Jamf Nation Community

adrianw82 · ‎08-14-2023

This is a weirdly specific situation and I'm just trying to figure out if there's a way to do what I want via a more targeted shell script versus a master override. Also, sorry in advance...you'll probably hear from me a lot about weirdly specific situations because they seem to gravitate to me. Anyway...

I work at a school using various types of audio and video software and their related plug-ins. We have a class in a lab of about 14 computers (so, at least not a lot of machines...) using Reaper and Max among others. With these two apps, they happen to be using a bundle of third-party plug-ins that all appear individually within the folder and thus, kick off Gatekeeper for every single file in that folder- right when Reaper or Max tries to scan them upon first launch.

So basically, about 12 popups occur giving you the third-party app warning about Gatekeeper, which in a few occasions has also crashed or required me to force-quit Reaper (which is part of the problem).

So that's why I thought, okay, override Gatekeeper temporarily so they can be scanned- problem solved. I did it via Terminal within our admin account to make sure it worked (and then reenabled, and then ran the status command to make sure Gatekeeper was reenabled).

But then I realized, this will happen to every user the first time they log in and launch Reaper. So now I'm wondering, if there *is* a workaround or a better way to do this other than going over there and getting everybody set up individually, 1) how much of it involves Reaper versus these specific plug-ins versus Gatekeeper being Gatekeeper, 2) is there a script that would disable Gatekeeper only upon first launch of the app (so it can scan these plug-ins) and then a second script to reenable, and 3) is this writeable as a policy or something that could be packaged as an installer in such a way that I could avoid this?

Otherwise, I guess I can just write something up for the students (their accounts have local admin access)...but I'm not 100% sure that solves everything anyway because like I said, Reaper will often crash when this happens.

Has anyone run into anything similar? What would you say is my best option here?

junjishimazaki · ‎08-14-2023

Hi there, I think the best option is to create a configuration profile and add the system extension for each of the plugins with the teamID and maybe include a PPPC if each of the plugsin require any additional access.

jamf-42 · ‎08-14-2023

can't give a solution, but why are the plugins pinging gatekeeper? are they not signed?

adrianw82 · ‎08-14-2023

Oh sorry, I left that part out. Yeah, guess not. My other thought was to contact the developer.

AJPinto · ‎08-15-2023

If its gatekeeper, there is an issue with the applications notarization. The correct "fix" is to reach out to the app developer and make them fix their certificate and redistribute the app. As we all know that is not happening, you can look in to using xattr to add the app's to gatekeepers whitelist with a script.

adrianw82 · ‎08-16-2023

Not familiar with xattr but I just looked it up...think you're onto something.

AJPinto · ‎08-16-2023

xattr -d com.apple.quarantine {path to app or binary}

Jamf Nation Community

disabling Gatekeeper only upon first launch of an app- third-party plug-ins with Reaper and Max