Fi, IoT VLANs, and extra SSIDs.
8. Have the trusted person own the router admin password, DNS dashboard, ISP account recovery, and Wi-Fi mesh app.
9. Run DNS and network tests from every device type.

Next pages to use