Gatekeeper question

AVmcclint
Honored Contributor

With more and more malware finding its way to the Mac world, how are other admins configuring their Gatekeeper settings to protect users? I have a policy in place to disable Gatekeeper and it runs monthly since Gatekeeper wants to rearm itself every month. The problem is that we use a lot of open source software or other legit software that isn't signed so Gatekeeper doesn't know it's legit.

I'd like to set our Gatekeeper to allow apps from known developers. I did a search in System Profiler > software > applications and sorted by the "Obtained from" column. Apps like GIMP, Cocoa Dialog, ADPassMon, Citrix Receiver, Junos Pulse and MANY MANY more show up as "Unknown" These are major apps we cannot live without. Citrix Receiver and Junos Pulse aren't no-name developers coding in their spare time either! I'm afraid that if I change the Gatekeeper security level to allow only known developers and mac app store apps, it will break a lot of what we use. I also have some apps I built with Platypus, and compiled Applescripts that I would love to implement, but creating a paid developer account and signing apps is out of the question.

How are you dealing with this situation? We currently have McAfee ePO to protect us but it's not exactly a gold medal winner. I also have Malwarebytes for Mac installed but that requires the users to manually launch and run a scan. So the potential for malware getting installed is still there with Gatekeeper disabled.

8 REPLIES 8

chisox1
New Contributor

I am coming across the same issue at my organization. With the upcoming release of Sierra I am stuck deciding if I should now enable gatekeeper or keep it turned off. It is a great feature to brag to security about if we enable it :)

CasperSally
Valued Contributor II

I used to disable it, we're enabling it now.

I'd lean on the side of ripping off the bandaid and enabling it at this point.

You can add programs to the allowed to run db by running command like this (we run this as command as part of install policy for scratch 2)
xattr -r -d com.apple.quarantine /Applications/Scratch 2.app

adamcodega
Valued Contributor

I'm hard pressed to find a good reason to disable Gatekeeper.

Just set your configuration profile to App Store and Known Developers, and make sure "Do not allow user to override Gatekeeper setting: Prevents the user from temporarily overriding the Gatekeeper setting by control-clicking to install any app" is unchecked. Then people can run unsigned apps by right clicking and choosing Open.

I don't believe apps like cocoaDialog would cause Gatekeeper warnings if being run by policies, either triggered or in Self Service.

"Citrix Receiver and Junos Pulse aren't no-name developers coding in their spare time either!"

You're right, and it astounds me that "big name" developers don't sign their apps like they are supposed to.

Nix4Life
Valued Contributor

hey @AVmcclint

Went all in late last year after finally reading Tim Sutton's article here
I know you are a frequent problem solver on Jamfnation, but I forget if you have a Reposado setup or not. If you choose to disable gatekeeper, you can download the pkgs from Reposado and have Casper push them out as a work around, but +1 on what @CasperSally and @adamcodega have stated.

AVmcclint
Honored Contributor

@LSinNY No, I don't have Reposado. I've been considering a Software Update server of some kind for a while but 1) management is reluctant to introduce any Mac servers at all other than Netboot, and 2) installing Reposado on any non-Mac server would make ME 100% responsible for the non-Mac server top to bottom and that's not a responsibility i need. However, I have been using a variation of the command to get XProtect data in Files and Processes for a while, but I like the one in Tim Sutton's article where Automatic checks are enabled then disabled.:

defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true ; softwareupdate --background-critical ; defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false

Since I've been getting XProtect updates on a weekly basis, I haven't been terribly worried but it would still be nice to be able to show our Security folks that the Macs are as secure as we can get them. Although I think I will increase the XProtect frequency to daily.

jaharmi
Contributor

For planning purposes, be aware that the spctl command, when run as root, can override the Gatekeeper settings defined in a device configuration profile. The profile still appears to be installed but its settings are not reapplied.

drew_duggan
New Contributor III
New Contributor III

From a security standpoint, it makes sense to keep the OS-defaulted Gatekeeper settings enabled. With some of the malware reports out there, they seem to all be from installing unsigned third-party packages. So, as long as apps are from the App Store or packages are signed with an Apple Developer certificate, you'll still be able to distribute the apps necessary for your organization. Even if there are third-party apps that you'd like to distribute, you can still install those on your managed clients, simply by packaging them up in Composer and signing them with your developer certificate.

That's the workflow that I'd recommend, and it's more of long term solution given the direction Apple has gone, and is continuing to go, as it pertains to deploying applications.

AVmcclint
Honored Contributor

Most of the useful tools our users have are from github or other developer friendly sites. Unfortunately very few open source apps are signed. And we are primarily a Java dev shop, so no Apple Developer Certificates. We can jump up and down and complain all day long to the big name developers to make signed apps, but they will do exactly what they want to do and nothing more... unfortunately, we are forever tied to Citrix and Junos. And if I use Platypus to whip up some quickie apps, there's no way I can get a Developer signature for that. While I understand the reasons behind gatekeeper and think it's great, we do have many reasons to disable gatekeeper.