How to enhance Mac security with Gatekeeper and UEM

If you are a Mac user, I am sure that you might have heard the name Gatekeeper at least once in your life. Most Mac users have heard the name Gatekeeper but have very little idea about what it is or what it does. As the name suggests, Gatekeeper acts like a security guard for apps. But before we get into the details about Gatekeeper, we must know what file quarantine in Mac devices means.

File quarantine in macOS

The process of tagging apps or files or documents downloaded from the internet is known as file quarantining. The tag also called the quarantine flag is given to the files by the app that downloads the file, like web browser, mail app, etc. But the process of flagging the files is not a mandatory process and many 3rd –party app stores and installers don’t flag the files downloaded by them.

The main idea of flagging the files is to let the device know that the files are downloaded from unknown sources and might be harmful. When a user tries to open a quarantined file, the system warns the user that the file is from an unknown source and might contain malicious entities associated with it. The file can only be opened if the warning is acknowledged by the user.

File quarantine was introduced in 2007, along with the OS X 10.5, Leopard update. File quarantine on its own was not that effective because the users were only given a warning and on acknowledging it the files could be opened. But with consequent updates, more features were introduced that used the file quarantine function and Gatekeeper was one of those features.

What is macOS Gatekeeper and what does it do on Mac?

Gatekeeper was introduced with the OS X 10.8 Mountain Lion update. This feature essentially allows users to specify what type of apps can be installed on their Mac devices (Store apps or apps downloaded from third-party apps). Using the settings, users could restrict app installation to only app stores or also include identified developers.

Gatekeeper becomes active when apps are allowed to be downloaded from outside the Mac App Store. When a third-party app, plug-in, or even an installer package is downloaded from outside the store and tried to be opened, the Gatekeeper becomes active. Gatekeeper allows 2 major settings: 1) Allow apps only from the App Store and 2) Allow apps from App Store and identified developers. In the earlier versions of macOS there was another setting, Allow apps from anywhere.

By default, the setting would be in the Allow apps from App Store and identified developers. But the most restrictive setting would be the Allow app from App Store. Apps from the App Store are often considered the most secure apps and it is always safe to be used because before its approval the app is tested by Apple itself for malware and any other malicious entities.

That is not the case for third-party apps. But Apple is not willing to endanger the safety of devices to run malicious apps. So, to check third-party apps, the apps have to be code signed, meaning the app has to be signed with the developer ID and also provided with a certificate that is issued by Apple for trusted developers.

When third-party apps are opened on Mac devices, the Gatekeeper checks the app for the code sign and allows its execution only if the details are verified. If Gatekeeper fails to verify the details, then a warning message is shown saying the app is not from a trusted source and cannot be installed.

With the introduction of notarization by Apple, users can now be more confident while installing third-party applications. This is because notarization is the process by which Apple checks out an app for known malicious threats and verifies the code signature. If apps pass the notarization process the app is given a notarized badge which can be associated with the app when it is distributed.

When third-party apps, plug-ins, extensions, etc. are opened on a Mac for the first time the Gatekeeper checks for the notarization badge/ticket. If it is present the Gatekeeper allows the app/file to be opened instantly and won’t raise any warning messages. When the file misses a notarization ticket, the Gatekeeper verifies the integrity of the code signature.

How to configure Gatekeeper settings

To configure the Gatekeeper, you have to follow these steps:

1. Go to the Apple menu.
2. Select System Preferences → Security & Privacy.
3. In the General tab, click on the lock icon at the bottom left part and enter the administrator credentials.
4. Select an option from Allow apps downloaded from: App Store or App Store and identified developers.

How to bypass Gatekeeper?

Although it is not recommended, Gatekeeper can be bypassed in multiple ways. Bypassing Gatekeeper lets users install apps downloaded from anywhere and not even a warning message will be displayed if Gatekeeper is switched off.

1. Bypass Gatekeeper using right-click or control-click
   If you want to open an app without disabling Gatekeeper the best way is to open the app from Finder using a control-click. For this find the app in Finder and control-click it. From the options select open and in the warning message click open. This should help you open the app even if the most restrictive settings are applied.
2. Bypass Gatekeeper using System Preferences
   You can also bypass the Gatekeeper using System Preferences. For this, first, you have to identify the details of the blocked app from under the Allow apps from App Store and identify developer settings. Then use the Open Anyway button to open the app without any interference.
3. Bypass Gatekeeper using Terminal
   Using the Mac Terminal, the Gatekeeper can be switched off completely. There was an anywhere option available for Gatekeeper but Apple decided to remove it. But using Terminal this option can be enforced. For this make sure that System Preferences is switched off. Then open Terminal and enter the following command:

Press return. Enter the admin credentials if asked and press return again. Now the Anywhere option will be available and selected under Allow apps from in the General tab of System Preferences.

Is macOS Gatekeeper alone enough to save your device from malware?

In the early stages of its launch, Gatekeeper used to work only on the files/executables that were quarantine flagged. This was not enough to keep devices safe as a file without the quarantine flag could easily walk past the Gatekeeper. Downloading files without a quarantine flag is not that much of a challenge. Even removing quarantine flags is not that big of a task.

Later on, Gatekeeper was upgraded so that it could check all apps irrespective of their source. But problems were still getting reported. Minor bugs and exploitable flaws were reported by cybersecurity experts through which malware could be easily manipulated into a system.

Gatekeeper doesn’t do runtime checks on apps and this might cause serious issues if a malicious app posing to be an innocent one gets past the initial check. Also, it keeps an eye out only for known threats and not newer ones.

But Apple doesn’t compromise on safety issues, so a lot of Gatekeeper updates have been released by them and each update resolved the existing bugs. Apple is trying to make Gatekeeper a standard for app-level security.

How to configure macOS Gatekeeper settings remotely?

In an organization that has over 10-20 devices, setting up the Gatekeeper in each device one by one is not an easy task. That is where a UEM like Hexnode comes in. With UEMs it is simple to configure the Gatekeeper settings for multiple devices very easily. All it takes to configure Gatekeeper settings for a few 100 to a few 1000 is a few clicks.

Featured Resource

A complete guide to Mac device management

Organizations can use UEMs to configure and manage endpoints while increasing staff productivity. Learn how to leverage Hexnode's Mac management features to make the most out of your Mac endpoints.

Download White paper

Not only can Gatekeeper be switched on using a UEM but it can also be switched off completely. This comes in handy when organizations use a lot of in-house apps. In-house apps are those built for use inside the organization and most of them don’t mind code signing them or notarizing them.

Apple usually allows third-party kernel or system extensions only if they are notarized. But kernel and system extensions pushed to devices using a UEM need not be notarized. This proves useful because organizations need not wait for the necessary extensions to be notarized to be used inside the organization. This can save a lot of time for organizations.

So, in conclusion, even though Gatekeeper might be annoying at times, it helps you keep your device safe at least from known threats. It is always recommended to switch on Gatekeeper and not try to bypass it unless it is absolutely necessary.