• Guides
  • Ebooks
  • About
  • Follow
  • Contact
Menu

The Instructional

  • Guides
  • Ebooks
  • About
  • Follow
  • Contact
gatekeeper-hero-2a.jpg

Gatekeeper Fundamentals, Part 2

February 12, 2014

In the previous part of our series on Gatekeeper, we explored its features and options that can be configured within System Preferences, as well as how to explicitly allow apps to run. Now, let's take a look at how Gatekeeper can be further managed from the command line.

The spctl command

The command spctl (man page) offers a non-graphical way of interacting with Gatekeeper, providing a way of enabling or disabling the service, as well as managing exceptions.

Checking the Status of Gatekeeper

spctl --status

The results for this command will either be assessments enabled or assessments disabled, depending on whether Gatekeeper is set to only allow apps from the Mac App Store and identified developers, or apps from anywhere.

spctl-status

Enabling or Disabling Gatekeeper

To alter the state of Gatekeeper, you must run the command as root. 

sudo spctl --master-disable

sudo spctl --master-enable

The first command will set Gatekeeper to allow apps from anywhere. The second command will change this to allow apps from only the Mac App Store and identified developers.

Interestingly, enabling Gatekeeper from the command line will always allow apps form the Mac App Store and identified developers, it will not set it to the most restrictive option of allowing only apps from the Mac App Store.

Viewing Approved Apps

OS X doesn't provide a graphical interface for viewing apps that have been explicitly allowed to run. This doesn't mean we can't see what this list of approved apps, however, as we can use spctl to list what apps have been explicitly approved. 

spctl --list

The above command will list all apps, installers and plug-ins that Gatekeeper has allowed.

List of approved apps

Despite the wall of text that the command outputs, we can see that apps we've explicitly approved are listed at the bottom with the label UNLABELED.

To make it easier to see just the apps that we've explicitly allowed, we can add a little extra to the command:

spctl --list | grep UNLABELED

This filters the list to just the apps that we've approved.

Using grep will filter the results

Alternatively, you can check if an individual app has been allowed to run by using:

spctl -a /Applications/MyApp.app

If Gatekeeper isn't allowing the app to run, the message /Applications/MyApp.app: rejected is displayed.

Approving or Blocking Apps

Finally, we can approve or block apps using the command line. Rather than allowing individual apps on a case-by-case basis, spctl works by creating rules, organised by labels. This provides a way of organising separate lists of apps that can be approved or blocked en-masse.

Approving Apps

To allow an app to run, we first assign it a label:

spctl --add --label "ApprovedApps" /Applications/MyApp.app

Next, we tell Gatekeeper that we want to approve all apps with the label ApprovedApps:

spctl --enable --label "ApprovedApps"

Gatekeeper will now allow any apps to run that would otherwise be blocked form doing so, provided they have the label ApprovedApps assigned.

Now that we have rule that allows apps of a specific label name, we can repeat the process and assign the same label to other apps that might be blocked:

spctl --add --label "ApprovedApps" /Applications/AnotherApp.app

Only this time, we don't need to enable the label again.

Blocking Apps

Now, what if MyApp.app turned out to actually be malicious? As OS X prove provides no graphical interface for managing apps that have been approved, it would still be allowed to run.

We can block the entire label by using --disable:

spctl --disable --label "ApprovedApps"

While this would certainly prevent MyApp.app from being opened again, we've also blocked every other app that has the label ApprovedApps assigned.

A better way would be to create a custom label specifically targeted to apps that you want to block.

First, specify a rule that blocks apps with the label BlockedApps:

spctl --disable --label "BlockedApps"

Next, remove the ApprovedApps label from MyApp.app:

spctl --remove --label "ApprovedApps" /Applications/MyApp.app

Finally, add the label BlockedApps to MyApp.app:

spctl --add --label "BlockedApps" /Applications/MyApp.app

This process will block just MyApp.app by changing its label to one that is blocked at all times. You can use this label as a quarantine list, moving offending apps into it as and when needed.

As you saw earlier, some of the apps we explicitly allowed by either control-clicking to open or via System Preferences are not assigned any label. You can still assign a label in the same way as we've just covered.

Wrapping Up

Gatekeeper is far more customisable and flexible than it first appears, mostly thanks to the command line. For most users, there really isn't any need to go into Terminal, though Mac Admins will likely be interested in the increased control that can be levied when it comes to protecting their user base.

Padlock image credit: Simon Cocks. Licensed under Creative Commons Attribution 2.0 Generic.

You can purchase the complete guide to Gatekeeper Fundamentals as an ebook in ePub and PDF format for just $0.99.

Permalink

Save:
Instapaper
Pocket
Readability
In Mac Tags gatekeeper
← Parental Controls With iOS RestrictionsGatekeeper Fundamentals, Part 1 →

Categories

  • Highly Recommended (2)
  • General (5)
  • Offsite (20)
  • iOS (23)
  • Mac (43)

Archives

  • October 2020 (4)
  • September 2020 (1)
  • July 2015 (1)
  • September 2014 (4)
  • August 2014 (6)
  • June 2014 (10)
  • May 2014 (12)
  • April 2014 (8)
  • March 2014 (11)
  • February 2014 (11)

© 2015-2022 The Instructional. Trademarks and brands are the property of their respective owners. Chimney Pool