These guides are for your own devices and accounts, or for devices you are legally allowed to administer, such as a child’s device, a managed family device, or your own home network. Do not use these steps to control another adult’s device, accounts, passwords, or communications without consent. Keep a documented emergency path for medical, work, banking, travel, and safety needs.
Pick the right person
- Pick one person who is reliable, calm, and not easily pressured.
- Explain that their job is not to monitor everything. Their job is to hold recovery.
- Do not pick someone who will give the password back immediately when you ask impulsively.
- Agree on normal maintenance windows, emergency exceptions, and what counts as an emergency.
- Use a second backup person only for disaster recovery, not casual overrides.
Inventory what they should hold
Use this table as the handoff list. Anything that can undo the block belongs here.
| Item | Why it matters | Who should hold it |
|---|---|---|
| Screen Time passcode | Can change iPhone, iPad, or Mac web and app restrictions. | Trusted person. |
| Apple Account recovery | Can reset Screen Time or device controls in some setups. | Trusted person or shared recovery process. |
| Google Family Link parent account | Can approve apps, change Chrome filters, and alter Android or Chromebook settings. | Trusted person. |
| Microsoft family organizer account | Can change Family Safety, web filters, and app limits. | Trusted person. |
| Windows administrator password | Can install browsers, change DNS, edit hosts, and remove policies. | Trusted person. |
| Mac administrator password | Can install apps, remove profiles, change Screen Time, and edit hosts. | Trusted person. |
| Linux root or sudo credentials | Can undo DNS, hosts, firewall, and browser policy. | Trusted person. |
| Router admin login | Can change DNS, firewall, guest network, and Wi-Fi settings. | Trusted person. |
| DNS provider dashboard | Can disable filtering, change blocklists, or remove devices. | Trusted person. |
| BitLocker or FileVault recovery key | Can recover encrypted devices after hardware or account problems. | Trusted person, with careful backup. |
| MDM, Intune, Chrome Enterprise, or Apple Business/School admin | Can remove or change enforceable device policy. | Trusted person or organization admin. |
| Third-party blocker password | Can pause, uninstall, or weaken blocker apps. | Trusted person. |
Handoff steps
- Make a list of every device, account, router, DNS service, and blocker involved.
- Change each passcode or password while the trusted person is present.
- Have the trusted person enter the final password or passcode when possible.
- Store passwords in the trusted person's password manager, not yours.
- For recovery keys, use the trusted person's password manager, a sealed paper copy, or another storage method they control.
- Remove your copies from Notes, screenshots, iCloud Drive, Google Drive, email, browser password managers, and password-manager shared vaults you can still access.
- Move recovery email and recovery phone numbers away from your daily device when those routes can reset the setup.
- Test one harmless change that requires their approval so both of you understand the process.
- Document how to reverse the setup in a real emergency without giving you routine access.
Device-specific handoff map
iPhone / iPad
Trusted person holds Screen Time passcode, Apple Account recovery route if relevant, DNS profile account, and any MDM credentials.
Android
Trusted person holds Family Link parent account, Google recovery route, Play approval, Private DNS account, and any app-blocker password.
Chromebook
Trusted person holds owner account, Family Link parent account, managed ChromeOS admin account if used, and recovery options.
Windows
Trusted person holds administrator password, Microsoft family organizer account, BitLocker recovery key, router login, and policy-changing credentials.
Mac
Trusted person holds administrator password, Screen Time passcode, FileVault recovery key, profile/MDM credentials, and DNS provider account.
Linux
Trusted person holds root or sudo credentials, disk encryption recovery, firewall/router access, and DNS dashboard access.
Router / network
Trusted person holds router admin login, Wi-Fi admin app, ISP account if it can reset router settings, and DNS or filtering dashboard credentials.
Third-party blockers
Trusted person holds uninstall password, override password, account recovery email, and any billing or admin account that can cancel filtering.
Rules for maintenance
- Use scheduled maintenance windows instead of instant overrides.
- Make changes together on a call or in person so the trusted person can keep the password private.
- Do not let the trusted person type passwords while screen recording, remote control, or password reveal is active.
- After maintenance, sign out of admin accounts and clear any temporary passwords.
- Review the setup after major OS updates, new devices, new browsers, router changes, or phone upgrades.
- If the trusted person can no longer help, transfer the recovery path before removing them.
Privacy and logging
Filtering tools can create sensitive logs. DNS dashboards, router logs, accountability apps, parental-control reports, and browser-management tools may reveal searches, domains, app usage, or attempted bypasses.
- Use the least invasive tool that still works.
- Prefer trusted-person control of recovery over constant monitoring when that is enough.
- Decide in advance what the trusted person can see, what they should ignore, and what should trigger a conversation.
- Protect the trusted person’s dashboard with strong authentication.
- Review logging after major setup changes, new DNS providers, new routers, or new accountability tools.
Message template
Use or adapt this when asking someone to help.
I am setting up device guardrails because I do not want to be able to undo them impulsively.
I am asking you to hold the recovery path, not to monitor everything I do.
You would hold: [Screen Time passcode / admin password / router login / DNS account / recovery key].
Please do not give it back just because I ask quickly. I want changes to happen only during a planned maintenance window or a real emergency.Common failure modes
| Failure | Fix |
|---|---|
| You keep a screenshot or note with the passcode. | Delete it from every device and cloud location. Have the trusted person rotate the passcode. |
| You can reset the account through your own email or phone. | Move recovery to the trusted person or require their participation. |
| The trusted person gives the password back too easily. | Set clearer rules or choose someone else. |
| You can install another browser or VPN. | Remove admin rights and add app-install restrictions or application control. |
| The router filter works, but mobile data bypasses it. | Add device-level controls, carrier controls, Private DNS, or app restrictions. |
| The setup breaks legitimate work. | Use a planned maintenance window and add a narrow allowlist entry instead of disabling everything. |
What not to do
- Do not leave passwords in your own password manager if you are the person being blocked.
- Do not keep recovery keys only on the blocked device.
- Do not share a single admin account for daily browsing.
- Do not rely on one browser extension as the only layer.
- Do not lock yourself out of essential medical, work, banking, or safety access without a documented emergency process.
Trusted-person tools
More guides
Use these when you need a checklist, a specific bypass closed, or a clearer handoff plan.
Test your setup
Browser, DNS, mobile data, recovery, and reset-path tests.
Setup recipes
Direct paths for phones, laptops, technical users, and whole-home setups.
Recovery audit
Find passwords, backup codes, router logins, and reset paths.
Browser policy
Chrome, Edge, and Firefox policy examples.
Mobile data
Close cellular, Private DNS, VPN, and hotspot gaps.
Apps and platforms
Search, YouTube, social apps, app stores, TVs, and in-app browsers.
Router recipes
DNS enforcement, guest networks, IPv6, Pi-hole, and AdGuard Home.
Urge plan
What to do before trying to bypass.
Trusted handoff worksheet
Printable inventory for passcodes, recovery paths, and refusal rules.
Glossary
Plain-language definitions for DNS, DoH, VPNs, MDM, recovery keys, and more.