Use Timed Access Control to restrict when devices can connect to your Apple base station Wi-Fi

Your AirPort Extreme and Time Capsule router can block certain devices at certain times of day, based on the device's MAC address. Here's how to set it up.

Worried that your teen or tween is spending all night unwired to her or his iPhone, iPod touch, or iPad? Want your always-on Internet of Things device to be not-always-connected? While Mac OS X has timed access controls that let you specify during which hours a computer account may be used as well as a cumulative daily limit, iOS devices lack such options so many years into development, and only some third-party equipment lets you set active hours.

But if you have a network of all Apple Wi-Fi base stations, you can set timed access in a manner that sticks for wirelessly connected hardware. The Access Control option only lets you choose days of the week and times of the day to block usage, but it’s effective.

This option doesn’t work to restrict cellular access for iPhones or iPads with active data plans, which can rely on a mobile network. iOS has a Restrictions feature, but it doesn’t meet the bill. This method here will work with any Wi-Fi-connected Mac or other device—ethernet-connected hardware isn’t affected.

Uniquely identified devices

private i ios mac address

iOS puts its MAC address in General > About.

Timed Access Control relies on the unique network adapter identifier (called the MAC or Media Access Control address) that’s assigned to every ethernet and Wi-Fi adapter. In iOS, you find this identifier in the Settings app. Tap General > About. The value next to the Wi-Fi Address (something like D8:30:62:55:DE:B9) is what you need. In OS X, open the Network pane in System Preferences, click the Wi-Fi adapter in the left bar, click the Advanced button, and then the Hardware tab to get the MAC address.

private i find osx mac address

OS X puts the MAC address in a network adapter’s Advanced settings.

You can also retrieve these from AirPort Utility all at once:

  1. Launch AirPort Utility (found in /Applications/Utilities/).
  2. Select your base station, and then Option-click Edit. (Enter the base station’s password if prompted.)
  3. In the Summary tab, which is normally hidden, you’ll see a list of all active Wireless Clients in a list.
  4. Click the expand triangle next to each entry, which typically has the Bonjour or other identifying name, to view the Hardware Address.

Whatever your approach, type the MAC addresses into a text document, so you can copy and paste them later to set up access control. Both your regular network and guest networks are controlled by the same, single set of restrictions.

(While MAC addresses can be modified on computers through the use of command-line or other software—often to let one computer spoof the identify of another to access a network the user has no access to—the MAC address on an iOS device can’t be changed. This lets you use the MAC address as a reliable ID.)

Enable timed access to the network

To set up timed access, follow these steps:

  1. Launch AirPort Utility (found in /Applications/Utilities/).
  2. Select your base station, and click Edit. (Enter its password if prompted.)
  3. Click the Network tab.
  4. Check the Enable Access Control box, then click Timed Access Control.

Now you’re ready to configure restrictions. Figure out what restrictions you’ll want to have ahead of time. For instance, you might choose to disable access between 9 p.m. and 7 a.m. on weekdays and 10 p.m. and 6 a.m. on weekends.

(Note: You will have to restart the base station after configuring, so be sure that you’re ready to do so without damaging other operations in progress, like a sync, upload, or download.)

When you first view the Timed Access Control tab view after enabling access control, you see a prefilled entry placed there by AirPort Utility that reads “Unlimited (default)”. This entry is set to Everyday and All Day. In other contexts, you might call this default “allow everybody at all times.”

This sets a default policy for Timed Access for any machine for which a specific limit has not been set. The Unlimited entry can be used to ban or limit all access for MAC addresses that haven’t been entered into this list. You can modify this entry by selecting it and making changes under Wireless Access Times. You can even changes its name by clicking that name in the list.

To add more clients, click the plus sign under Wireless Clients, and enter a description and MAC address, which you can paste in. With that item selected, use the popup menus for day of week and time of day in the Wireless Access Times list. You can add any number of condition, and get pretty baroque, with multiple ranges of hours for every day of the week.

private i airport utility define time range

The Access Control screen lets you add entries for each device you want to limit, or set overall policies.

For instance, if you want to set access for a given device to 6 pm to 9 pm on weekdays and 8 am to 9 pm on weekdays, you’d add two conditions:

  • Weekdays, then Between, 6:00 PM, and 9:00 PM
  • Weekend, then Between, 8:00 AM, and 9:00 PM

When you’re done with all your entries, click Update, and the base station will restart with the new restrictions.

If you’ve managed somehow to lock out your own Mac, you can always connect to your router via ethernet to access AirPort Utility and fix the problem!

Limitations and propagation

This option has a lot of limitations, though it can meet the mark for common purposes.

  • There’s no temporary override. If you need to enable full access or restrict a device, you have to modify the entry and restart the base station.

  • It doesn’t limit by duration, only by times of day and days of the week.

  • You can’t create a policy and then assign a group of MAC addresses to it. Instead, every addresses has to have its own policy created separately. There’s not even a duplicate entry option.

One hidden feature? If all your base stations are 802.11ac models of the AirPort Extreme and Time Capsule with the latest firmware, and all are set up with the same Network Name, every time you restart the base station, the access control list will be propagated and updated to all the other base stations on the network.

If that doesn’t work for you or you have a mix of base stations, you can also use configurations export and import:

  1. In AirPort Utility with the Access Control enabled, select the base station, click Edit, and then select File > Export Configuration File.
  2. Select another base station in AirPort Utility in the same way, and select File > Import Configuration File.
  3. In the import dialog box, uncheck everything but Timed Access Control.
  4. Click OK.
  5. Click Update.
private i import device configuration airport

You can export then import Timed Access Control settings among base stations.

You can’t ensure that your kids get a good night’s sleep. But you can make sure a screen’s blue-tinged glow isn’t what’s keeping them up late.

Join the CSO newsletter!

Error: Please check your email address.

Tags Applerouters

More about AdvancedAppleClick

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place