Question

I can download applications from custom websites, and run them, even when my Gatekeeper settings are at "AppStore Only". This is my application -- it's not even signed.

What could be the reason for that? I can reproduce this behavior on all my 3 macs.


Solution

This is a status-by-design feature where an admin user can always override Gatekeeper and open an application by right-clicking the app in Finder.

An admin user can also change Gatekeeper settings or disable it entirely, so there's no real harm (in my eyes at least) in presenting a one-time whitelist dialog to ensure the admin user intends to allow a non-compliant (non-signed or non-Mac App Store) application to run.

Apple's training dialog for Gatekeeper - from support.apple.com/kb/HT5290

Now if you found a way for a non-admin user to bypass Gatekeeper, then I would expect filing a security vulnerability with Apple to get credit for finding a hole once they patch whatever implementation error was made to allow out of policy apps to run.

Apple documents this feature in depth, including how to explicitly whitelist an application.

Gatekeeper is not malware protection and not a blacklist. It is a set of policies that allow first launch of properly signed applications and/or validation of Mac App Store receipts. If an admin user explicitly launches and then approves the running of non-compliant software, you have an education or policy problem as opposed to uncovering some flaw in Gatekeeper.

In detail, I have summarized (and mostly copied) the relevant sections of Apple's help on whitelisting any app so that Gatekeeper will allow it to run unhindered and unprompted:

How to open an app from an unidentified developer and exempt it from Gatekeeper

If you are confident the app downloaded from the Internet is the latest version and is from a source you trust, you can open an app from an unidentified developer by following these steps.

Important: Some Apple screened apps from developers that are in the process of acquiring Developer ID signatures will present the "Open" option when they are double-clicked.

Note: In most cases, you will only have to perform these steps once for all user accounts on the Mac:

  • In Finder, Control-click or right click the icon of the app.
  • Select Open from the top of the contextual menu that appears.
  • Click Open in the dialog box. If prompted, enter an administrator name and password.

Note: If there is an app that presents multiple Gatekeeper dialog boxes, you can temporarily use Gatekeeper's "Always" option. Make sure to restore the Gatekeeper option that was there before to bring back Gatekeeper function.

You can easily control who can whitelist applications by not handing out administrator user names and passwords to users that are not aware of this functionality, and you can also manage Gatekeeper from the Terminal or Profile Manager and other managed-settings software like Casper from JAMF. You can also audit your machines for software that has been whitelisted, to periodically reset the list of allowed apps and determine who is exercising this function in case you wish to change policy and habit.

OTHER TIPS

Downloading a file over SMB will not trigger quarantining, and since the app is not quarantined the Gatekeeper policy never gets checked. I'm not sure why it's being marked as quarantined on your other computers...

To check for quarantining at any point, use the ls -ld@ command to look for the com.apple.quarantine attribute:

$ ls -ld@ /Applications/TextWrangler.app
drwxrwxr-x@ 3 gordon  staff  102 Apr 30  2012 /Applications/TextWrangler.app
    com.apple.FinderInfo     32 
    com.apple.quarantine     57 

If that quarantine attribute is attached to the app, the Gatekeeper policy will be checked; if not, it won't. The interesting question is why it got quarantined on your other computers, and if you use this command to check the application at various points as you distribute it, you can figure out when the attribute is getting attached (and therefore why it's getting attached).

EDIT: There's a note relating to this in the "Click here for more details" section of Apple's KB article #HT5290:

Important: Developer ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet.

If you have enabled this hidden preference, it also disables Gatekeeper:

defaults write com.apple.LaunchServices LSQuarantine -bool false

OS X allows opening all applications regardless of the setting in System Preferences.

Gatekeeper prevents apps from being run by double-clicking, but you can always override it by selecting Open from the context menu.

If you can run downloaded unsigned apps by double-clicking, this is a problem with Gatekeeper. Files store their quarantine status in an extended attribute called com.apple.quarantine. If this attribute is cleared for some reason from your downloaded files, Gatekeeper will treat downloaded files as being no different from any other files on your computer. So I'd suggest that downloading a program and then using xattr -l filename in Terminal would be a good diagnostic tool if you have Xcode installed.

If you run them via the Open command from a menu, this is the designed behavior. Note that once you have run a program from the menu, it is forever enabled to be run by double-clicking, regardless of your Gatekeeper settings.
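The two tips above both come down to one question: does the bundle carry the com.apple.quarantine extended attribute, and if so, what does it say? The following is an added example, not code from any of the answers or from Apple. It parses the text that `xattr -l` prints for a bundle and decodes the attribute's value, which has the form flags;timestamp;agent;uuid with the timestamp as a hex count of seconds since the epoch. The two listings are constructed sample output (the UUID, timestamp and hex dump are made up), so the script runs anywhere; only `check_app`, which shells out to the macOS `xattr` tool, needs a Mac.

```shell
#!/bin/sh
# Added example: inspect com.apple.quarantine in `xattr -l` output.
# Both samples below are constructed, not captured from a real machine.

# Constructed `xattr -l` output for a bundle downloaded with a browser.
SAMPLE_QUARANTINED='com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
com.apple.quarantine: 0083;5f3a1c2d;Safari;0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9'

# Constructed output for the same bundle copied in over SMB: no quarantine attribute.
SAMPLE_CLEAN='com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|'

# Exit 0 when the listing on stdin names com.apple.quarantine, 1 otherwise.
has_quarantine() {
    grep -q '^com\.apple\.quarantine:'
}

# Print the raw attribute value: everything after "com.apple.quarantine: ".
quarantine_value() {
    sed -n 's/^com\.apple\.quarantine: *//p'
}

# Decode "flags;hex-timestamp;agent;uuid" into one line of key=value pairs.
# Runs in a subshell so changing IFS and the positional parameters is local.
decode_quarantine() (
    set -f            # no globbing while splitting the unquoted value
    IFS=';'
    set -- $1
    # $((0x...)) converts the hex timestamp to decimal epoch seconds.
    printf 'flags=%s epoch=%s agent=%s uuid=%s\n' "$1" "$((0x$2))" "$3" "$4"
)

# On a Mac: check a real bundle. xattr is the macOS tool; not run here.
check_app() {
    xattr -l "$1" | has_quarantine
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_QUARANTINED" "$SAMPLE_CLEAN"; do
    if printf '%s\n' "$sample" | has_quarantine; then
        decode_quarantine "$(printf '%s\n' "$sample" | quarantine_value)"
    else
        echo "no com.apple.quarantine attribute: Gatekeeper will not assess this bundle"
    fi
done
```

The agent field tells you which program attached the attribute (here the constructed value names Safari), which is exactly what the first tip suggests tracing as the app moves between machines. To see what Gatekeeper itself would decide for a quarantined bundle, run `spctl --assess --type execute --verbose /path/to/App.app`; to strip the attribute deliberately, `xattr -d com.apple.quarantine /path/to/App.app`, which is equivalent in effect to the right-click Open override.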

Licensed under: CC-BY-SA with attribution