A Simple Method for Keeping Gatekeeper enabled with Jamf Pro

Gatekeeper is a security feature on macOS that is designed to protect your system from malicious software by limiting the apps that can be installed and run on your system. It only allows apps that are downloaded from the Mac App Store or that have been signed by developers with a certificate issued by Apple.

While it’s extremely useful for keeping your macOS environment secure, there are times when a user may need to disable Gatekeeper temporarily.

My organization’s use-case for this is that we have a team of developers who are often running test builds of applications that are unsigned because they’re in development. So we have a process for users to go through to disable Gatekeeper temporarily.

However, we want to ensure that there are no gaps and that Gatekeeper will always be re-enabled across the environment.

To accomplish this, we leverage Jamf Pro’s Smart Groups to detect if Gatekeeper is disabled (the status of machines in this group will update after an inventory scan on each device) and a script deployed via a Jamf policy to re-enable it on the machines that show up in our smart group.

We’ll name the smart group Gatekeeper DISABLED and the criteria will be as displayed below:

Then we’ll want to add a script to Jamf Pro to enable Gatekeeper. You can do this by clicking the settings cog in the upper right-hand corner of Jamf Pro. Then either Computer Management > Scripts, or just search for Scripts in the search bar.

The script below enables Gatekeeper and runs an Inventory Update so that the machine is removed from our smart group once the change is complete.

#!/bin/bash
# Enables Gatekeeper so that only apps from the App Store and identified developers are allowed.
# Jamf Pro runs policy scripts as root, so the sudo prefix is redundant but harmless.
sudo spctl --master-enable
sudo spctl --enable --label "Developer ID"
# Runs a Jamf inventory update so the machine drops out of the smart group on the next recalculation
sudo jamf recon

We can then create a policy and attach our script. You can modify the triggers as you see fit.

Make sure to scope this policy to the Gatekeeper smart group that you created earlier and then click save.

The membership of the smart group will change as machines run inventory updates. Machines that show up in the group will automatically be targeted by our policy and have Gatekeeper re-enabled.
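As an added example (not part of the original post or Jamf's own code), the script below shows the detection side of the same loop: a Jamf Pro Extension Attribute that parses the output of spctl --status into a normalised value, plus a guard so the remediation commands from the post only run when Gatekeeper is actually disabled. The Extension Attribute name "Gatekeeper State", the gatekeeper_state and needs_remediation function names, and the sample status string are assumptions made for this example; the two spctl output strings it matches are what spctl --status prints on macOS.

```shell
#!/bin/bash
# Added example, not from the original post. Extension Attribute (hypothetical name
# "Gatekeeper State") that reports Gatekeeper status, with an idempotent remediation.

# Normalise the text that `spctl --status` prints.
# Real outputs are "assessments enabled" and "assessments disabled".
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "Enabled" ;;
        *"assessments disabled"*) echo "Disabled" ;;
        *)                        echo "Unknown" ;;
    esac
}

# Returns 0 (true) only when the parsed state is Disabled, so a policy can
# skip the spctl calls on machines that are already compliant.
needs_remediation() {
    [ "$(gatekeeper_state "$1")" = "Disabled" ]
}

# Re-enables Gatekeeper (same commands as the post) and refreshes inventory.
remediate() {
    spctl --master-enable
    spctl --enable --label "Developer ID"
    jamf recon
}

# Constructed sample status so the parsing logic can be exercised off a Mac.
SAMPLE_STATUS="assessments disabled"

main() {
    # On a real device read the live status; elsewhere fall back to the sample.
    if command -v spctl >/dev/null 2>&1; then
        status="$(spctl --status 2>&1)"
    else
        status="$SAMPLE_STATUS"
    fi

    # Extension Attribute output format expected by Jamf Pro inventory.
    echo "<result>$(gatekeeper_state "$status")</result>"

    # Remediate only when needed and only when this is a real Mac with spctl.
    if needs_remediation "$status" && command -v spctl >/dev/null 2>&1; then
        remediate
    fi
}

main
```

Used as an Extension Attribute, the <result> value gives you a smart group criterion ("Gatekeeper State" is "Disabled") that does not depend on the built-in Gatekeeper inventory field, and the needs_remediation guard keeps the policy from rewriting settings and forcing a recon on machines that are already compliant.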
