Unsigned apps and unidentified developers and Gatekeeper, working but how?

New Contributor III

We have Jamf configured on 99% of Macs so Gatekeeper will only allow apps from "App Store" and "App Store and identified developers".
When we get an app from an unidentified developer and it's not signed we install it in the applications folder on a Mac that has Gatekeeper set to allow apps from "Anywhere" (the 1%). Click it to open, gatekeeper asks if we want to allow it and we click yes.
Once installed we then make a pkg of that app, (we don't sign it) upload to Jamf, create a policy and the 99% who couldn't install it previously now can.
My question is how does that work? Whats happened to the app to allow that to work? Thanks.


Honored Contributor II

If I am not mistaken once you clear quarantine on your packaging device that quarantine "break" follow the source files to the new device the package is installed on.

New Contributor II

The Gatekeeper settings can be found in System Preferences > Security & Privacy > General. The Gatekeeper options are located beneath “All apps downloaded from:” with the choice of “Anywhere” missing. Now, relaunch System Preferences and head back to the Gatekeeper settings.

Lite Blue

Contributor II

@user-MygFNHEclO  Sorry if this sounds a bit obtuse, but are you using before and after snapshots or just dragging the app into Composer? Is the quarantine bit inside the app bundle or somewhere else? I have a whole bunch of  specialized graphic apps (Signal Culture) requested by a department. They don't have .pkg installers--just the entire app bundle inside a dmg for drag-n-drop into the Apps folder. If I do that on a Mac and then do the whole "allow anyway" will that remove the quarantine bit and allow me to re-package and deploy so that the lab users can simply launch the app as if it was properly signed? 

Contributor II

@user-MygFNHEclO So basically you need a build Mac with the lower Security prefs "allow from anywhere," install the un-signed app, launch it,  grant any approvals manually, then re-package/deploy with policy and the endpoints won't complain? Does this process require before and after snapshots to capture any filesystem changes outside the app or is the quarantine bit  set  to on/off inside the app bundle itself?