How to manage OS X Gatekeeper from the command line
Apple provides three basic settings for Gatekeeper in OS X Mountain Lion, but you can manage this service in finer detail if needed.
Gatekeeper is a new security measure introduced in OS X Mountain Lion that allows the system to prevent the execution of code that does not meet certain criteria, such as possessing a valid digital signature from Apple's developer community. When setting up GateKeeper in the Security system preferences, you can set it so that only approved applications from the Mac App Store are allowed to run, additionally allow programs from approved developers to run, or you can set no restrictions and allow everything to run.
When the restrictions are set, you can still run unapproved programs by right-clicking them and choosing Open from the contextual menu followed by confirming that you would indeed like to execute this file. With this setup, the system ensures that the program cannot be executed on its own without explicit approval from you.
These restrictions by Gatekeeper are implemented through a group-based rule paradigm. By default Gatekeeper will look for a Mac App Store signature in the program and then has a group rule called "Mac App Store" that allows programs with this feature to run. In addition, Gatekeeper has another built-in rule called "Developer ID" that will allow programs with valid developer IDs to run.
This rule-based approach is how Gatekeeper works, so if you have decided to keep Gatekeeper enabled for security purposes, you can use some fairly simple Terminal commands using the "spctl" utility to manage Gatekeeper, not only to enable or disable it but also to create custom groups of programs and allow or deny them execution rights.
Enabling and disabling Gatekeeper
While the easiest way to enable or disable Gatekeeper is through the system preferences, you can also do so from the OS X Terminal with the following commands:
In addition to enabling or disabling, you can check whether Gatekeeper is running using the status option with this command:
Determine if an application is allowed
With Gatekeeper enabled, you can have the system check a specific application package to see whether it has privileges to run. To do so, simply type "spctl -a" in the Terminal followed by a single space, and then drag the application of choice to the Terminal window to complete the full path to the program package so it looks like the following:
spctl -a /Path/To/program.app
The program can be an application bundle, a shell script, or any other executable file. When you execute this command on the targeted file, Gatekeeper will assess the file's eligibility to run and output the results to you.
Adding a rule to allow an application
If you find one of your installed applications is not allowed to run by Gatekeeper, then you can manually add a rule to allow it to run. This is a two-step process where you first need to create a rule to which you assign one or more applications, and followed by enabling this group in Gatekeeper.
- Create a rule for the application
In the following command, we are adding a program (specified by the program path) to the rule called "MyLabel." You can name the rule anything you wish, and as mentioned above you can complete the program's full path by dragging it to the Terminal window.
spctl --add --label "MyLabel" /Path/To/program
Think of the label as a group to which you are adding the application, so you can repeat the above command and specify a different program to assign it to the same rule label (or use a different label if you choose). Note that this step will require you to either run the command as administrator or provide your administrator password in the authentication dialog that pops up. Without this step, malicious programs could add their own rules to Gatekeeper and then run without restriction.
- Enable or disable the rule
The next step is to enable the rule so the programs represented in it can run, which can be done by using the following commands:
spctl --enable --label "MyLabel"
spctl --disable --label "MyLabel"
Listing and deleting rules
With rules created for different applications, you can enable or disable them accordingly, but the "spctl" command also has options for managing them. To see a list of all the rules on the system, simply run the following command in the Terminal.
In the output for this list, you will see your custom labels among built-in rules like the "Developer ID" and "Mac App Store" labels. Optionally, you can list just the entries for a specific label by the following command:
spctl --list --label "MyLabel"
You can delete any unwanted Gatekeeper rules by issuing the command option to remove them:
spctl --remove --label "MyLabel"
The options covered here are basic approaches to managing application execution with Gatekeeper enabled, and can be used to set up groups of programs to enable or disable on a specific system. However, the spctl command has a number of additional options for prioritizing rules, and determining details such as whether or not a package can be installed, or if a program can install other files on the system.
Managing rules in this manner will not interfere with Gatekeeper's functions, but unless you know exactly what you are doing, be sure to not remove or edit any of the built-in rules that Apple supplies with Gatekeeper. These include the aforementioned "Developer ID" and "Mac App Store" labels, so provided that you only create and modify custom rules in Gatekeeper, then you should be good to go.