Chapter 10
IN THIS CHAPTER
Understanding access levels
Adding, editing, and deleting user accounts
Restricting access and limiting accounts
Logging in, sharing, and encrypting
Everybody wants a piece. (Of your iMac, that is.)
Perhaps you live in a busy household with kids, significant others, grandparents, and a wide selection of friends, all of them clamoring for a chance to spend time on the Internet, take care of homework, or enjoy a good game.
On the other hand, your iMac might occupy a classroom or a break room at your office — someplace public, yet everyone wants their own Private Idaho on the iMac, complete with a reserved spot on the internal drive and their own hand-picked attractive Desktop background.
Before you throw your hands up in the air in defeat, read this chapter and take heart! Here, you find all the step-by-step procedures, explanations, and tips to help you build a safe multiuser iMac that’s accessible to all.
(Oh, and you still get to use it, too. That’s not being selfish.)
Okay, so you don’t have Cinderella, Snow White, or that porridge-loving kid with the trespassing problem. Instead, you have your brother Bob.
Every time Bob — you know, the only guy on the planet still using an ancient flip phone — visits your place, it seems he needs to do “something” on the Internet, or he needs a moment with your iMac to bang out a quick message with his web-based email application. Unfortunately, Bob’s forays onto your Mac always end up changing stuff, such as your Desktop settings, Contacts database, and Safari bookmarks.
What you need, good reader, is a visit from the Account Fairy. Your problem is that you have but a single user account on your system, and macOS Monterey thinks that Bob is you. By turning your aluminum supercomputer into a multiuser system and giving Bob his own account, Monterey can tell the difference between the two of you, keeping your druthers separate!
With a unique user account, Monterey can track all sorts of things for Bob, leaving your computing environment blissfully pristine. A user account keeps track of stuff such as
Also, Bob gets his own reserved Home folder on your iMac’s internal drive, so he’ll quit complaining about how he can’t find his files. Oh, and did I mention how user accounts keep others from accessing your stuff? And how you can lock Bob out of where-he-should-not-be, such as certain applications (including Messages and Mail)? Heck, you can even lock Bob out of specific websites (including that offshore Internet casino site he’s hooked on)!
User accounts affect just about everything you can do in macOS and on your iMac. The moral of my little tale? A Mark’s Maxim to the rescue:
Get one thing straight right off the bat: You are the administrator of your iMac. In networkspeak, an administrator (admin, for short) is the one who has the power to Do Unto Others, creating new accounts, deciding who gets access to what, and generally running the multiuser show. In other words, think of yourself as the monarch of macOS (the king or queen, not the butterfly).
In the following sections, I explain the typical duties of a first-class iMac administrator.
The two most common user account levels are
Another Mark’s Maxim is in order:
Standard accounts are quick and easy to set up, and I think they provide the perfect compromise between access and security. You’ll find that standard access allows your users to do just about anything they need to do with minimum hassle.
Accounts are highly configurable, so you can make sure that your kids don’t end up trashing the internal drive, sending junk mail, or engaging in unmonitored chatting. (Note: Attention, all parents, teachers, and anyone who designs a single public-access account for a library or organization: This means you.)
All right, Mark. Enough pregame jabbering. Show this good reader how to set up new accounts! Your iMac already has one admin-level account for you (created during the initial Monterey setup process). You need to be logged in to that account to add a user. To add a new account, follow these steps:
In the Users & Groups pane of System Preferences, click the New User button (plus sign) at the bottom of the accounts list.
The empty user record sheet shown in Figure 10-1 appears.
If the New User button is disabled and you can’t click it, click the padlock in the bottom-left corner of the System Preferences pane and enter your password to unlock the Users & Groups pane.
Choose the access level for this user from the New Account pop-up menu.
By default, the user receives a standard-level account. You can also choose an administrator account or a sharing-only account.
The sharing-only account allows the user to copy or open shared files from your iMac remotely (from another computer), but that user can’t directly log in to your Mac.
In the Full Name text box, type the name you want to display for this account (both in the Current User list and on the Login screen); then press Tab to move to the next field.
macOS automatically generates an account name in the Account Name field for use as your screen and buddy name in Messages and various network applications. The account name is also the name of the folder that macOS creates on the computer’s internal drive for this user. You can keep the default account name or type a new one, but this name can’t contain any spaces.
Type the password for the new account; then press Tab.
Click the button with the key icon next to the Password field, and Monterey is happy to display Password Assistant, complete with a suggestion. Open the Suggestion pop-up menu to see additional suggestions. You can choose the password’s length and choose among several types: letters and numbers; numbers only; completely random; or even FIPS-181–compatible (government-quality). Password Assistant automatically copies the password you’re considering into the Password and Verify text boxes.
As always, when you enter or verify a password, macOS displays bullet characters for security.
(Optional) If you decide to use the password-hint feature, you can enter a short sentence or question in the Hint text box.
The hint is displayed after three unsuccessful attempts to enter the account’s password.
From a security standpoint, password hints are taboo. (I never use ’em. If someone is having a problem logging in to a computer I administer, you’d better believe I want to know why.) Therefore, despite the recommendation that Monterey shows here, I strongly recommend that you skip this field. If you decide to offer a hint, keep it vague! Avoid hints like “Your password is the name of the Wookiee in Star Wars.” And don’t embed the password in the hint!
Click the Create User button to finish and create the account.
The new account shows up in the Current User list and the Login screen.
Each user’s Home folder has the same default subfolders, including Movies, Music, Pictures, Public, and Downloads. A user can create new subfolders within their Home folder at any time.
Here’s one more neat fact about a user’s Home folder: No matter what the account level, most of the contents of a Home folder can’t be viewed by other users. (Yes, that includes admin-level users. This way, everyone who uses your iMac gets their own little area of privacy.) In the Home folder, only the Public folder can be accessed by other users — and only in a limited fashion. (Read all about Home folders in Chapter 3.)
Next, consider the basic modifications you can make to a user account, such as changing existing information or selecting a new picture to represent that user’s unique personality.
To edit an existing account, log in with your admin account, display the System Preferences window, and click Users & Groups to display the account list. Then follow these steps:
In the list on the left side of the window, click the account you want to change.
If the accounts in the list are disabled and you can’t select one, you must unlock the Users & Groups pane. Click the lock in the bottom-left corner of the System Preferences pane and type your password, if prompted.
Edit the settings you need to change.
Examples include temporarily enabling administrator rights for an account (by selecting the Allow User to Administer This Computer check box) and changing the account password (by clicking the Change Password/Reset Password button).
Click the round picture well (the circle that displays the image) to specify the thumbnail image that appears in the Login list next to the account name.
Apple provides several good images in the Suggestions collection. Just click a thumbnail to select it. You can also drag a new image from a Finder window or the Photos window and drop it into the picture well. Monterey adds emojis, memojis, and simple monograms as choices for your image.
Note that some of these choices are available only when you’re using an Admin-level account:
Alternatively, you can click the picture well and then click the Camera entry to grab a picture from your iMac’s built-in FaceTime HD camera. When you’re set to take the photo, click the camera icon and then click Done to accept it. Most cool. (You can also use Photo Booth to take an account image.)
Every account on your iMac can be customized. Understandably, some settings are accessible only to admin-level accounts, and others can be adjusted by standard-level accounts. In the following sections, I introduce you to the things that can be enabled (or disabled) in a user account.
Note, however, that users with limits set may not have access to Account Settings, so they can’t make changes. (Read about this topic in the upcoming section “Managing an account’s access settings.”)
Not all user accounts last forever. Students graduate, coworkers quit, kids move out of the house (at last!), and Bob might even find a significant other who has a faster broadband connection. (Or he might finally invest in an iPhone.) We can only hope.
Anyway, no matter what the reason, you can delete a user account at any time. Log in with your admin account, display the Users & Groups pane in System Preferences, and then follow these steps to eradicate an account:
Click the Delete User button (which bears the Minus Sign of Doom).
macOS displays the confirmation sheet shown in Figure 10-3.
Note that the contents of the user’s Home folder can be saved as a disk image in the Deleted Users folder (just in case you need to retrieve something). Alternatively, you can choose to leave the deleted user’s Home folder as is, without removing it, but naturally you won’t regain any space, even though the user account is deleted.
If you’re absolutely sure that you won’t be dating that person again, select the Delete the Home Folder radio button (which doesn’t save anything in the Deleted Users folder). You regain all the drive space that was being occupied by the contents of the deleted user’s Home folder.
Time once again for a Mark’s Maxim:
Login items are applications or documents that can be set to launch or load automatically as soon as a specific user logs in, such as Apple Mail or Contacts. In fact, a user must be logged in to add or remove login items. Even an admin-level account can’t change the login items for another user.
To set login items for your account, follow these steps:
Click the Login Items tab to display the settings shown in Figure 10-4.
It bears repeating: You can change the Login Items for only the account that’s currently logged in, so be sure that the desired account appears below the Current User heading in the list on the left side of the dialog.
Navigate to the application you want to launch each time you log in, click it to select it, and then click Add.
If you’re in the mood to drag and drop, just drag the applications you want to add from a Finder window and drop them directly into the list.
Login items are launched in the order in which they appear in the list, so feel free to drag the items into any order you like.
Any account on your iMac can be limited or restricted as necessary. You can restrict access to many places in Monterey and your iMac’s applications. Note that you can use Screen Time with your administrator account as well.
To display the access controls for a standard account, start here:
Open System Preferences and click the Screen Time icon.
The Screen Time pane appears.
Select Downtime on the left side of the pane to display the schedule settings shown in Figure 10-5.
To set a downtime schedule, click the Turn On button in the top-right section of the pane; then use the controls on the right side of the pane to specify whether the schedule applies every day or on a specified range of days. Monterey restricts the use of your Mac according to your settings.
Select App Limits on the left side of the pane to limit the time spent on specified applications.
When you click the Turn On button in the top-right section of the pane, you can limit the use of all applications to a certain amount of time or click the Add button (which bears a plus sign) to specify certain applications to add to the list. To change the amount of time allowed, click the application to select it and then click Edit Limit. To remove a limited application, click it to select it and then click the Delete button (which bears a minus sign).
Click Always Allowed on the left side of the pane to specify applications and Contact entries that can be used at any time.
The selected applications and Contacts entries will always be available, even during downtime (and after limits on application use have been reached).
Click the Stores tab of the Content & Privacy pane and make the desired changes.
Specify whether the user can use the iTunes Store and the iBook Store, and (if desired) restrict the user’s ability to install applications, delete applications, or authorize in-app purchases.
Click the Content tab of the Content & Privacy pane (shown in Figure 10-6) to choose ratings limits.
Ratings limits are available for applications, movies, TV shows, books, and music across all the content available in Monterey. (This feature is some powerful stuff, parents!) Monterey offers three levels of control for websites from this screen:
Click the Other tab to set restrictions on a range of Monterey features.
Take note: If you want to prevent the user from removing the restrictions you’ve set within Screen Time, don’t forget to disable the Account Changes check box on the Other tab! (Disabling this check box locks the settings throughout Screen Time, requiring the passcode you set up in Step 5 to unlock them.)
When you’re hip to user accounts and the ways you can change them, you can turn to topics that affect all users of your iMac. These topics include how users log in, how they can share information with everyone else on the computer, and how each user account can be protected from unscrupulous outsiders with state-of-the-art encryption. (Suddenly, you’re James Bond! I told you that Monterey would open new doors for you.)
Hey, how about the login screen itself? How do your users identify themselves? It’s time for another of my “shortest books in the For Dummies series” special editions. (The title is practically longer than the entire book.)
Monterey offers four methods of logging folks in to your multiuser iMac, all of which you can access by clicking the Login Options button in any admin account:
Name and Password login: This screen is the most secure type of login screen you’ll see in Monterey, requiring you to type your account username and password. (A typical hacker won’t know all the usernames on your iMac.) Press Return to complete the process.
When you enter your password, you see bullets rather than your password because Monterey displays bullet characters to ensure security. Otherwise, someone could look over your shoulder and see your password.
Keep your iMac secure: Use the Name and Password login method, and always choose a password that’s tough to guess.
Fast User Switching: This feature allows another user to log in while the previous user’s applications are still running in the background. This feature is perfect for a fast email check or a scan of your eBay bids without forcing someone else off the iMac. When you turn on Fast User Switching, Monterey displays the active user’s name at the right end of the Finder Menu bar.
To switch to another account:
Monterey displays the login window, just as though the Mac had been rebooted.
The previous user’s stuff is still running, so you definitely shouldn’t reboot or shut down the computer!
To switch back to the previous user:
For security, Monterey prompts you for that account’s login password.
Auto Login: This option is the most convenient method of logging in but offers no security whatsoever. Monterey automatically logs in to the specified account when you start or reboot your iMac.
I strongly recommend that you use Auto Login only if
Working in a public environment? Never set an admin-level account as the Auto Login account. This is the very definition of an SDI (Supremely Dumb Idea).
To set up a username/password or list login, open System Preferences; click the Users & Groups icon; and then display the Login Options settings in the Users & Groups pane, as shown in Figure 10-8. (If necessary, click the lock icon in the bottom-left corner to confirm your access.)
Here’s a rundown of key login settings:
Logging out of Monterey all the way without Fast User Switching is a cinch. Just choose Apple menu ⇒ Log Out or press ⌘+Shift+Q. A confirmation dialog appears that automatically logs you off in 1 minute. And that 1 minute is important, because if someone walks up and clicks Cancel, they’ll be using your iMac with your account! Therefore, it’s a good idea to bypass the confirmation dialog by pressing Option while choosing Log Out from the menu (or by adding the Option key to the keyboard shortcut). Your iMac returns to the login screen, ready for its next victim. Heed this Mark’s Maxim:
You may wonder where shared documents and files reside on your iMac. That’s a good question. Like just about everything in Monterey, the answer is simple: The Users folder on your iMac has a Shared folder within it. To share a file or folder, place it in the Shared folder.
Each user account on your iMac also has a Public folder in that user’s Home folder. The Public folder is a read-only folder that other users on your iMac (and across the network) can access. They can only open and copy the files it contains. (Sorry, they can’t create new documents or change existing documents created by other users.)
Allowing others to use your Mac always incurs a risk — especially if you store sensitive information and documents on your computer. Although your login password should ensure that your Home folder is off limits to everyone else, consider adding an extra level of security to prevent even dedicated hackers from accessing your stuff. Have one forgetful moment in an airport or classroom, and your personal and business data is suddenly within someone else’s reach. Adequate security is a Supremely Good Thing!
To this end, Monterey includes FileVault, which automatically encrypts the contents of your iMac’s drive. Without the proper key (in this case, your login password, your Apple ID, or the FileVault recovery key), the data stored on your drive is impossible for just about anyone to read. (I guess that the FBI or CIA would be able to decrypt it, but they’re not likely to be problems at your place!)
The nice thing about FileVault is that it’s transparent to you and your users. In other words, when you log in, Monterey automatically decrypts your encrypted files and folders. You won’t know that FileVault is on the job (which is how computers are supposed to work).
To turn on FileVault protection for a specific account, follow these steps:
Specify whether your iCloud (Apple ID) account can be used to reset your password and unlock your disk; then click Continue.
For most iMac owners, the Allow My iCloud Account to Unlock My Disk option is probably fine, but if you’re security-conscious, or if you’ve shared your iCloud account information with others, click the radio button titled Create a Recovery Key and Do Not Use My iCloud Account.
If you decide to create a separate recovery key, write down the FileVault recovery key displayed by Monterey and store it in a safe place.
To avoid making mistakes, you can capture an image of your screen by pressing ⌘+Shift+3. The screen shot appears on your Desktop as an image file. You can open that file and print a copy, or even copy an image file to a USB flash drive or another computer on your network for safekeeping. (Naturally, you’ll delete the image after it’s been printed or copied elsewhere.)
I love the FileVault feature and use it on all my Macs running Monterey. Yet a risk is involved (insert ominous chord here). To wit: Do not forget your login and iCloud account passwords (or make DOGGONE sure that you or your Admin user has access to a copy of that all-important FileVault recovery key)! macOS displays a dire warning for anyone who’s considering using FileVault: If you forget these safeguards, you can’t retrieve any data from your iMac’s drive. Even the smartest Apple support technician will tell you that nothing can be done. As Jerry Reed used to say, “It’s a gone pecan” (with pecan pronounced Southern style, as “puh-kahn”).
If necessary, click Enable User, provide the login password for each user on your account, and then click Continue.
Each user on your iMac has to be enabled to use the Mac after FileVault has been turned on. If you don’t know the login passwords for the other user accounts on your system, you have to ask each person to provide their password to continue. (If an account isn’t enabled, that person can’t access anything on the hard drive after it has been encrypted.)
Click the Restart button on the confirmation screen.
Your iMac automatically reboots and begins the encryption process. You can continue to use your Mac normally during encryption.
You’re done!
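If you're comfortable in Terminal, you can check the chapter's Auto Login and FileVault advice from the command line. The script below is an added example, not part of the original chapter; it assumes the standard macOS tools fdesetup, defaults, and dscl, and the account names in its comments (mark, bob) are constructed samples.

```shell
#!/bin/sh
# Added example: audit the login and encryption settings discussed in this chapter.
# Each check takes the text output of a macOS command as its argument, so the
# logic can be exercised with constructed sample text on any system.

# Input: output of `dscl . -read /Groups/admin GroupMembership`,
# e.g. "GroupMembership: root mark" (constructed sample).
# Prints the admin account names, leaving out the built-in root account.
admin_members() {
    members=""
    for member in ${1#GroupMembership:}; do
        if [ "$member" != "root" ]; then
            members="${members:+$members }$member"
        fi
    done
    echo "$members"
}

# Input: output of `fdesetup status`, e.g. "FileVault is On."
check_filevault() {
    case "$1" in
        *"FileVault is On"*)
            echo "PASS: FileVault is on" ;;
        *)
            echo "FAIL: FileVault is off or status unknown"
            return 1 ;;
    esac
}

# $1: output of `defaults read /Library/Preferences/com.apple.loginwindow
#     autoLoginUser` (empty when Auto Login is not configured)
# $2: space-separated admin names from admin_members
check_autologin() {
    auto_user=$1
    if [ -z "$auto_user" ]; then
        echo "PASS: Auto Login is off"
        return 0
    fi
    for admin in $2; do
        if [ "$admin" = "$auto_user" ]; then
            # The case the chapter warns about: an admin account as Auto Login.
            echo "FAIL: Auto Login uses admin account $auto_user"
            return 1
        fi
    done
    echo "WARN: Auto Login is on for standard account $auto_user"
    return 1
}

# Run against the real system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    admins=$(admin_members "$(dscl . -read /Groups/admin GroupMembership)")
    echo "Admin accounts: $admins"
    check_filevault "$(fdesetup status)"
    check_autologin "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" "$admins"
fi
```

Save the script under any name (audit.sh is used here) and run it with the --live argument on the Mac you want to check; a FAIL or WARN line points back to the Login Options or FileVault settings described above.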