Gatekeeper

Updated: 06/22/2018 by Computer Hope
Illustration: macOS Gatekeeper.

Gatekeeper is a security feature of Apple's macOS and iOS operating systems. It requires downloaded software to be digitally signed by Apple before it can be installed. It significantly reduces the chance that malware can be unintentionally installed on Apple devices. It was first introduced in macOS 10.7.3 (Lion), released on July 1, 2011.

How Gatekeeper works

Gatekeeper security applies only to applications downloaded from the Internet. Software installed from other sources, including network drives and removable media, is not checked by Gatekeeper.

When you attempt to install a downloaded application, Gatekeeper behaves in one of three ways:

  • If the application was downloaded from the App Store, Gatekeeper always allows it to install. All software in the App Store undergoes a code review by Apple engineers and is given a cryptographic digital signature that is verified by Gatekeeper.
  • If the application was downloaded from outside the App Store (i.e. from a website), Gatekeeper checks the software for an Apple-assigned digital signature that identifies the developer. If a signature is found and verified by Gatekeeper, the installation may continue, if permitted in system preferences (see below).
  • If a digital signature is not found, the OS will warn you that the developer is unidentified. The app cannot be installed, unless the user specifically permits it in system preferences (see below).

Note

Gatekeeper protections only apply before the software is installed. After installation, the software will continue to operate regardless of changes to security settings, or if its digital signature is revoked by Apple.

Gatekeeper on iOS

On iOS, Gatekeeper requires all apps to be installed from the App Store. Gatekeeper settings cannot be altered on iOS devices (iPhones and iPads) unless the device is jailbroken.

Warning

Apple does not condone jailbreaking iOS devices, and doing so automatically voids a device's warranty.

Changing Gatekeeper settings in macOS

Note

To change these settings, your user account must have Administrator privileges.

In macOS, Gatekeeper settings are located in your System Preferences.

  1. Open the Apple Menu (on the left side of your menu bar). Choose System Preferences.

Screenshot: From the Apple Menu, choose System Preferences.

  2. Choose Security & Privacy.

Screenshot: In the System Preferences menu.

  3. Select the General tab. In the lower-left corner of the window, click the lock icon (🔒).

Screenshot: In Security And Privacy, choose the General tab, then click the lock icon.

  4. Enter your password.

Screenshot: Enter your password.

  5. Under Allow applications downloaded from, select your desired setting.

Screenshot: Under Allow apps downloaded from, choose your desired security option.

  • Mac App Store requires all installed apps to be downloaded from the App Store, which is the strongest level of protection.
  • Mac App Store and identified developers additionally allows apps to be installed from developers with a valid digital signature, which is the weaker level of protection. Your device could be at a low risk of malware infection.
  • Anywhere removes all restrictions, allowing you to install any downloaded application. This option disables Gatekeeper protections completely, putting your device at maximum risk of malware infection.

Gatekeeper System Administration tools

You can view and change Gatekeeper settings from the macOS command line with the spctl command. For more information, open a terminal and run:

man spctl
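
As an added example (not part of the original page), the script below uses spctl to report whether Gatekeeper is enabled and to sort applications into the cases described under "How Gatekeeper works". The function names and sample output are constructed for illustration, and the "accepted"/"rejected" and "source=" strings are assumed to match what spctl prints on your macOS version.

```sh
#!/bin/sh
# Added example (not from the original page): audit apps against Gatekeeper.
# Assumption: `spctl --assess -vv` prints "<path>: accepted|rejected" followed
# by a "source=..." line; verify the exact strings on your macOS version.

# Succeeds when `spctl --status` output says assessments are enabled.
gatekeeper_enabled() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map one assessment's output onto the cases described above.
classify_assessment() {
    verdict=$(printf '%s\n' "$1" | sed -n '1p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | sed -n '1p')
    case "$verdict" in
        *": accepted")
            case "$src" in
                "Mac App Store")  echo "app-store" ;;
                *"Developer ID"*) echo "identified-developer" ;;
                *)                echo "accepted-other" ;;
            esac ;;
        *": rejected") echo "rejected" ;;
        *)             echo "unknown" ;;
    esac
}

# Print "<category><TAB><path>" for each app bundle given as an argument.
audit_apps() {
    for app in "$@"; do
        # spctl writes its verdict to stderr and exits non-zero on rejection.
        out=$(spctl --assess --type execute -vv "$app" 2>&1) || true
        printf '%s\t%s\n' "$(classify_assessment "$out")" "$app"
    done
}

# Constructed sample output, for trying the parser away from a Mac.
SAMPLE_SIGNED='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_UNSIGNED='/Applications/Unsigned.app: rejected
source=no usable signature'

# On macOS: report Gatekeeper state, then audit the apps named as arguments.
if command -v spctl >/dev/null 2>&1; then
    gatekeeper_enabled "$(spctl --status 2>&1)" || echo "WARNING: Gatekeeper is disabled"
    audit_apps "$@"
fi
```

Run it with one or more application paths as arguments; any line starting with "rejected" or "unknown" is an app Gatekeeper would not accept under the current setting.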

To work with code signatures, use the codesign command. For more information, run:

man codesign

To create customized Gatekeeper rules in a large organization, use Profile Manager in macOS Server. For details, visit Apple's guide to macOS Server Profile Manager.
