How to manage OS X Gatekeeper from the command line

Apple provides three basic settings for Gatekeeper in OS X Mountain Lion, but you can manage this service in finer detail if needed.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
4 min read

Gatekeeper is a new security measure introduced in OS X Mountain Lion that allows the system to prevent the execution of code that does not meet certain criteria, such as possessing a valid digital signature from Apple's developer community. When setting up GateKeeper in the Security system preferences, you can set it so that only approved applications from the Mac App Store are allowed to run, additionally allow programs from approved developers to run, or you can set no restrictions and allow everything to run.

When the restrictions are set, you can still run unapproved programs by right-clicking them and choosing Open from the contextual menu followed by confirming that you would indeed like to execute this file. With this setup, the system ensures that the program cannot be executed on its own without explicit approval from you.

Gatekeeper settings in OS X
By default Apple provides these three options for setting up Gatekeeper in OS X (click for larger view). Screenshot by Topher Kessler/CNET

These restrictions by Gatekeeper are implemented through a group-based rule paradigm. By default Gatekeeper will look for a Mac App Store signature in the program and then has a group rule called "Mac App Store" that allows programs with this feature to run. In addition, Gatekeeper has another built-in rule called "Developer ID" that will allow programs with valid developer IDs to run.

This rule-based approach is how Gatekeeper works, so if you have decided to keep Gatekeeper enabled for security purposes, you can use some fairly simple Terminal commands using the "spctl" utility to manage Gatekeeper, not only to enable or disable it but also to create custom groups of programs and allow or deny them execution rights.

Enabling and disabling Gatekeeper

Gatekeeper status in the OS X Terminal
This system has Gatekeeper enabled (click for larger view). Screenshot by Topher Kessler/CNET

While the easiest way to enable or disable Gatekeeper is through the system preferences, you can also do so from the OS X Terminal with the following commands:

spctl --master-enable
spctl --master-disable

In addition to enabling or disabling, you can check whether Gatekeeper is running using the status option with this command:

spctl --status

Determine if an application is allowed

With Gatekeeper enabled, you can have the system check a specific application package to see whether it has privileges to run. To do so, simply type "spctl -a" in the Terminal followed by a single space, and then drag the application of choice to the Terminal window to complete the full path to the program package so it looks like the following:

spctl -a /Path/To/program.app

The program can be an application bundle, a shell script, or any other executable file. When you execute this command on the targeted file, Gatekeeper will assess the file's eligibility to run and output the results to you.

Adding a rule to allow an application

Gatekeeper authentication dialog box
When you add an application to a Gatekeeper rule, the system will require authentication and warn you with this dialog box (click for larger view). Screenshot by Topher Kessler/CNET

If you find one of your installed applications is not allowed to run by Gatekeeper, then you can manually add a rule to allow it to run. This is a two-step process where you first need to create a rule to which you assign one or more applications, and followed by enabling this group in Gatekeeper.

  1. Create a rule for the application
    In the following command, we are adding a program (specified by the program path) to the rule called "MyLabel." You can name the rule anything you wish, and as mentioned above you can complete the program's full path by dragging it to the Terminal window.

    spctl --add --label "MyLabel" /Path/To/program

    Think of the label as a group to which you are adding the application, so you can repeat the above command and specify a different program to assign it to the same rule label (or use a different label if you choose). Note that this step will require you to either run the command as administrator or provide your administrator password in the authentication dialog that pops up. Without this step, malicious programs could add their own rules to Gatekeeper and then run without restriction.
  2. Enable or disable the rule
    The next step is to enable the rule so the programs represented in it can run, which can be done by using the following commands:

    spctl --enable --label "MyLabel"
    spctl --disable --label "MyLabel"

Listing and deleting rules

Gatekeeper rule member applications list
In this case the programs MacPyMOL and Calibre are member applications governed by the "MyLabel" rule (click for larger view). Screenshot by Topher Kessler/CNET

With rules created for different applications, you can enable or disable them accordingly, but the "spctl" command also has options for managing them. To see a list of all the rules on the system, simply run the following command in the Terminal.

spctl --list

In the output for this list, you will see your custom labels among built-in rules like the "Developer ID" and "Mac App Store" labels. Optionally, you can list just the entries for a specific label by the following command:

spctl --list --label "MyLabel"

You can delete any unwanted Gatekeeper rules by issuing the command option to remove them:

spctl --remove --label "MyLabel"

The options covered here are basic approaches to managing application execution with Gatekeeper enabled, and can be used to set up groups of programs to enable or disable on a specific system. However, the spctl command has a number of additional options for prioritizing rules, and determining details such as whether or not a package can be installed, or if a program can install other files on the system.

Managing rules in this manner will not interfere with Gatekeeper's functions, but unless you know exactly what you are doing, be sure to not remove or edit any of the built-in rules that Apple supplies with Gatekeeper. These include the aforementioned "Developer ID" and "Mac App Store" labels, so provided that you only create and modify custom rules in Gatekeeper, then you should be good to go.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.