Deploy Apps from Unidentified Developers without turning off Gatekeeper

justinkallas
Release Candidate Programs Tester

I've looked through the forums for some info on this and so far am not finding anything. We would like to keep Gatekeeper enabled in our environment, however we have come across a few useful applications that are provided from unidentified developers. On my admin machine I turned off Gatekeeper so that I could create a package to deploy with Casper, however once we deploy it to the clients when they try to run it they still get the "This application can't be opened because it is from an unidentified developer". Is there any way we can get around this without changing the Gatekeeper option on the clients to allow apps from all sources?

Thanks!


mm2270
Legendary Contributor III

Edit: Never mind. I'm mistaken about what I previously wrote. GateKeeper does stop launching as well. I think I've had that setting set to Allow all for so long I'd forgotten how it worked.

I had thought, though, that once Gatekeeper was bypassed during installation the app would then launch from there on out. Maybe not? I'll need to do some tests.

Edit 2: Gatekeeper can be bypassed the first time for any application not signed by right-clicking on the app, then choosing Open from the context menu. You'll still get a Gatekeeper warning dialog, but this time it will have an "Open" button on it they can click to launch the app. Afterwards, that app will always launch fine with a double click. The OS keeps a list of apps that have been manually bypassed in this way so it doesn't keep bugging you about them on every launch.

justinkallas
Release Candidate Programs Tester

Does this work even if the user is a non-admin?

calum_carey
Contributor

Is there an xattr or something that can be added or removed via a script to achieve this, mm2270? Or is there a database/plist that Gatekeeper uses?

gregneagle
Valued Contributor

Remove the com.apple.quarantine xattr before deployment with Casper

xattr -dr com.apple.quarantine /path/to/app

If you get the Gatekeeper prompt with an application installed via package then you packaged the app with the com.apple.quarantine in place.
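A pre-deployment check that follows Greg's point, added here as an example and not code from the thread or from Jamf: before building the package, list every file under the bundle that still carries com.apple.quarantine, decode the value so you can see which agent quarantined it and when, and only then strip it with the same `xattr -dr` command. It assumes `xattr -lr` prints one `<path>: <attribute>: <value>` line per attribute (with no path prefix for a single file) and that the quarantine value has the form `<flags hex>;<unix time hex>;<agent>;<uuid>`; the sample listing embedded in the block is constructed, not captured from a real machine.

```python
"""Pre-deployment quarantine check for an app bundle.

Added example, not code from the thread. Assumptions: `xattr -lr` prints
"<path>: <attr>: <value>" per attribute line, and the quarantine value
is "<flags hex>;<unix-time hex>;<agent>;<uuid>".
"""
import platform
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample of `xattr -lr` output for a downloaded bundle (not real data).
# The FinderInfo line and its hex-dump continuation show the noise the parser skips.
SAMPLE_LISTING = """\
/Applications/Example.app: com.apple.quarantine: 0083;5f7a2b10;Safari;7F4C2A31-1B2E-4C5D-9A8B-0123456789AB
/Applications/Example.app/Contents/Info.plist: com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
/Applications/Example.app/Contents/MacOS/Example: com.apple.quarantine: 0083;5f7a2b10;Safari;7F4C2A31-1B2E-4C5D-9A8B-0123456789AB
"""


@dataclass
class QuarantineRecord:
    path: str
    flags: int               # raw flag bits; individual bit meanings are not decoded here
    downloaded_at: datetime  # when the quarantining agent set the flag (UTC)
    agent: str               # app that set the flag, e.g. a browser or mail client
    uuid: str


def parse_quarantine_value(raw: str) -> Tuple[int, datetime, str, str]:
    """Split a quarantine value into (flags, timestamp, agent, uuid)."""
    parts = raw.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    uuid = parts[3] if len(parts) > 3 else ""
    return flags, downloaded_at, agent, uuid


def parse_xattr_listing(listing: str, bundle_path: str) -> List[QuarantineRecord]:
    """Pull quarantine records out of `xattr -lr` output.

    Lines for other attributes, and the hex-dump continuation lines xattr
    prints for binary values, carry no quarantine marker and are skipped.
    """
    marker = f"{QUARANTINE_ATTR}: "
    records: List[QuarantineRecord] = []
    for line in listing.splitlines():
        if line.startswith(marker):
            # single-file form: xattr omits the path prefix
            path, raw = bundle_path, line[len(marker):]
        elif f": {marker}" in line:
            path, _, raw = line.partition(f": {marker}")
        else:
            continue
        flags, ts, agent, uuid = parse_quarantine_value(raw)
        records.append(QuarantineRecord(path, flags, ts, agent, uuid))
    return records


def quarantined_files(bundle_path: str) -> List[QuarantineRecord]:
    """Run xattr on a real bundle (macOS only) and parse the result."""
    if platform.system() != "Darwin":
        raise RuntimeError("xattr(1) quarantine listing only works on macOS")
    out = subprocess.run(["xattr", "-lr", bundle_path],
                         capture_output=True, text=True, check=True).stdout
    return parse_xattr_listing(out, bundle_path)


def strip_quarantine(bundle_path: str) -> None:
    """Remove the flag recursively: the command Greg gives in the thread."""
    subprocess.run(["xattr", "-dr", QUARANTINE_ATTR, bundle_path], check=True)


if __name__ == "__main__":
    import sys
    bundle = sys.argv[1]
    found = quarantined_files(bundle)
    for r in found:
        print(f"{r.path}: flags=0x{r.flags:04x} set by {r.agent} "
              f"at {r.downloaded_at:%Y-%m-%d %H:%M:%S}Z")
    if found and "--strip" in sys.argv:
        strip_quarantine(bundle)
        print(f"removed {QUARANTINE_ATTR} from {len(found)} file(s)")
    elif found:
        print("bundle would ship quarantined; rerun with --strip before packaging")
    else:
        print("no quarantine flags found")
```

Run it as `python3 check_quarantine.py /path/to/App.app` on the admin Mac before building the package; the report tells you whether the bundle came in through a browser or mail client, and `--strip` removes the flag only after you have seen what was there. Keeping the listing step separate from the removal step means the build log records that the package was inspected rather than blindly de-quarantined.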

mm2270
Legendary Contributor III

@justinkallas - Unfortunately no. If a user tries that and isn't an admin, it will try to open it but they'll get an authentication dialog saying "Finder" wants to allow an item to always run, asking for admin credentials to continue. I would like to say it may be possible to figure out what to modify to add apps manually to this group, but I have a sinking feeling it's one of those pesky SQLite databases Apple seems fond of using lately, which would make it a pain to edit.
One thing that might work is a Self Service combo install and launch policy that auto authenticates the first launch for the user. I don't really know if that's possible though. Just thinking off the top of my head.

@calum_carey, I'm actually not sure, but I know that Gatekeeper does somewhat tie into the file quarantine system Apple has been using on OS X since around 10.5. You know, the message that you get the first time you open a file downloaded from the internet or sent to you via email: such and such file was downloaded from the Internet. Are you sure you want to open it? You could always remove the quarantine flag on a download or application, but that's not enough to get around that Gatekeeper setting, because Gatekeeper does more. It will check the application's developer certificate to see if it's valid, or there in the first place. My understanding is it checks once a day to see if anything has been added, and just as importantly, added to a blacklist.

Edit: OK, so it looks like Greg provided the answer. Perhaps it's all tied to that quarantine flag after all.

evarona
New Contributor II

FWIW, we have GK set up to allow apps signed with an Apple root cert and then used a Config Profile to prevent the ctrl-click+Open bypass trick. I have an app that was signed but the installer wasn't (thank you HP…). One possibility I was considering was using scripts to change the status of GK.

spctl --status
sudo spctl --master-enable
sudo spctl --master-disable

I would have checked the status, disabled GK, installed my product and turned GK back on. Instead, I found it easier to just sign the stupid installer with my own Apple dev cert.