
Gatekeeper Status Check Script

As of Mac OS X 10.7.5, Apple has now made Gatekeeper’s GUI functionality available on both Lion and Mountain Lion. Gatekeeper is disabled on Lion Macs by default, but users with admin privileges can turn it on.


To help Mac admins monitor whether Gatekeeper has been enabled, I’ve written a script that checks spctl to see if Gatekeeper’s assessment system is enabled or disabled. When run with root privileges, this script checks 10.7 and 10.8 Macs to see if Gatekeeper is disabled. If Gatekeeper is disabled, the script returns Disabled. Any other status results in the script returning Active.


#!/bin/bash

# Minor version of Mac OS X (e.g. 7 for 10.7.5)
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

if [[ ${osvers} -lt 7 ]]; then
  echo "Gatekeeper Not Available For This Version Of Mac OS X"
fi

if [[ ${osvers} -ge 9 ]]; then
  echo "Future Not Known Yet. Revise Me In Mid-2013"
fi

# Checks Gatekeeper status on 10.7.x Macs

if [[ ${osvers} -eq 7 ]]; then
  # cut -c13- keeps the word that follows "assessments "
  gatekeeper_status=$(spctl --status | grep "assessments" | cut -c13-)
  # Quoted so that empty spctl output does not break the test
  if [ "$gatekeeper_status" = "disabled" ]; then
    result=Disabled
  else
    result=Active
  fi
  echo "$result"
fi

# Checks Gatekeeper status on 10.8.x Macs

if [[ ${osvers} -eq 8 ]]; then
  # cut -c13- keeps the word that follows "assessments "
  gatekeeper_status=$(spctl --status | grep "assessments" | cut -c13-)
  # Quoted so that empty spctl output does not break the test
  if [ "$gatekeeper_status" = "disabled" ]; then
    result=Disabled
  else
    result=Active
  fi
  echo "$result"
fi

This script is available here on my GitHub repo. I’ve also written a Casper Extension Attribute which is available here.
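
An added variant of the check above (example code, not the author's script): it reads the `spctl --status` output line by line and reports Unknown when spctl is missing or prints anything unexpected, where the script above reports Active for every result other than disabled. The function names and the Unknown state are assumptions of this example; the `<result>` wrapper is the output convention Casper Extension Attributes use.

```bash
#!/bin/bash
# Added example: three-state Gatekeeper check, so that a failed or missing
# spctl is never reported to the inventory system as "Active".

# classify_spctl_status TEXT
# Prints Enabled, Disabled or Unknown for the given spctl --status output.
# Only an exact "assessments enabled" / "assessments disabled" line counts.
classify_spctl_status() {
  _gk_state="Unknown"
  while IFS= read -r _gk_line; do
    case "$_gk_line" in
      "assessments enabled")  _gk_state="Enabled" ;;
      "assessments disabled") _gk_state="Disabled" ;;
    esac
  done <<EOF
$1
EOF
  printf '%s\n' "$_gk_state"
}

# gatekeeper_report
# Runs spctl when it exists and wraps the state in <result> tags.
gatekeeper_report() {
  _gk_output=""
  if command -v spctl >/dev/null 2>&1; then
    # Capture stderr too; a non-zero exit simply leaves the state Unknown
    _gk_output=$(spctl --status 2>&1) || true
  fi
  printf '<result>%s</result>\n' "$(classify_spctl_status "$_gk_output")"
}

gatekeeper_report
```

An Unknown result is worth alerting on separately, since it means the check itself did not run as expected.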

  1. themacdude
    September 20, 2012 at 7:00 pm

    Nice. Sounds like a good thing to check with a KACE appliance too.

  2. BAFF
    September 25, 2012 at 3:56 pm

    Hello, thank you for your script!

    Question: Why did you choose to write separate if…fi statements for OS X 10.7 and 10.8? Why not have a single statement like this:

    if [[ ${osvers} -eq 7 || ${osvers} -eq 8 ]]; then
    ….
    fi

    Thanks for any explanation.

    • September 25, 2012 at 4:06 pm

      I wanted to allow for any future additional spctl --status functionality. Any changes like that would likely be in 10.8.x and higher, but not backported to 10.7.x.
