Gatekeeper automatically re-enables after 30 days on Yosemite and later

On OS X 10.10.x and later, disabling Gatekeeper does not turn it off permanently. After a set amount of time (currently 30 days), Gatekeeper automatically re-enables itself with the "Allow apps downloaded from: Mac App Store and identified developers" setting.

I was able to track down which part of the OS this was coming from and it looks like it’s defined as part of syspolicyd:


After doing some research, it looks like Gatekeeper’s automatic re-enablement function can be disabled by running the following command with root privileges:

defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false

This would allow Gatekeeper to be set to "Allow apps downloaded from: Anywhere" and have it stay that way.
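
To check what a given Mac will actually do, the script below reads the GKAutoRearm key and the current Gatekeeper status and reports the combination. It is an added example, not code from the original post; the function names are hypothetical, and it assumes that an unset key means the default 30-day re-arm described above.

```shell
#!/bin/sh
# Added example (not from the original post): audit Gatekeeper and its auto re-arm.
PLIST=/Library/Preferences/com.apple.security   # preference domain named in the post
KEY=GKAutoRearm                                 # key named in the post

# classify_gatekeeper STATUS REARM  (hypothetical helper)
#   STATUS: text printed by `spctl --status`
#   REARM:  text printed by `defaults read "$PLIST" "$KEY"`, empty if the key is unset
# Prints one of four states; prints "unknown" and returns 2 on unparsable input.
classify_gatekeeper() {
    case $1 in
        *"assessments enabled"*)  gk=enabled ;;
        *"assessments disabled"*) gk=disabled ;;
        *) echo unknown; return 2 ;;
    esac
    case $2 in
        0|false|NO)    rearm=no-rearm ;;   # defaults prints booleans as 0/1
        ""|1|true|YES) rearm=rearm ;;      # assumption: unset key = default 30-day re-arm
        *) echo unknown; return 2 ;;
    esac
    echo "$gk-$rearm"
}

# audit_gatekeeper (hypothetical helper): run the real tools and classify the result.
audit_gatekeeper() {
    status=$(spctl --status 2>&1)
    value=$(defaults read "$PLIST" "$KEY" 2>/dev/null) || value=""
    classify_gatekeeper "$status" "$value"
}

# Only query the system where the macOS tools exist.
if command -v spctl >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    audit_gatekeeper
fi
```

A result of disabled-rearm means Gatekeeper is off now but will switch itself back on; disabled-no-rearm means it stays off until someone re-enables it, which is the state worth flagging in a fleet inventory.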


For those who want to set this with a management profile, I’ve created a .mobileconfig file and posted it here on GitHub:


Update – 7-31-2015: My colleague Tom Burgin points out that this may not be manageable via a profile after all, due to the way Apple has set the value that it’s reading:

If a management profile isn’t being respected, the defaults command listed above is the way to apply this to machines.

I’ve filed a bug report about this. For those interested in duping this bug, the bug report ID is 22094327. I’ve also cross-posted it to OpenRadar:


  1. July 31, 2015 at 5:10 pm

    Rich, as you probably know, there’s an Apple-provided profile setting for managing Gatekeeper. Are you saying even that gets overridden by this mechanism, requiring an additional setting to be added to a profile to prevent the re-arming?

    This would explain the reports I’ve gotten from techs claiming Gatekeeper was enabled and greyed out even though I’m disabling with a profile. The workaround has been to delete the profile, then disable Gatekeeper again. I guess I just need to add this additional key.

    • August 5, 2015 at 12:43 pm

      @patgmac Can confirm. I assumed (without any investigation on my part) that it was software updates or something re-enabling it!

      Awesome find Rich!
