Gatekeeper is a security feature of Apple's macOS and iOS operating systems. It requires downloaded software to be digitally signed by Apple before it can be installed. It significantly reduces the chance that malware can be unintentionally installed on Apple devices. It was first introduced in macOS 10.7.3 (Lion), released on July 1, 2011.
How Gatekeeper works
When you attempt to install a downloaded application, Gatekeeper behaves in one of three ways:
- If the application was downloaded from the App Store, Gatekeeper always allows it to install. All software in the App Store undergoes a code review by Apple engineers and is given a cryptographic digital signature that is verified by Gatekeeper.
- If the application was downloaded from outside the App Store (e.g., from a website), Gatekeeper checks the software for an Apple-assigned digital signature that identifies the developer. If a signature is found and verified by Gatekeeper, the installation may continue, if permitted in system preferences (see below).
- If a digital signature is not found, the OS will warn you that the developer is unidentified. The app cannot be installed unless the user specifically permits it in system preferences (see below).
Gatekeeper protections only apply before the software is installed. After installation, the software continues to operate regardless of changes to security settings, or if its digital signature is revoked by Apple.
Gatekeeper on iOS
Apple does not condone jailbreaking iOS devices, and doing so automatically voids a device's warranty.
Changing Gatekeeper settings in macOS
In macOS, Gatekeeper settings are located in your System Preferences.
- Choose Security & Privacy.
- Select the General tab. In the lower-left corner of the window, click the lock (🔒) icon.
- Enter your password.
- Under Allow applications downloaded from, select your desired setting.
- Mac App Store requires all installed apps to be downloaded from the App Store, which is the strongest level of protection.
- Mac App Store and identified developers additionally allows apps to be installed from developers with a valid digital signature, which is the weaker level of protection. Your device could be at a low risk of malware infection.
- Anywhere removes all restrictions, allowing you to install any downloaded application. This option disables Gatekeeper protections completely, putting your device at maximum risk of malware infection.
Gatekeeper System Administration tools
You can view and change Gatekeeper settings from the macOS command line with the spctl command. For more information, open a terminal and run:
To work with code signatures, use the codesign command. For more information, run:
To create customized Gatekeeper rules in a large organization, use Profile Manager in macOS Server. For details, visit Apple's guide to macOS Server Profile Manager.
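The three outcomes listed under How Gatekeeper works can be read back from the output of spctl, which makes them easy to check across a fleet. The script below is an added example, not part of the original page or Apple's own tooling; the function names are hypothetical, and the `source=` strings it matches are assumed from the output of recent macOS releases and may differ by version.

```shell
#!/bin/sh
# Added example: classify Gatekeeper's verdict for one app bundle.
# Usage on macOS: sh gatekeeper_check.sh /Applications/Some.app

# gatekeeper_enabled: succeeds if the text of `spctl --status` ($1)
# reports that assessments are enabled (i.e. not the "Anywhere" setting).
gatekeeper_enabled() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_assessment: reads `spctl --assess --type execute -vv <app>`
# output on stdin and prints one of:
#   app-store | identified-developer | unidentified | rejected-by-policy | unknown
classify_assessment() {
    verdict=""
    src=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *": accepted"*) verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            source=*)       src=${line#source=} ;;
        esac
    done
    case "$verdict:$src" in
        accepted:"Mac App Store")       echo app-store ;;
        accepted:*"Developer ID"*)      echo identified-developer ;;
        rejected:"no usable signature") echo unidentified ;;
        rejected:*)                     echo rejected-by-policy ;;
        *)                              echo unknown ;;
    esac
}

# Only query the system when spctl exists and a path was given.
if command -v spctl >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    if gatekeeper_enabled "$(spctl --status 2>&1)"; then
        echo "Gatekeeper: enabled"
    else
        echo "Gatekeeper: disabled"
    fi
    # spctl writes its verbose assessment to stderr, hence 2>&1.
    spctl --assess --type execute -vv "$1" 2>&1 | classify_assessment
fi
```

For the signature details behind an `identified-developer` result, `codesign -dv --verbose=4` on the same bundle prints the signing authority chain.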