Question

How to programmatically check and modify the gatekeeper status


harshagv

I wanted to check the current Gatekeeper status, preferably using a bash script, to find out whether the status is set to:

1. App Store

2. App Store and identified developers

3. Anywhere

Running the commands below enables Gatekeeper with "App Store" only, but does not help to change it to "App Store and identified developers":

# both commands need root
spctl --master-enable
# GKAutoRearm makes macOS turn Gatekeeper back on by itself (after 30 days) if it is disabled
defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true

Kindly suggest how to achieve both these tasks.

10 replies

pete_c
  • Honored Contributor
  • 252 replies
  • February 5, 2024

If you look at a computer record > Security, there's already a field for Gatekeeper, and this can be used as a criterion for an Advanced Computer Search or a Smart Group.

If you'd like to enforce this setting, consider a Configuration Profile with a Security & Privacy > General payload.

 


harshagv
  • Author
  • New Contributor
  • 4 replies
  • February 5, 2024
  • computer record > Security, there's already a field for Gatekeeper
    Yes, it does; but my question is about how to check the Gatekeeper status programmatically, not via the UI.

  • enforce this setting, consider a Configuration Profile with a Security & Privacy > General payload.
    I tried the commands below. Could you please provide an example?

# rule numbers refer to entries in the local system policy database and differ between Macs
for r in 7 6; do /usr/sbin/spctl --disable --rule "$r"; done        # setting Gatekeeper to "App Store"
for r in 8 7 6 5 4; do /usr/sbin/spctl --enable --rule "$r"; done   # setting Gatekeeper to "App Store and identified developers"


But this did not seem to update the Gatekeeper status to the required values.
The macOS version was Sonoma 14.3.

 


AJPinto
  • Legendary Contributor
  • 2717 replies
  • February 5, 2024

I use an Extension Attribute to monitor the status for easy reporting. An if statement could be added to run the command to set the Gatekeeper status based on the result of the command, but I would suggest just configuring it with a Configuration Profile.

Edit: I totally spaced on Apple's MDM framework not preventing Gatekeeper from being disabled, for some stupid reason. You can also target a policy that runs the command to enable Gatekeeper at devices with it disabled.

#!/bin/bash
## Get results for Gatekeeper status
GateKeeper_Status=$(spctl --status)
## Write results of Gatekeeper status for Jamf reporting
echo "<result>GK: $GateKeeper_Status</result>"



harshagv
  • Author
  • New Contributor
  • 4 replies
  • February 5, 2024

No; this script always displays `assessments enabled` and does not help us figure out whether the status is set to

  • 'App Store'
  • 'App Store and identified developers'

AJPinto
  • Legendary Contributor
  • 2717 replies
  • February 5, 2024
harshagv wrote:

No; this script always displays `assessments enabled` and does not help us figure out whether the status is set to

  • 'App Store'
  • 'App Store and identified developers'

App Store vs App Store and Identified Developers should be configured with a Configuration Profile. If this is done correctly with a Configuration Profile the user cannot change it even with Admin Access.
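Putting the two recommendations in this thread together (read the state from a script for an Extension Attribute or remediation policy, and pin the "App Store" versus "App Store and identified developers" choice with a Configuration Profile), here is an added example; it is not code from any post above. It wraps `spctl --status` in testable functions, adds the remediation a policy scoped to "Gatekeeper disabled" Macs would run, and generates the Security & Privacy > General payload as a .mobileconfig (payload type com.apple.systempolicy.control, keys EnableAssessment and AllowIdentifiedDevelopers). The gk_* function names, the com.example identifiers and the output path are placeholders chosen for this example, and the spctl flag names are the Sonoma 14.3 ones used in the thread.

```shell
#!/bin/bash
# Added example, not code from the thread. The gk_* names, the com.example
# identifiers and the output path are placeholders chosen for this example.
# spctl flag names are the Sonoma 14.3 ones the thread uses.

# Map the text spctl prints to a one-word state. Taking the output as an
# argument keeps the mapping testable away from a Mac.
gk_state_from_output() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Live check. spctl --status only reports enabled/disabled; it cannot tell
# "App Store" apart from "App Store and identified developers".
gk_state() {
    gk_state_from_output "$(/usr/sbin/spctl --status 2>&1)"
}

# Extension Attribute body: Jamf stores the value between the <result> tags.
gk_extension_attribute() {
    echo "<result>$(gk_state)</result>"
}

# Remediation for a policy scoped to a smart group of Macs reporting
# "disabled". Runs as root under Jamf. GKAutoRearm makes macOS turn
# Gatekeeper back on by itself after 30 days if it is disabled again.
gk_remediate() {
    if [ "$(gk_state)" = "disabled" ]; then
        /usr/sbin/spctl --master-enable
        /usr/bin/defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true
    fi
}

# Generate the Security & Privacy > General payload as a .mobileconfig.
#   EnableAssessment           true  -> Gatekeeper on (no "Anywhere")
#   AllowIdentifiedDevelopers  true  -> "App Store and identified developers"
#                              false -> "App Store" only
# Arguments: output path, AllowIdentifiedDevelopers value (true|false).
gk_write_profile() {
    local out="$1" allow_devid="${2:-true}"
    case "$allow_devid" in true|false) ;; *) echo "allow_devid must be true or false" >&2; return 1 ;; esac
    local payload_uuid profile_uuid
    payload_uuid=$(uuidgen 2>/dev/null || echo 11111111-1111-1111-1111-111111111111)
    profile_uuid=$(uuidgen 2>/dev/null || echo 22222222-2222-2222-2222-222222222222)
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.systempolicy.control</string>
      <key>PayloadIdentifier</key>
      <string>com.example.gatekeeper.control</string>
      <key>PayloadUUID</key>
      <string>$payload_uuid</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>EnableAssessment</key>
      <true/>
      <key>AllowIdentifiedDevelopers</key>
      <$allow_devid/>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Gatekeeper (example)</string>
  <key>PayloadIdentifier</key>
  <string>com.example.gatekeeper</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>$profile_uuid</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Usage on a Mac:
#   gk_extension_attribute                        # EA output for Jamf
#   gk_remediate                                  # as root; re-enables if disabled
#   gk_write_profile gatekeeper.mobileconfig true # identified developers allowed
```

Upload the generated file to Jamf as a computer-level configuration profile (Jamf's own Security & Privacy > General payload produces the same keys); on macOS 11 and later the `profiles` command-line tool cannot install configuration profiles, so MDM delivery is the only route. As the later replies note, pinning the setting this way does not by itself stop a local admin from running `spctl --master-disable`, which is what the remediation function is for.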

 

 


mvu
  • Jamf Heroes
  • 892 replies
  • February 5, 2024

Can't recall who I got this from, but thanks.

EA:

#!/bin/sh
# Reads the version of the Gatekeeper data bundle (gkopaque.bundle), not the assessment policy
GTvers=$( /usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" /private/var/db/gkopaque.bundle/Contents/Info.plist )
echo "<result>$GTvers</result>"


harshagv
  • Author
  • New Contributor
  • 4 replies
  • February 5, 2024
AJPinto wrote:

App Store vs App Store and Identified Developers should be configured with a Configuration Profile. If this is done correctly with a Configuration Profile the user cannot change it even with Admin Access.

 

 


A user with admin access can still disable or modify the Gatekeeper status:

spctl --master-disable

 


AJPinto
  • Legendary Contributor
  • 2717 replies
  • February 5, 2024
harshagv wrote:

A user with admin access can still disable or modify the Gatekeeper status:

spctl --master-disable

 


Correct, I pointed this out in my original comment. I would just target a policy at devices with Gatekeeper disabled with a command to enable it. There is still a window where Gatekeeper would be disabled, as it takes time for Jamf to become aware that a client change happened. The only way to totally close this hole is to remove admin access.

spctl --master-enable

 


harshagv
  • Author
  • New Contributor
  • 4 replies
  • February 5, 2024
mvu wrote:

Can't recall who I got this from, but thanks.

EA:

#!/bin/sh
# Reads the version of the Gatekeeper data bundle (gkopaque.bundle), not the assessment policy
GTvers=$( /usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" /private/var/db/gkopaque.bundle/Contents/Info.plist )
echo "<result>$GTvers</result>"


This script just displays the Gatekeeper version.


mvu
  • Jamf Heroes
  • 892 replies
  • February 5, 2024
harshagv wrote:

This script just displays the Gatekeeper version.


Misread. 

