In the previous part of our series on Gatekeeper, we explored its features and options that can be configured within System Preferences, as well as how to explicitly allow apps to run. Now, let's take a look at how Gatekeeper can be further managed from the command line.
spctl (man page) offers a non-graphical way of interacting with Gatekeeper, providing a way of enabling or disabling the service, as well as managing exceptions.
Checking the Status of Gatekeeper
The results for this command will either be assessments enabled or assessments disabled, depending on whether Gatekeeper is set to only allow apps from the Mac App Store and identified developers, or apps from anywhere.
Enabling or Disabling Gatekeeper
To alter the state of Gatekeeper, you must run the command as root.
sudo spctl --master-disable sudo spctl --master-enable
The first command will set Gatekeeper to allow apps from anywhere. The second command will change this to allow apps from only the Mac App Store and identified developers.
Interestingly, enabling Gatekeeper from the command line will always allow apps form the Mac App Store and identified developers, it will not set it to the most restrictive option of allowing only apps from the Mac App Store.
Viewing Approved Apps
OS X doesn't provide a graphical interface for viewing apps that have been explicitly allowed to run. This doesn't mean we can't see what this list of approved apps, however, as we can use
spctl to list what apps have been explicitly approved.
The above command will list all apps, installers and plug-ins that Gatekeeper has allowed.
Despite the wall of text that the command outputs, we can see that apps we've explicitly approved are listed at the bottom with the label UNLABELED.
To make it easier to see just the apps that we've explicitly allowed, we can add a little extra to the command:
spctl --list | grep UNLABELED
This filters the list to just the apps that we've approved.
Alternatively, you can check if an individual app has been allowed to run by using:
spctl -a /Applications/MyApp.app
If Gatekeeper isn't allowing the app to run, the message /Applications/MyApp.app: rejected is displayed.
Approving or Blocking Apps
Finally, we can approve or block apps using the command line. Rather than allowing individual apps on a case-by-case basis,
spctl works by creating rules, organised by labels. This provides a way of organising separate lists of apps that can be approved or blocked en-masse.
To allow an app to run, we first assign it a label:
spctl --add --label "ApprovedApps" /Applications/MyApp.app
Next, we tell Gatekeeper that we want to approve all apps with the label ApprovedApps:
spctl --enable --label "ApprovedApps"
Gatekeeper will now allow any apps to run that would otherwise be blocked form doing so, provided they have the label ApprovedApps assigned.
Now that we have rule that allows apps of a specific label name, we can repeat the process and assign the same label to other apps that might be blocked:
spctl --add --label "ApprovedApps" /Applications/AnotherApp.app
Only this time, we don't need to enable the label again.
Now, what if MyApp.app turned out to actually be malicious? As OS X prove provides no graphical interface for managing apps that have been approved, it would still be allowed to run.
We can block the entire label by using
spctl --disable --label "ApprovedApps"
While this would certainly prevent MyApp.app from being opened again, we've also blocked every other app that has the label ApprovedApps assigned.
A better way would be to create a custom label specifically targeted to apps that you want to block.
First, specify a rule that blocks apps with the label BlockedApps:
spctl --disable --label "BlockedApps"
Next, remove the ApprovedApps label from MyApp.app:
spctl --remove --label "ApprovedApps" /Applications/MyApp.app
Finally, add the label BlockedApps to MyApp.app:
spctl --add --label "BlockedApps" /Applications/MyApp.app
This process will block just MyApp.app by changing its label to one that is blocked at all times. You can use this label as a quarantine list, moving offending apps into it as and when needed.
As you saw earlier, some of the apps we explicitly allowed by either control-clicking to open or via System Preferences are not assigned any label. You can still assign a label in the same way as we've just covered.
Gatekeeper is far more customisable and flexible than it first appears, mostly thanks to the command line. For most users, there really isn't any need to go into Terminal, though Mac Admins will likely be interested in the increased control that can be levied when it comes to protecting their user base.
You can purchase the complete guide to Gatekeeper Fundamentals as an ebook in ePub and PDF format for just $0.99.