
Gatekeeper automatically re-enables after 30 days on Yosemite and later

On OS X 10.10.x and later, disabling Gatekeeper does not turn it off permanently. After a set amount of time (currently 30 days), Gatekeeper automatically re-enables itself and resets to the "Allow apps downloaded from: Mac App Store and identified developers" setting.


I was able to track down which part of the OS this behavior comes from, and it looks like it's defined as part of syspolicyd:

https://github.com/aosm/security_systemkeychain/blob/master/syspolicyd/syspolicyd.cpp#L295-L310


After doing some research, it looks like Gatekeeper’s automatic re-enablement function can be disabled by running the following command with root privileges:

defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false

With that key set, Gatekeeper can be set to "Allow apps downloaded from: Anywhere" and it will stay that way.
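Because this key permanently removes the 30-day safety net, it is worth being able to report which machines are in each state. The following audit helper is an added example, not part of the original post or of Apple's tooling. It assumes `spctl --status` prints "assessments enabled" or "assessments disabled", and that `defaults read` on the /Library/Preferences/com.apple.security domain prints `0` for a key written with `-bool false` (both are assumptions about command output, not values taken from the post; the preference path and key name are the ones the post gives). The classification function is kept separate from the command invocations so the same logic can be run over values collected from a fleet report.

```shell
#!/bin/sh
# Added example: classify a Mac's Gatekeeper state from two inputs,
# the spctl status line and the GKAutoRearm preference value.
# Assumed outputs: spctl prints "assessments enabled|disabled";
# `defaults read` prints 0 for a key set with -bool false.

GK_PREFS="/Library/Preferences/com.apple.security"   # preference domain from the post

# classify_gatekeeper <spctl_status_line> <gkautorearm_value>
# Prints one of: enforced, disabled-will-rearm, disabled-permanent, unknown
classify_gatekeeper() {
  status="$1"
  rearm="$2"
  case "$status" in
    *"assessments enabled"*)
      echo "enforced" ;;
    *"assessments disabled"*)
      # A missing key or a true value means the 30-day re-arm still applies.
      if [ "$rearm" = "0" ] || [ "$rearm" = "false" ]; then
        echo "disabled-permanent"
      else
        echo "disabled-will-rearm"
      fi ;;
    *)
      echo "unknown" ;;
  esac
}

# Live check on a Mac: gather both inputs and classify. Run with root
# privileges so the /Library/Preferences plist is readable.
audit_gatekeeper() {
  status=$(spctl --status 2>&1)
  rearm=$(defaults read "$GK_PREFS" GKAutoRearm 2>/dev/null || echo "missing")
  classify_gatekeeper "$status" "$rearm"
}

# Constructed sample inputs, as a fleet report might carry per machine:
#   classify_gatekeeper "assessments disabled" "0"        -> disabled-permanent
#   classify_gatekeeper "assessments disabled" "missing"  -> disabled-will-rearm
#   classify_gatekeeper "assessments enabled"  "missing"  -> enforced
```

Machines reported as `disabled-permanent` are the ones where both the Gatekeeper assessment and its automatic re-arm have been switched off, so they are the set to review when deciding whether that exception is still justified.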


For those who want to set this with a management profile, I’ve created a .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/DisableGatekeeperAutomaticReenablement


Update – 7-31-2015: My colleague Tom Burgin points out that this may not be manageable via a profile after all, due to the way Apple has set the value that it’s reading:

https://twitter.com/tomjburgin/status/627152906366676992

If a management profile isn't being respected, the defaults command listed above is the way to apply this setting to machines.

I’ve filed a bug report about this. For those interested in duping this bug, the bug report ID is 22094327. I’ve also cross-posted it to OpenRadar:

https://openradar.appspot.com/22094327


  1. July 31, 2015 at 5:10 pm

    Rich, as you probably know, there’s an Apple provided profile setting for managing gatekeeper. Are you saying even that gets overridden by this mechanism, requiring an additional setting to be added to a profile to prevent the re-arming?

    This would explain the reports I’ve gotten from techs claiming gatekeeper was enabled and greyed out even though I’m disabling with a profile. The workaround has been to delete the profile, then disable gatekeeper again. I guess I just need to add this additional key.

    • August 5, 2015 at 12:43 pm

      @patgmac Can confirm. I assumed (without any investigation on my part) that it was software updates or something re-enabling it!

      Awesome find Rich!

  2. December 21, 2016 at 11:48 pm

    Hello Rich, is this still an issue with macOS 10.12?
