Gatekeeper advice

AdC
New Contributor

Hello,

I can't find an exact answer for this question so I'm sorry if the answer already exists but we are about to go live with Jamf Pro and our security team have a potential issue with Gatekeeper that I wonder if anyone else is able to advise on?

If we set Gatekeeper to "Mac App Store and identified developers", how are users without admin permissions able to install an app that is not covered by this setting but is approved by the organisation to be installed? Our security department are not happy with the "Anywhere" setting so they want some control of what users can install. Is there a configuration that can be applied to say that if a user tries to install something that is not in "Mac App Store and identified developers" that it informs IT and then the IT department can approve/deny?

I know that there is a temporary override function but this is only for admins?

Any advice much appreciated
Thanks


mschroder
Valued Contributor

What about making the apps in question available via the Self-Service. After all there shouldn't be that many unsigned and unnotarized apps around that users should be allowed to install. The MDM can install these even if you leave "Mac App Store and identified developers" on, which appears to be desirable.

mm2270
Legendary Contributor III

In general, most applications that are legitimate that you would want your end users installing from Jamf or from Jamf Self Service are going to be from verified developers and/or notarized apps. So I don't think this is as much of a concern as you might be thinking it is. If you know you have a lot of unsigned non-notarized apps users have to install on their Macs that are going to run afoul of Gatekeeper settings, you may want to look at alternative solutions for those.

Your security team is right for not liking the Gatekeeper Anywhere setting, as that allows all kinds of installs of unverified products on the machines, which is a big vector for getting malware and other crap on the Macs.

AJPinto
Honored Contributor II

Gatekeeper does not have any bearing on if admin access is needed or not to install applications. More or less Gatekeeper is a certificate/notarization check to help prevent unaware users from installing malicious applications.

  • Mac App Store and identified developers: Means that in addition to App Store apps, Applications where the developer has had the application notarized by Apple can be installed by an admin.
  • Anywhere: basically waives that certificate check and allows an admin to install any* app, notarized or not.
    • ***Do not use Anywhere, if you see a notarization issue either have the vendor get with Apple to fix it or look into using xattr to override for that one application***

The only way for non-admins to install Applications with JAMF is to have the application packaged, a policy built and placed in JAMF SelfService. From there the user can open SelfService and tell the App to install. The policy the user clicks in SelfService runs with root privileges which handles the admin access. The option to auto install without user interaction is also available.

If you are wanting non-admins to be able to install applications you will need to look into a privilege management tool.

Security MDM payload settings for Apple devices - Apple Support (IN)

Gatekeeper and runtime protection in macOS - Apple Support (IN)

Security Settings on Managed Computers - Jamf Pro Security Overview 10.44.0 or Later | Jamf

Notarizing macOS software before distribution | Apple Developer Documentation
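A read-only audit script, added here as an example and not something posted in the thread, that uses spctl to report which apps on a Mac would pass or fail under "Mac App Store and identified developers" before go-live; the /Applications default and the sample spctl output are assumptions.

```shell
#!/bin/sh
# Read-only Gatekeeper audit for a Jamf go-live check (added example; not from the thread).
# Classifies each app in /Applications by what `spctl --assess -vv` reports, so you
# can see which apps will be blocked under "Mac App Store and identified developers".
# It never changes Gatekeeper settings or quarantine attributes.

# Map the text printed by `spctl --assess -vv <app>` to a verdict.
# Rejection is checked first because a Developer ID app that is not notarized is
# typically reported as rejected on current macOS ("source=Unnotarized Developer ID").
classify_assessment() {
  case "$1" in
    *": rejected"*)                     echo "rejected" ;;
    *"source=Mac App Store"*)           echo "app-store" ;;
    *"source=Notarized Developer ID"*)  echo "notarized" ;;
    *"source=Developer ID"*)            echo "identified-developer" ;;
    *)                                  echo "unknown" ;;
  esac
}

# True when Gatekeeper assessments are on (spctl --status prints "assessments enabled").
gatekeeper_enabled() {
  spctl --status 2>/dev/null | grep -q 'assessments enabled'
}

# One line per app bundle: "<verdict><TAB><path>". Directory defaults to /Applications.
audit_applications() {
  dir="${1:-/Applications}"
  for app in "$dir"/*.app; do
    [ -d "$app" ] || continue
    result=$(spctl --assess -vv "$app" 2>&1) || true   # non-zero exit just means rejected
    printf '%s\t%s\n' "$(classify_assessment "$result")" "$app"
  done
}

# Constructed sample of spctl output for an unsigned app, so the classifier can be
# exercised on a machine without spctl (for instance when testing the script off-Mac).
SAMPLE_UNSIGNED='/Applications/Example.app: rejected
source=no usable signature'

if command -v spctl >/dev/null 2>&1; then
  if gatekeeper_enabled; then echo "Gatekeeper: enabled"; else echo "Gatekeeper: disabled"; fi
  # Anything not app-store/notarized is a candidate for packaging into Self Service.
  audit_applications | sort
else
  echo "spctl not available; sample verdict: $(classify_assessment "$SAMPLE_UNSIGNED")"
fi
```

The one-line-per-app output can be dropped into a Jamf Extension Attribute so the inventory shows which Macs still carry apps that would be blocked.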

AdC
New Contributor

These are great answers, thank you.