Manage Gatekeeper from the Command Line in Mountain Lion

Gatekeeper is the new feature of OS X that controls what types of apps can be opened. To configure Gatekeeper, open the Security & Privacy System Preference pane. Click on the General tab and unlock to make changes. Here, you’ll see “Allow applications downloaded from:” along with the following 3 options:

  • Mac App Store: Only apps downloaded from the App Store can be opened.
  • Mac App Store and identified developers: Only apps downloaded from the App Store and apps signed by an identified developer can be opened.
  • Anywhere: Any app can be opened.
(Screenshot: Configuring Gatekeeper in Mountain Lion)

Configuring Gatekeeper is as easy as selecting one of these options. Under the hood, the state of Gatekeeper is kept in /var/db/SystemPolicy-prefs.plist. There's only one key there, though: enabled. So you could try to disable Gatekeeper with defaults: defaults write /var/db/SystemPolicy-prefs enabled no. However, doing so does not expose all of the options available in the GUI. To configure those options, Apple provides spctl, a command line tool for managing Gatekeeper. In its simplest form, Gatekeeper is switched on and off with the --master-enable and --master-disable options, which are pretty straightforward. Use --master-enable to enable Gatekeeper:

spctl --master-enable

And then use --master-disable to disable Gatekeeper:

spctl --master-disable

Whether Gatekeeper (assessments) is enabled or disabled can be checked using the --status option:

spctl --status

The -a option is used to assess an application to see if it will open or not:

spctl -a /Applications/GitHub.app

If an application passes and has a rule available, you'll get no response. If there's no rule for the application, you'll get a response like:

/Applications/GarageBuy.app: unknown error 99999=1869f

You add rules about apps using the --add option. Each app gets a label, defined with the --label option. For example, to add GitHub:

spctl --add --label "GitHub" /Applications/GitHub.app

To then enable access to GitHub:

spctl --enable --label "GitHub"

Or disable:

spctl --disable --label "GitHub"

As with most things, there's actually a rub. spctl doesn't always work. I've had more than a few issues with getting the labels to apply just right. Sometimes the -a will report back that an app is rejected and it will still open. I think this is first-gen technology and that, prior to relying on it, it would be a really good idea to test very thoroughly before deploying.
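The following script is an added example, not code from the original post or from Apple. It wraps the spctl commands above for a deployment workflow (add a labeled rule, enable it, then re-assess the app to confirm the rule actually took effect) and keeps the output parsing in separate functions so it can be checked against sample output off a Mac. It assumes the "assessments enabled/disabled" wording of spctl --status and the "<path>: accepted" / "<path>: rejected" lines of spctl -a -v; those strings are assumptions, as is running as root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS with spctl present
# for the live wrappers; the parsing functions work anywhere.

# Turn one line of `spctl --status` output into enabled / disabled / unknown.
gk_state_from_status() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# Turn `spctl -a -v <app>` output into accepted / rejected / no-rule / unknown.
# An empty reply means the app passed (spctl prints nothing without -v);
# the "unknown error" line is what the post shows when no rule exists.
gk_verdict_from_assessment() {
  case "$1" in
    "")                 echo accepted ;;
    *": accepted"*)     echo accepted ;;
    *": rejected"*)     echo rejected ;;
    *"unknown error"*)  echo no-rule ;;
    *)                  echo unknown ;;
  esac
}

# Live wrappers (assumption: spctl is on PATH, i.e. this runs on a Mac).
gk_status() { gk_state_from_status "$(spctl --status 2>&1)"; }
gk_assess() { gk_verdict_from_assessment "$(spctl -a -v "$1" 2>&1)"; }

# Deployment step: add a labeled rule, enable it, then re-assess the app so a
# rule that silently failed to apply is reported instead of trusted.
gk_allow_app() {
  app=$1; label=$2
  spctl --add --label "$label" "$app" || return 1
  spctl --enable --label "$label" || return 1
  verdict=$(gk_assess "$app")
  if [ "$verdict" != accepted ]; then
    echo "WARNING: $app still assessed as '$verdict' after enabling label '$label'" >&2
    return 2
  fi
  echo "$app: accepted under label '$label'"
}

# Usage on a Mac (as root): gk_allow_app /Applications/GitHub.app GitHub
```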