
I wanted to check the current Gatekeeper status, preferably using a bash script, to find out whether the status is set to:

1. App Store

2. App Store and identified developers

3. Anywhere

Running the commands below enables Gatekeeper with "App Store" only, but does not help to change it to "App Store and identified developers":

```sh
spctl --master-enable
defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true
```

Kindly suggest how to achieve both these tasks.

If you look at a computer record > Security, there's already a field for Gatekeeper, and this can be used as a criteria for an Advanced Computer Search or a Smart Group.


If you'd like to enforce this setting, consider a Configuration Profile with a Security & Privacy > General payload.


  • computer record > Security, there's already a field for Gatekeeper
    Yes, it does;
    but my question is about how to check the Gatekeeper status programmatically, not via the UI.

  • enforce this setting, consider a Configuration Profile with a Security & Privacy > General payload.
    I tried.
    Could you please provide an example?

```sh
/usr/sbin/spctl --disable --rule {7,6}  # setting Gatekeeper to "App Store"

/usr/sbin/spctl --enable --rule {8,7,6,5,4}  # setting Gatekeeper to "App Store and identified developers"
```

But this did not seem to update the Gatekeeper status to the required values.
The macOS version was Sonoma 14.3.

I use an Extension Attribute to monitor the status for easy reporting. An if statement could be added to run the command to set the gatekeeper status based on the result of the command, but I would suggest just configuring it with a Configuration Profile. 


Edit: I totally spaced on Apple's MDM framework not preventing Gatekeeper from being disabled for some stupid reason. You can also target a policy to run the command to enable Gatekeeper to devices with it disabled.


```bash
#!/bin/bash

## Get results for Gatekeeper status
GateKeeper_Status=$(spctl --status)

## Write results of Gatekeeper status for Jamf reporting
echo "<result>GK: $GateKeeper_Status</result>"
```


No; this script would always display `assessments enabled` and does not help us to figure out whether the status is set to

  • 'App Store'
  • 'App Store and identified developers'

App Store vs App Store and Identified Developers should be configured with a Configuration Profile. If this is done correctly with a Configuration Profile the user cannot change it even with Admin Access.

Can't recall who I got this from. But thanks.

EA:

```sh
#!/bin/sh

GTvers=$( /usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" /private/var/db/gkopaque.bundle/Contents/Info.plist )

echo "<result>$GTvers</result>"
```


A user with admin access can still disable or modify the Gatekeeper status:

```sh
spctl --master-disable
```

Correct, I pointed this out in my original comment. I would just target a policy at devices with Gatekeeper disabled with a command to enable it. There is still a window where Gatekeeper would be disabled, as it takes time for Jamf to be aware a client change happened. The only way to totally close this hole is to remove admin access.

```sh
spctl --master-enable
```

This script just displays the Gatekeeper version.


Misread. 
