Gatekeeper
macOS security technology that enforces code signing and notarization requirements, ensuring only trusted software runs on the Mac.
What to Know
Gatekeeper is macOS’s first line of defense against malware and untrusted software, automatically verifying that apps downloaded from the internet are signed by identified developers and have been notarized by Apple. This prevents users from unknowingly running malicious software by requiring apps to meet minimum security standards before execution. Gatekeeper operates silently in the background for most users, only presenting warnings when potentially unsafe software is detected.
For enterprise environments, Gatekeeper settings directly impact software deployment strategies. Overly restrictive policies can block legitimate internal tools, while overly permissive settings undermine security posture. Understanding Gatekeeper’s enforcement levels (App Store only, App Store and identified developers, or disabled) allows IT to balance security with operational needs, and MDM can centrally manage these settings across the fleet.
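The enforcement levels above correspond to two keys in Apple's System Policy Control payload (`com.apple.systempolicy.control`): `EnableAssessment` and `AllowIdentifiedDevelopers`. The following Python audit is an added example, not Addigy's code or part of the original page; it assumes unsigned `.mobileconfig` profiles, and the profile names and sample contents are constructed for illustration.

```python
import plistlib

# Payload type of Apple's System Policy Control (Gatekeeper) payload.
GATEKEEPER_PAYLOAD = "com.apple.systempolicy.control"

def gatekeeper_level(profile_bytes):
    """Return the Gatekeeper enforcement level a configuration profile sets."""
    profile = plistlib.loads(profile_bytes)  # assumes an unsigned profile
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != GATEKEEPER_PAYLOAD:
            continue
        enabled = payload.get("EnableAssessment")
        if enabled is None:
            return "unmanaged"
        if not enabled:
            return "disabled"
        allow_dev = payload.get("AllowIdentifiedDevelopers")
        if allow_dev is None:
            # Label chosen for this example: key absent, level not pinned.
            return "enabled, developer setting unmanaged"
        return "app-store-and-identified-developers" if allow_dev else "app-store-only"
    return "unmanaged"  # profile carries no Gatekeeper payload

def audit(profiles):
    """Map profile name -> level and list the profiles that turn Gatekeeper off."""
    levels = {name: gatekeeper_level(data) for name, data in profiles.items()}
    findings = sorted(n for n, lvl in levels.items() if lvl == "disabled")
    return levels, findings

def _sample(**keys):
    # Constructed sample profile, not taken from any real fleet.
    payload = {"PayloadType": GATEKEEPER_PAYLOAD, "PayloadVersion": 1,
               "PayloadIdentifier": "example.gatekeeper", **keys}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": "example.profile",
                           "PayloadContent": [payload]})

SAMPLES = {  # hypothetical profile names
    "lab-macs": _sample(EnableAssessment=True, AllowIdentifiedDevelopers=False),
    "staff-macs": _sample(EnableAssessment=True, AllowIdentifiedDevelopers=True),
    "legacy-client": _sample(EnableAssessment=False),
}

if __name__ == "__main__":
    levels, findings = audit(SAMPLES)
    for name, level in levels.items():
        print(f"{name}: {level}")
    print("Gatekeeper disabled by:", ", ".join(findings) or "none")
```

A signed profile is CMS-wrapped and must be unwrapped before `plistlib` can parse it.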
Common Scenarios
Enterprise IT: IT deploys custom internal applications or developer tools that may not be notarized. Rather than weakening Gatekeeper globally, IT uses MDM to allowlist specific apps or configure Gatekeeper to permit identified developers while still blocking unknown software. This maintains security while supporting legitimate business tools.
MSP: When onboarding new clients, MSPs audit Gatekeeper settings to ensure devices aren’t configured to allow all apps without restriction. They standardize settings across client fleets and provide guidance on properly signing internal software to avoid Gatekeeper warnings that generate unnecessary support tickets.
Education: Schools typically maintain default Gatekeeper settings to protect student devices from unauthorized software. IT staff must coordinate with teachers when deploying specialized educational apps from smaller vendors that lack proper notarization, temporarily allowing specific apps while maintaining overall protection.
In Addigy
Addigy can deploy configuration profiles to manage Gatekeeper settings, including allowlisting specific apps or adjusting enforcement levels. Admins can view Gatekeeper status in device inventory and track which apps are being blocked. When software deployment fails due to Gatekeeper, Addigy’s logs clearly indicate the rejection reason, allowing admins to take corrective action such as properly signing the app or creating a targeted policy exception.
Also Known As
- macOS Gatekeeper
- App Verification