Posted on 07-06-2022 07:20 AM
We have Jamf configured on 99% of Macs so Gatekeeper will only allow apps from "App Store" and "App Store and identified developers".
When we get an app from an unidentified developer and it's not signed, we install it in the Applications folder on a Mac that has Gatekeeper set to allow apps from "Anywhere" (the 1%). We click it to open, Gatekeeper asks if we want to allow it, and we click yes.
Once installed, we then make a pkg of that app (we don't sign it), upload it to Jamf, create a policy, and the 99% who couldn't install it previously now can.
My question is: how does that work? What's happened to the app to allow that to work? Thanks.
Posted on 07-06-2022 07:27 AM
If I am not mistaken, once you clear quarantine on your packaging device, that quarantine "break" follows the source files to the new device the package is installed on.
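The "quarantine" the reply refers to is the com.apple.quarantine extended attribute that Gatekeeper keys on. As an added example (not code from the thread or from Jamf), this Python script parses that attribute's value and audits an .app bundle for files that still carry it before you package it; the parser is platform-independent, while the bundle walk shells out to `xattr` and so only runs on macOS.

```python
"""Inspect the com.apple.quarantine attribute that Gatekeeper keys on.
Added example; parsing is offline, the bundle check needs macOS `xattr`."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

@dataclass
class Quarantine:
    flags: int          # hex bit-field written by the downloading app / LaunchServices
    downloaded: datetime
    agent: str          # app that applied the attribute, e.g. "Safari"
    uuid: str           # key into ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

def parse_quarantine(raw: str) -> Quarantine:
    """Parse the 'flags;timestamp;agent;uuid' value stored in the xattr.
    Both numeric fields are hex; older entries may omit the trailing fields."""
    parts = raw.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    flags = int(parts[0], 16)
    ts = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, ts, agent, uuid)

def read_quarantine(path: Path) -> Optional[Quarantine]:
    """Return the parsed attribute for one path, or None when absent (macOS only)."""
    r = subprocess.run(["xattr", "-p", "com.apple.quarantine", str(path)],
                       capture_output=True, text=True)
    return parse_quarantine(r.stdout) if r.returncode == 0 else None

def audit_bundle(bundle: Path) -> dict:
    """Walk an .app bundle and report every file that still carries the attribute.
    Run this on the packaging Mac before building the pkg: any hit listed here
    is a file that has not had its quarantine cleared."""
    flagged = {}
    for p in [bundle, *bundle.rglob("*")]:
        q = read_quarantine(p)
        if q is not None:
            flagged[str(p)] = q
    return flagged

if __name__ == "__main__":
    import sys
    hits = audit_bundle(Path(sys.argv[1]))
    print(f"{len(hits)} quarantined entries" if hits else "no quarantine attribute found")
```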
07-06-2022 11:15 PM - edited 07-07-2022 09:42 PM
The Gatekeeper settings can be found in System Preferences > Security & Privacy > General. The Gatekeeper options are located beneath “All apps downloaded from:” with the choice of “Anywhere” missing. Now, relaunch System Preferences and head back to the Gatekeeper settings.
Posted on 12-20-2022 07:36 PM
@user-MygFNHEclO Sorry if this sounds a bit obtuse, but are you using before and after snapshots or just dragging the app into Composer? Is the quarantine bit inside the app bundle or somewhere else? I have a whole bunch of specialized graphic apps (Signal Culture) requested by a department. They don't have .pkg installers--just the entire app bundle inside a dmg for drag-n-drop into the Apps folder. If I do that on a Mac and then do the whole "allow anyway" will that remove the quarantine bit and allow me to re-package and deploy so that the lab users can simply launch the app as if it was properly signed?
12-20-2022 07:40 PM - edited 12-20-2022 07:41 PM
@user-MygFNHEclO So basically you need a build Mac with the lower Security prefs "allow from anywhere," install the un-signed app, launch it, grant any approvals manually, then re-package/deploy with policy and the endpoints won't complain? Does this process require before and after snapshots to capture any filesystem changes outside the app or is the quarantine bit set to on/off inside the app bundle itself?