Sunday, February 11, 2018

Qustodio "parental" controls for iOS - no longer compatible with modern web

My Qustodio review [1] was delayed because I signed up for the School (professional) version rather than the Home version (long story, not interesting). The two versions seem to have a lot in common, but there important differences. The Home version has an iOS app for managing users, the School version must be managed by a desktop browser (no app, no support for iOS browsers).

Unfortunately I discovered fatal flaws to Qustodio’s approach that mean I won’t be testing their home version. The short version is that they route all traffic through a VPN that isn’t compatible with modern requirements for SSL connections. 

For reference here at the notes I prepared on reviewing school/professional version.

—————————-

The “School” version of Qustodio is marketed to small schools, non-profits and libraries. I signed up for the 5 device $10/month plan.

Like the Family (home) version the school version manages desktop and mobile devices, but I only looking at their iOS device support. I installed on 3 iPhones, two in active use by my Explorers, one a test phone for my book project. This is what I found.

How Qustodio (school) works

Qustodio uses Apple’s iOS device management technology. They install a “Configuration Profile” that  allows remote configuration of some of Apple’s built-in Restrictions. The installation is simply downloading the Profile from a link. Once installed all net traffic is routed through a Qustodio VPN. 

When Qustodio is installed the iOS VPN setting will be enabled. A user can toggle it off but this is really a UI error, it will turn itself back on.

Customer support and leaving Qustudio: C

I worked with customer support to see if I could switch my account from School to Home. Customer support was responsive but they are not native English speakers. They may be relying on translation software. They didn’t understand my question. (I’m pretty sure there’s no way to do that transfer.)

To leave Qustodio one must first delete the Profiles from each device. To delete one must know the password that was emailed to the account manager during installation. There’s no way to retrieve that password from the management panel (there must be a way for customer support to retrieve it!). [Update: It’s obscure, but if you go to Settings and Devices and delete a device you’ll see a warning dialog that shows the removal password for the device.]

The next deletion step is to find the Profiles. On one device the Profile was under the main Settings menu, in two others Profiles were under Settings:General:Profiles. I have no idea why there were two different locations, it didn’t seem to be related to the installation method.

The uninstall process doesn’t scale to a large number of users, the “school” product is aimed at very small schools.

The future of the product: D-

Google is slowly rolling out their own web based device management platform for families. They are responding to pressure from regulators. This could be a big deal, because Android’s built-in parental controls were lousy. Apple, again responding to pressure from Europe and even large investors, may also provide a web based way to manage devices. Even if Apple does a poor job these two developments may kill the home user market and Qustodio’s school solution is pretty limited.

Alas, there’s an even bigger problem - see Usage.

Installation: B

Installation isn’t too bad as long as you don’t try following the directions for the Home version! Create  user in the web management console, then either send an email to their device or use a browser on their device to navigate to www.qustodio.com/pro/downloads. Then click the links and complete the install. Just be sure not to save the management console password to their device when prompted.

Usage: F

Alas, the Qustodio VPN doesn’t handle SSL connections correctly. Google treats it as a “impersonating” connection, other sites produced an ERR_SSL_PROTOCOL_ERROR message. OS X parental controls had similar issues 5 years ago; since then SSL connections have become standard. Today nobody would consider this acceptable. The final nail in the coffin is Qustodio’s web site doesn’t address the problem. That suggests a limited future for their iOS product.

- fn -

[1] I’ve been spelling it “Qustudio”. It’s actually Qustodio. I wonder how they came up with that name. I’ve gone back and fixed up my old posts. 

Update 2/17/2018: Qustodio never responded to my questions about their VPN service. In addition to the issues above #1 son was being routinely asked for his VPN password. I removed all the phones from the service, and found when you delete a device you are given the device password. So it’s available, but obscure. Then I removed all accounts and closed my account. Account closure seemed to work, now I have to see if billing stops.