Gatekeeper automatically re-enables after 30 days on Yosemite and later
On OS X 10.10.x and later, disabling Gatekeeper does not mean it is permanently off. After a set amount of time (currently 30 days), Gatekeeper will automatically re-enable itself with the Allow apps downloaded from: Mac App Store and identified developers setting.
I was able to track down which part of the OS this was coming from and it looks like it’s defined as part of syspolicyd:
After doing some research, it looks like Gatekeeper’s automatic re-enablement function can be disabled by running the following command with root privileges:
defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false
This would allow Gatekeeper to be set to Allow apps downloaded from: Anywhere and have it stay that way.
For those who want to set this with a management profile, I’ve created a .mobileconfig file and posted it here on Github:
Update – 7-31-2015: My colleague Tom Burgin points out that this may not be manageable via a profile after all, due to the way Apple has set the value that it’s reading:
If a management profile isn’t being respected, the defaults command listed above is the way to apply this to machines.
I’ve filed a bug report about this. For those interested in duping this bug, the bug report ID is 22094327. I’ve also cross-posted it to OpenRadar: