As the Mac becomes ever more popular, it is increasingly targeted by malicious apps. To offer additional protection against this, Apple introduced a security feature in Mountain Lion, called Gatekeeper, that helps prevent untrusted apps from being launched.
Although designed to be as simple as possible, Gatekeeper does include some options for further configuration.
How it Works for Users
Gatekeeper is available within OS X Mountain Lion and above, as well as the most recent update to OS X Lion, 10.7.5.
Gatekeeper isn't an app or utility as such; it's a group of settings tucked away in System Preferences, under Security & Privacy > General. Although it's a widely advertised feature of OS X, the preference pane never actually refers to it by name, though searching for "Gatekeeper" within System Preferences will still take you to the right place.
By default, Gatekeeper will only allow apps to run that have been digitally signed by a source it recognises. This covers apps from the Mac App Store as well as apps downloaded from the internet from a registered developer who has signed them with their Developer ID.
Apps that are unsigned, or signed by a developer Apple has not registered, cannot be verified and will be blocked when you first try to launch them (unless you use one of the overrides described later). Gatekeeper performs this check the first time an app downloaded by a quarantine-aware app such as Safari or Mail is opened; apps that arrive by other means, such as being copied from a USB stick, are not marked as downloaded and are not checked.
Gatekeeper for Developers
Any developer who wishes to submit an app to the Mac App Store is required to register as part of the Mac Developer Program. Outside of the Mac App Store, developers are encouraged to register, but are not required to.
The Mac App Store is just one way of downloading apps for your Mac. Unlike iOS, Mac users are not restricted to only using Apple's App Store ecosystem. Many developers have apps that are available on both the Mac App Store and their own site, or perhaps have apps that cannot meet the restrictions that Apple impose on Mac App Store submissions.
Registration provides developers with a unique Developer ID certificate that they use to digitally sign their app, allowing Gatekeeper to verify who signed it and that it hasn't been tampered with since (such as by replacing some of the files that the app uses). Note that a valid signature proves origin and integrity, not that the app is harmless. All Mac App Store submissions require signing, but the benefit to developers outside of the Mac App Store makes it worthwhile too.
This is where the benefit for developers comes in: registering ensures their apps will run on any Mac out of the box. Just as importantly, users are less likely to trust an app that their Mac cannot identify and verify, even if the app is completely harmless.
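The checks described above (is the app quarantined, is its signature intact, which Gatekeeper rule accepts or rejects it) can be reproduced from the command line with the tools that ship with OS X 10.8: xattr(1), codesign(1) and spctl(8). This is an added example, not code from the original article; the function names are its own, and the spctl output samples at the bottom are constructed for illustration rather than captured from a real Mac.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the checks
# Gatekeeper performs on one app bundle. The app path is supplied by the
# caller; the sample spctl outputs near the end are constructed.

# Turn `spctl --assess --verbose` output (read from stdin) into one line.
# spctl prints "<path>: accepted" or "<path>: rejected", followed by a
# "source=<rule>" line naming the rule that decided, e.g. "Mac App Store",
# "Developer ID" or "no usable signature". When the policy is set to
# Anywhere an extra "override=security disabled" line appears.
gk_verdict() {
    awk '
        /: (accepted|rejected)$/ { verdict = $NF }
        /^source=/               { source = substr($0, 8) }
        /^override=/             { override = substr($0, 10) }
        END {
            if (verdict == "") { print "unknown"; exit 1 }
            printf "%s", verdict
            if (source != "")   printf " (%s)", source
            if (override != "") printf " [%s]", override
            printf "\n"
        }'
}

# The quarantine attribute set by Safari, Mail and other quarantine-aware
# apps on download is what makes Gatekeeper assess a file on first launch.
gk_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Full report for one app. codesign --verify fails if the main executable
# or any sealed resource changed after signing (the tampering check);
# spctl --assess applies the same policy Gatekeeper uses in the Finder.
gk_report() {
    app=$1
    if gk_quarantined "$app"; then
        echo "quarantine : set (Gatekeeper will assess on first launch)"
    else
        echo "quarantine : not set (already approved, or never quarantined)"
    fi
    echo "signature  :"
    codesign --verify --verbose=2 "$app" 2>&1 | sed 's/^/  /'
    echo "gatekeeper :"
    spctl --assess --type execute --verbose "$app" 2>&1 | gk_verdict | sed 's/^/  /'
}

# Constructed sample outputs (not captured from a real machine) so that
# gk_verdict can be exercised on any system.
GK_SAMPLE_STORE='/Applications/StoreApp.app: accepted
source=Mac App Store'
GK_SAMPLE_DEVID='/Applications/DevIDApp.app: accepted
source=Developer ID'
GK_SAMPLE_UNSIGNED='/Users/demo/Downloads/OldDriver.app: rejected
source=no usable signature'

# Usage: sh gk_check.sh /Applications/Some.app
if [ $# -gt 0 ]; then
    gk_report "$1"
fi
```

A rejected verdict with `no usable signature` is exactly the case the article describes: nothing Gatekeeper can verify. The first line of the report is worth reading too: an app fetched with curl or copied from removable media never receives the quarantine attribute, so Gatekeeper never assesses it, whatever the preference is set to.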
Configuring Gatekeeper
The potential for harm to users' personal data can be great should a malicious app find its way onto their Mac, so Apple has designed Gatekeeper with just one setting. You can choose to have Gatekeeper allow the following types of apps:
Mac App Store
Selecting this option will only allow the user to launch apps that have been downloaded from the Mac App Store. Even if you download an app from a well-known, registered developer's website, Gatekeeper will prevent the Mac from running it.
While inherently more secure, many popular apps are simply not listed on the Mac App Store. Adobe Photoshop and Microsoft Office 2011, for example, wouldn't be able to run if this option was enabled before they were installed and first opened.
Mac App Store and Identified Developers
In addition to Mac App Store downloads, this option will allow apps created by registered developers to run. It's Gatekeeper's default option in OS X and, for many users, the best.
Anywhere
This disables Gatekeeper entirely, allowing unsigned apps from unidentified developers to run. In most cases it's not advisable to switch to this option, even for experienced Mac users. In fact, there is very little need for it, as Gatekeeper provides a way of allowing unidentified apps you need to run or install on a case-by-case basis, without having to change its settings and risk forgetting to change them back.
If you increase the security of Gatekeeper, apps you have already been using that don't meet the new requirement will still work. Gatekeeper assesses an app only the first time it is opened after being downloaded, so a change to the setting only affects apps that are downloaded and opened afterwards. If you've been using Microsoft Office 2011 and change Gatekeeper's setting to allow only Mac App Store apps, Word and Excel will still open.
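The three radio buttons correspond to enabling or disabling rules in the system policy, which spctl(8) can switch from the command line. The following is an added example, not code from the original article: the function names and the dry-run switch are its own, and the rule labels "Mac App Store" and "Developer ID" are the ones `spctl --list` shows on OS X 10.8. The real commands modify the system policy database and therefore need root.

```shell
#!/bin/sh
# Added example (not from the original article): the Security & Privacy
# radio buttons expressed as spctl(8) commands. Set GK_DRY_RUN=1 to print
# the commands instead of running them, so they can be reviewed first.

gk_run() {
    if [ "${GK_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Gatekeeper's policy is a set of allow rules. "store" keeps assessment on
# but switches off the Developer ID rule, so only Mac App Store apps pass;
# "identified" (the default) re-enables the Developer ID rule; "anywhere"
# turns assessment off altogether, the option the article warns against.
gk_set_policy() {
    case $1 in
        store)
            gk_run sudo spctl --master-enable
            gk_run sudo spctl --disable --label "Developer ID"
            ;;
        identified)
            gk_run sudo spctl --master-enable
            gk_run sudo spctl --enable --label "Developer ID"
            ;;
        anywhere)
            gk_run sudo spctl --master-disable
            ;;
        *)
            echo "usage: gk_set_policy store|identified|anywhere" >&2
            return 2
            ;;
    esac
}

# Show the current state: whether assessment is on at all, and the two
# rules the radio buttons toggle.
gk_status() {
    spctl --status
    spctl --list 2>&1 | grep -E 'Mac App Store|Developer ID'
}

# Usage: GK_DRY_RUN=1 sh gk_policy.sh store   (review)
#        sudo sh gk_policy.sh store           (apply)
if [ $# -gt 0 ]; then
    gk_set_policy "$1" && gk_status
fi
```

Whatever you set here, remember the point made above: the policy is consulted only when a quarantined app is opened for the first time, so tightening it does nothing to apps that have already been approved.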
Gatekeeper Exceptions
As more developers register and their apps can be identified by Gatekeeper, the likelihood of stumbling across an app that isn't digitally signed has decreased significantly. Still, there are situations where it's unavoidable and you need to run an app that Gatekeeper can't identify. Examples include:
- Apps created using Automator or AppleScript Editor
- Older apps or drivers for discontinued devices
- Custom installers created for internal use
From what you've read so far, it would be logical to assume that the only way to run these types of apps is to disable Gatekeeper.
Fortunately, this isn't the case. Whether you want to run an app that wasn't downloaded from the Mac App Store or need to install some old drivers from a developer that hasn't digitally signed their installer, OS X provides a way of allowing an individual app to run that Gatekeeper would normally block.
Gatekeeper's Standard Behaviour
Here's an app I'm attempting to run on a Mac with Gatekeeper's default settings. As you can see, Gatekeeper is blocking it from running.
To install this, we could disable Gatekeeper and then try again. It would certainly work, though we would need to remember to change Gatekeeper's settings back to the previous restriction, otherwise we run the risk of leaving our Mac unprotected against malicious apps.
Alternatively, we can explicitly approve apps and prevent them from being challenged by Gatekeeper. This provides a suitable middle ground where we can still keep our Mac protected, but have the option to launch an app that would otherwise be blocked.
Explicitly Approving an App
There are two methods of allowing a blocked app to run without disabling Gatekeeper. The first is to try to run it normally (as we have done already), then open Gatekeeper's settings within System Preferences > Security & Privacy.
Gatekeeper will remember the last app it blocked and offer the option to override it by clicking Open Anyway.
The second is, instead of simply double-clicking the app, to right-click (or Control-click) it and select Open from the contextual menu. By using this method, OS X acknowledges that we explicitly want to launch the app and asks us to confirm.
After confirming that the app is to be launched, Gatekeeper will remember this exception and allow that app to launch without hindrance from then on. Because the decision is permanent for that copy of the app, be sure you know where it came from before approving it.
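For anyone scripting this, the same per-app approval can be done without touching the global setting, and the attribute that causes the challenge in the first place can be inspected. The following is an added example, not code from the original article: the rule label, the function names and the sample attribute value are this example's own, and it does not claim the GUI's Open Anyway records its decision in the same way, only that the effect (this one app runs, the policy stays put) is the same.

```shell
#!/bin/sh
# Added example (not from the original article): per-app exceptions with
# spctl(8) and xattr(1), plus a look at the quarantine attribute that
# triggers the Gatekeeper check. GK_DRY_RUN=1 prints commands instead of
# running them.

# The com.apple.quarantine value is semicolon separated:
#   flags;download time (hex seconds since 1970);downloading app;identifier
# Only the second and third fields are interpreted here.
gk_quarantine_info() {
    value=$1
    flags=${value%%;*}
    rest=${value#*;}
    hextime=${rest%%;*}
    rest=${rest#*;}
    agent=${rest%%;*}
    echo "flags=$flags agent=$agent downloaded=$(( 0x$hextime ))"
}

gk_show_quarantine() {
    if value=$(xattr -p com.apple.quarantine "$1" 2>/dev/null); then
        gk_quarantine_info "$value"
    else
        echo "no quarantine attribute: Gatekeeper will not assess this file"
    fi
}

gk_run() {
    if [ "${GK_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add an allow rule for this one bundle. The global policy and the file's
# quarantine flag stay exactly as they were, and the rule carries a label
# so it can be found and removed later.
gk_approve() {
    gk_run sudo spctl --add --label "Approved by me" "$1"
}

# Remove every rule added under that label.
gk_unapprove() {
    gk_run sudo spctl --remove --label "Approved by me"
}

# The shortcut to avoid: deleting the attribute makes the file invisible
# to Gatekeeper for good, with no rule left behind recording the decision.
gk_strip_quarantine_unsafe() {
    gk_run xattr -d com.apple.quarantine "$1"
}

# Constructed sample value (not taken from a real download): a file saved
# by Safari on 12 November 2012.
GK_SAMPLE_QUARANTINE='0001;50a0b1c2;Safari;'

# Usage: sh gk_approve.sh /Users/me/Downloads/OldDriver.app
if [ $# -gt 0 ]; then
    gk_show_quarantine "$1"
    gk_approve "$1"
    spctl --assess --type execute --verbose "$1"
fi
```

After `gk_approve`, `spctl --assess --verbose` on the bundle reports `accepted` with `source=Approved by me`, which is the command-line counterpart of the exception the article describes; `gk_unapprove` puts things back. Prefer this over `gk_strip_quarantine_unsafe`: an allow rule is visible in `spctl --list` and reversible, whereas a deleted attribute leaves no trace.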
Wrapping Up
Gatekeeper offers an additional layer of protection that helps ensure the apps you run come from identified sources, blocking apps it cannot verify, while still leaving you the final decision about whether an individual app can be launched, even if Gatekeeper would rather it didn't.
Read the second part of this series where we look at how Gatekeeper can be managed from the command line.
You can purchase the complete guide to Gatekeeper Fundamentals as an ebook in ePub and PDF format for just $0.99.