OS X: About Gatekeeper

Gatekeeper helps protect your Mac from apps that could adversely affect it.

Some apps downloaded and installed from the Internet could adversely affect your Mac. Gatekeeper helps protect your Mac from such apps. Read this article to learn about Gatekeeper and its options.

Gatekeeper is a new feature in Mountain Lion and OS X Lion v10.7.5 that builds on OS X's existing malware checks to help protect your Mac from malware and misbehaving apps downloaded from the Internet.

The safest and most reliable place to download and install apps is via the Mac App Store. Apple reviews each app before it's accepted by the store, and if there's ever a problem with an app, Apple can quickly remove it from the store.

For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven't been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed.

Note: If you have an app that has not been signed with a Developer ID to support Gatekeeper, contact the developer of the app to determine if they offer an update which supports Gatekeeper.

Malware detection (not Gatekeeper) uses what is known as a "deny list" technique to prevent known malware from running on your Mac. Unique attributes of identified malware are added to this list. If you attempt to open an app on the deny list, you will see a message informing you about it.

Note: If an app with a revoked Gatekeeper certificate is already installed, it will continue to run.

Important: Developer ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet.

Gatekeeper options

Gatekeeper gives you more control over what you install. You can choose the safest option and only allow apps that come from the Mac App Store to open. There is also the option of only allowing apps that come from the Mac App Store and identified developers. Or you can choose to allow any apps to open, just like previous versions of OS X.

Gatekeeper options are found in Apple menu > System Preferences… > Security & Privacy > General tab under the header "Allow applications downloaded from:"

Note: The default setting for Gatekeeper in OS X Lion v10.7.5 is "Anywhere".

Gatekeeper options are:

  • Mac App Store – Only apps that came from the Mac App Store can open.
  • Mac App Store and identified developers (default in OS X Mountain Lion) – Only apps that came from the Mac App Store and from developers using Gatekeeper can open.
  • Anywhere – Allow applications to run regardless of their source on the Internet (default in OS X Lion v10.7.5); Gatekeeper is effectively turned off. Note: Developer ID-signed apps that have been inappropriately altered will not open, even with this option selected.

How to open an app from an unidentified developer and exempt it from Gatekeeper

If you are confident the app downloaded from the Internet is the latest version and is from a source you trust, you can open an app from an unidentified developer by following these steps.

Important: Some Apple screened apps from developers that are in the process of acquiring Developer ID signatures will present the "Open" option when they are double-clicked.

Note: In most cases, you will only have to perform these steps once for all user accounts on the Mac:

  1. In Finder, Control-click or right-click the icon of the app.
  2. Select Open from the top of the contextual menu that appears.
  3. Click Open in the dialog box. If prompted, enter an administrator name and password.

Note: If an app presents multiple Gatekeeper dialog boxes, you can temporarily use Gatekeeper's "Always" option. Afterward, make sure to restore the Gatekeeper option that was selected before, so that Gatekeeper protection is back in effect.

Gatekeeper messages

  • Gatekeeper options set to "Mac App Store"
    • "App name" can't be opened because it was not downloaded from the Mac App Store
      • Your security preferences allow installation of only apps from the Mac App Store.
      • Safari downloaded this file Date from URL.

  • Gatekeeper options set to "Mac App Store and identified developers"
    • "App name" can't be opened because it is from an unidentified developer
      • Your security preferences allow installation of only apps from the Mac App Store and Identified developers.
      • Safari downloaded this file Date from URL.

  • "Damaged" app – The app has been altered by something other than the developer. This message will appear no matter the Gatekeeper option chosen.
    • "App name" is damaged and can't be opened. You should move it to the Trash.
      • Safari downloaded this file on Date & Time from URL.

  • Control-clicking the app icon, then selecting "Open" – Used to exempt an app from an unidentified developer from Developer ID signature protection.
    • "App name" is from an unidentified developer. Are you sure you want to open it?
      • Opening "App name" will always allow it to run on this Mac.
      • Safari downloaded this file Date from URL.

Learn more

System administrators

Manage Gatekeeper policy

Gatekeeper uses rule-based policies that can be modified for education and enterprise environments.

Use Profile Manager to customize Gatekeeper policies.

See man spctl for Terminal command methods to customize and inspect Gatekeeper policies. This will give you direct access to the System Policy Assessor.

See man codesign to examine code signatures.
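
What inspecting an app with spctl and codesign looks like in Terminal, as an added example that is not part of the original article. The helper names gk_verdict and gk_inspect are hypothetical, the sample outputs are constructed, and the mapping from the source that spctl reports to a Gatekeeper option is this example's reading of the options listed above.

```shell
#!/bin/sh
# Added example: relate `spctl --assess` output to the Gatekeeper options.

# Read assessment text on stdin ("<path>: accepted|rejected" plus a
# "source=..." line, as printed by `spctl --assess --verbose`) and print
# which Gatekeeper option would let the app open. Labels are this example's.
gk_verdict() {
    awk '
        /: rejected$/ { verdict = "rejected" }
        /: accepted$/ { verdict = "accepted" }
        /^source=/    { sub(/^source=/, ""); source = $0 }
        END {
            if (verdict == "rejected")
                print "blocked: " source
            else if (verdict == "accepted" && source == "Mac App Store")
                print "allowed under: Mac App Store"
            else if (verdict == "accepted" && source ~ /Developer ID$/)
                print "allowed under: Mac App Store and identified developers"
            else if (verdict == "accepted")
                print "accepted: " source
            else
                print "unknown"
        }'
}

# Run the checks against a real app bundle (Mac only).
gk_inspect() {
    app=$1
    spctl --status    # "assessments enabled" or "assessments disabled"
    # Has the bundle been altered since it was signed?
    codesign --verify --verbose=2 "$app" || echo "signature check failed"
    # Who signed it? Authority= lines list the certificate chain.
    codesign --display --verbose=2 "$app" 2>&1 | grep '^Authority=' \
        || echo "no Authority lines (unsigned?)"
    # Would Gatekeeper allow it to launch?
    spctl --assess --verbose --type execute "$app" 2>&1 | gk_verdict
}

# Constructed sample outputs (paths are made up) for trying gk_verdict off a Mac.
SAMPLE_MAS='/Applications/Example.app: accepted
source=Mac App Store'
SAMPLE_DEVID='/Applications/Example.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED='/Applications/Example.app: rejected
source=no usable signature'

# Inspect a real bundle only when a path is given and spctl is present.
if [ -n "${1:-}" ] && command -v spctl >/dev/null 2>&1; then gk_inspect "$1"; fi
```

A "blocked" result corresponds to an app that opens only under "Anywhere" or after the Control-click exemption described earlier.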
