How to programmatically check and modify the gatekeeper status

harshagv
New Contributor

I wanted to check the current gatekeeper status using a bash script preferably to find out whether the status is set to:

1. App Store

2. App Store and identified developers

3. Anywhere

Running the commands below enables Gatekeeper with "App Store" only, but it does not help to change it to "App Store and identified developers":

spctl --master-enable
defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true

Kindly suggest how to achieve both these tasks.

pete_c
Valued Contributor

If you look at a computer record > Security, there's already a field for Gatekeeper, and this can be used as a criteria for an Advanced Computer Search or a Smart Group.

If you'd like to enforce this setting, consider a Configuration Profile with a Security & Privacy > General payload.

 

harshagv
New Contributor
  • computer record > Security, there's already a field for Gatekeeper
    Yes, It does;
    But my question is about how to check the Gatekeeper status programmatically, not via the UI.

  • enforce this setting, consider a Configuration Profile with a Security & Privacy > General payload.
    I tried 
    Could you please provide an example?

 

# Note: bash brace-expands {7,6} to "7 6", so spctl receives "--rule 7 6"
/usr/sbin/spctl --disable --rule {7,6}          # setting Gatekeeper to "App Store"

/usr/sbin/spctl --enable --rule {8,7,6,5,4}     # setting Gatekeeper to "App Store and identified developers"

 

But this did not seem to update the gatekeeper status to required values. 
macOS version was Sonoma 14.3.

 

AJPinto
Esteemed Contributor

I use an Extension Attribute to monitor the status for easy reporting. An if statement could be added to run the command to set the gatekeeper status based on the result of the command, but I would suggest just configuring it with a Configuration Profile. 

Edit: I totally spaced on Apple's MDM framework not preventing Gatekeeper from being disabled for some stupid reason. You can also target a policy to run the command to enable Gatekeeper on devices with it disabled.


#!/bin/bash

## Get results for Gatekeeper status ("assessments enabled" or "assessments disabled")
GateKeeper_Status=$(/usr/sbin/spctl --status)

## Write results of Gatekeeper status for Jamf reporting
echo "<result>GK: $GateKeeper_Status</result>"

 

harshagv
New Contributor

No; this script would always display `assessments enabled` and does not help us to figure out whether the status is set to

  • 'App Store'
  • 'App Store and identified developers'

AJPinto
Esteemed Contributor

App Store vs App Store and Identified Developers should be configured with a Configuration Profile. If this is done correctly with a Configuration Profile the user cannot change it even with Admin Access.


[screenshot attachment: AJPinto_0-1707140514076.png]


A user with admin access can still disable or modify the Gatekeeper status:

 

spctl --master-disable

 

AJPinto
Esteemed Contributor

Correct, I pointed this out in my original comment. I would just target a policy at devices with Gatekeeper disabled with a command to enable it. There is still a window where Gatekeeper would be disabled, as it takes time for Jamf to be aware a client change happened. The only way to totally close this hole is to remove admin access.

spctl --master-enable
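The thread asks for two things: a way to tell the three Gatekeeper modes apart from a script (which `spctl --status` alone cannot do, as harshagv points out), and a way to switch between "App Store" and "App Store and identified developers" (the `--rule` numbers tried above are not stable across machines). The script below is an added example, not code from any poster in this thread, and combines both: a Jamf Extension Attribute that reports the mode, plus a remediation function of the kind AJPinto describes for a policy scoped to non-compliant Macs. It reads `spctl --status` (which prints "assessments enabled" or "assessments disabled") and `spctl --list` (the rule table); the assumptions are that the Developer ID allow rule appears in that table as a line containing ` allow [Developer ID]` and that a rule switched off shows a `(disabled)` marker on that line. Confirm both against `sudo spctl --list` on your own build before relying on the classification. Enforcement uses the `--label "Developer ID"` form documented in spctl(8) rather than numeric rule IDs. The sample outputs in the block are constructed for illustration. A Configuration Profile remains the only tamper-resistant way to pin the setting; this script only observes and repairs.

```shell
#!/bin/bash
# Added example: classify the Gatekeeper mode from spctl output and
# optionally enforce a desired mode. Not from the original thread.
#
# Assumptions (verify on your build):
#   - `spctl --status` prints "assessments enabled" / "assessments disabled".
#   - `spctl --list` has one line per rule; the Developer ID allow rule
#     contains " allow [Developer ID]" and carries "(disabled)" when off.

# classify_gatekeeper STATUS_TEXT LIST_TEXT
# Prints one of: Anywhere | App Store | App Store and identified developers | Unknown
classify_gatekeeper() {
    local status_text="$1" list_text="$2" devid_lines
    case "$status_text" in
        *"assessments disabled"*) echo "Anywhere"; return 0 ;;
        *"assessments enabled"*)  ;;                       # fall through to rule check
        *) echo "Unknown"; return 1 ;;
    esac
    # Only the "[Developer ID]" allow rule matters; "[Developer ID Installer]"
    # does not match the fixed string below. "|| true" keeps set -e callers alive.
    devid_lines=$(printf '%s\n' "$list_text" | grep -F ' allow [Developer ID]' || true)
    if [ -z "$devid_lines" ]; then
        echo "Unknown"; return 1
    fi
    if printf '%s\n' "$devid_lines" | grep -q '(disabled)'; then
        echo "App Store"
    else
        echo "App Store and identified developers"
    fi
}

# gatekeeper_mode: run the real commands (macOS only, run as root) and classify.
gatekeeper_mode() {
    classify_gatekeeper "$(/usr/sbin/spctl --status 2>&1)" \
                        "$(/usr/sbin/spctl --list 2>/dev/null)"
}

# set_gatekeeper_mode MODE: enforce a mode (requires root). Uses --label
# from spctl(8) instead of numeric --rule IDs, which differ between machines.
set_gatekeeper_mode() {
    case "$1" in
        "App Store")
            /usr/sbin/spctl --master-enable && \
            /usr/sbin/spctl --disable --label "Developer ID" ;;
        "App Store and identified developers")
            /usr/sbin/spctl --master-enable && \
            /usr/sbin/spctl --enable --label "Developer ID" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Constructed sample `spctl --list` outputs (assumed format, for illustration only).
SAMPLE_LIST_DEVID_ENABLED="$(printf '%s\n' \
    '8[Apple System] P20 allow [Apple System]' \
    '9[Mac App Store] P10 allow [Mac App Store]' \
    '10[Developer ID] P10 allow [Developer ID]' \
    '11[Developer ID] P10 allow [Developer ID Installer]')"
SAMPLE_LIST_DEVID_DISABLED="$(printf '%s\n' \
    '8[Apple System] P20 allow [Apple System]' \
    '9[Mac App Store] P10 allow [Mac App Store]' \
    '10[Developer ID] P10 allow [Developer ID] (disabled)' \
    '11[Developer ID] P10 allow [Developer ID Installer] (disabled)')"

# Jamf EA report: only runs where spctl exists, so the classifier above can be
# exercised on any platform with the sample text.
if [ -x /usr/sbin/spctl ]; then
    echo "<result>$(gatekeeper_mode)</result>"
fi
```

To use it as the remediation policy AJPinto describes, scope a policy to a Smart Group built on the EA value and have the policy script call `set_gatekeeper_mode "App Store and identified developers"`; the EA itself prints the mode name, so the existing "GK:" EA above can be replaced by this one without changing the Smart Group criteria beyond the expected value.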

 

mvu
Valued Contributor III

Can't recall who I got this from. But thanks.

EA:

#!/bin/sh

# Reads the version of the Gatekeeper opaque whitelist bundle (gkopaque.bundle)
GTvers=$( /usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" /private/var/db/gkopaque.bundle/Contents/Info.plist )

echo "<result>$GTvers</result>"

harshagv
New Contributor

This script just displays the Gatekeeper version.

mvu
Valued Contributor III

Misread.