Gatekeeper is a security feature of Apple’s macOS and iOS operating systems. It requires downloaded software to be digitally signed by Apple before it can be installed. It significantly reduces the chance that malware can be unintentionally installed on Apple devices. It was first introduced in macOS 10.7.3 (Lion), released on July 1, 2011.
How Gatekeeper works
Gatekeeper security applies only to applications downloaded from the Internet. Software installed from other sources, including network drives and removable media, are not checked by Gatekeeper.
- How Gatekeeper works.
- Gatekeeper on iOS.
- Changing Gatekeeper settings in macOS.
- Gatekeeper System Administration tools.
When you attempt to install a downloaded application, Gatekeeper behaves in one of three ways:
- If the application was downloaded from the App Store, Gatekeeper always allows it to install. All software in the App Store undergoes a code review by Apple engineers and is given a cryptographic digital signature that is verified by Gatekeeper.
- If the application was downloaded from outside the App Store (e.g., website), Gatekeeper checks the software for an Apple-assigned digital signature that identifies the developer. If a signature is found and verified by Gatekeeper, the installation may continue, if permitted in system preferences (see below).
- If a digital signature is not found, the OS will warn you that the developer is unidentified. The app cannot be installed, unless the user specifically permits it in system preferences (see below).
Gatekeeper on iOS
On iOS, Gatekeeper requires all apps to be installed from the App Store. Gatekeeper settings cannot be altered on iOS devices (iPhones and iPads) unless the device is jailbroken.
Gatekeeper protections only apply before the software is installed. After installation, the software continues to operate regardless of changes to security settings, or if its digital signature is revoked by Apple.
Changing Gatekeeper settings in macOS
In macOS, Gatekeeper settings are located in your System Preferences.
Apple does not condone jailbreaking iOS devices, and doing so automatically voids a device’s warranty.
To change these settings, your user account must have Administrator privileges.
Open the Apple Menu (on the left side of your menu bar). Choose System Preferences.
Choose Security & Privacy.
Select the General tab. In the lower-left corner of the window, click the lock (🔒) icon.
Enter your password.
Under Allow applications downloaded from, select your desired setting.
Mac App Store requires all installed apps to be downloaded from the App Store, which is the strongest level of protection.
Mac App Store and identified developers additionally allow apps to be installed from developers with a valid digital signature, which is the weaker level of protection. Your device could be at a low risk of malware infection.
Anywhere removes all restrictions, allowing you to install any downloaded application. This option disables Gatekeeper protections completely, putting your device at maximum risk of malware infection.
Gatekeeper System Administration tools
You can view and change Gatekeeper settings from the macOS command line with the spctl command. For more information, open a terminal and run:
man spctl
To work with code signatures, use the codesign command. For more information, run:
man codesign
To create customized Gatekeeper rules in a large organization, use Profile Manager in macOS Server. For details, visit Apple’s guide to macOS Server Profile Manager.
Apple terms, Secure enclave, Security terms
