Manage Gatekeeper from the Command Line in Mountain Lion
Gatekeeper is the new feature of OS X that controls what types of apps can be opened. To configure Gatekeeper, open the Security & Privacy System Preference pane. Click on the General tab and unlock to make changes. Here, you’ll see “Allow applications downloaded from:” along with the following 3 options:
Mac App Store: Only apps downloaded from the App Store can be opened.
“Mac App Store and identified developers”: Only apps downloaded from the App Store and those signed can be opened.
Anywhere: Any app can be opened.
Configuring Gatekeeper is as easy as selecting one of these options. Now, under the hood, the state of Gatekeeper is kept in /var/db/SystemPolicy-prefs.plist. There’s only one option there, though: enabled. So you could try and run defaults to disable Gatekeeper: defaults write /var/db/SystemPolicy-prefs enabled no. However, doing so is not really going to provide all the options available in the GUI. To configure the options, Apple has provided spctl, a command line tool used to manage Gatekeeper. In it’s simplest form, Gatekeeper can be enabled using the –master-enable and –master-disable options, which are pretty straight forward. Use –master-enable to enable Gatekeeper:
And then use –master-disable to disable Gatekeeper:
Whether Gatekeeper (assessments) is enabled or disabled can be returned using the –status option:
The -a option is used to assess an application to see if it will open or not:
spctl -a /Applications/GitHub.app
If an application passes and has a rule available then you’ll get no response. If there’s no rule for the application, you’ll get a response that:
/Applications/GarageBuy.app: unknown error 99999=1869f
You add rules about apps using the –add option. Each app gets a label, defined with the –label option. For example, to add GitHub:
spctl --add --label "GitHub" /Applications/GitHub.app
To then enable access to GitHub:
spctl --enable --label "GitHub"
spctl --disable --label "GitHub"
As with most things, there’s actually a rub. spctl doesn’t always work. I’ve had more than a few issues with getting the labels to apply just right. Sometimes the -a will report back that an app is rejected and it will still open. I think this is first gen technology and that prior to relying on it that it would be a really good idea to test very thoroughly before deploying.