Gatekeeper and Notarization on macOS
Understanding macOS code signing, Gatekeeper enforcement, Apple notarization, and managing them in enterprise environments
Overview
Gatekeeper is macOS’s first line of defense against untrusted software. It verifies that apps downloaded from the internet are signed by a known developer and have been checked by Apple through the notarization process. For Mac admins, Gatekeeper enforcement shapes how you deploy software, manage developer tool exceptions, and maintain security compliance across your fleet.
What Gatekeeper Does
When a user attempts to open an application downloaded from the internet, macOS checks for the com.apple.quarantine extended attribute. If present, Gatekeeper performs several checks before allowing execution:
- Code signature validation – Is the app signed with a valid Apple Developer ID?
- Notarization check – Has the app been submitted to Apple and cleared by their automated security scan?
- XProtect scan – Does the app match any known malware signatures?
- Path randomization – On first launch, macOS may run the app from a randomized read-only path to prevent dylib hijacking
If any check fails, macOS blocks the application and presents the user with a warning dialog.
Levels of Trust
Historically, macOS offered three Gatekeeper settings in System Preferences:
| Setting | Description | Status |
|---|---|---|
| App Store only | Only apps from the Mac App Store | Available |
| App Store and identified developers | Apps signed with a valid Developer ID | Default |
| Anywhere | No Gatekeeper enforcement | Removed in macOS Sierra |
The “Anywhere” option was removed from the GUI in macOS Sierra (10.12). While it can technically be re-enabled via spctl --master-disable, doing so is strongly discouraged in any managed environment.
Code Signing Basics
Code signing uses cryptographic certificates to verify:
- Identity – The developer is who they claim to be
- Integrity – The app has not been tampered with since it was signed
You can verify code signatures using the codesign utility:
# Verify an application's code signature
codesign -v --verbose=4 /Applications/Slack.app
# Display detailed signing information
codesign -dv --verbose=4 /Applications/Slack.app
# Check the signing authority chain
codesign -dv --verbose=4 /Applications/Slack.app 2>&1 | grep Authority
A valid signature chain should show the developer certificate, an intermediate Apple certificate, and the Apple Root CA.
Apple Notarization
Notarization is an automated process where developers submit their app to Apple before distribution. Apple scans the app for malicious components, known malware, and code signing issues. If the app passes, Apple issues a notarization ticket that is stapled to the app or hosted online.
When Gatekeeper checks an app, it contacts Apple’s servers (or reads the stapled ticket) to confirm notarization status. This happens transparently to the user.
Note: Notarization is not App Review. Apple does not evaluate the app’s functionality or quality – it only performs automated security checks. Developers can notarize apps distributed outside the Mac App Store.
Managing Gatekeeper with spctl
The spctl (Security Policy Control) utility lets admins query and manage Gatekeeper policies:
# Check Gatekeeper status
spctl --status
# Assess whether an app would be allowed by Gatekeeper
spctl --assess --verbose=4 /Applications/SomeApp.app
# Assess a disk image
spctl --assess --type install --verbose=4 /path/to/installer.pkg
# Disable Gatekeeper entirely (NOT recommended)
sudo spctl --master-disable
# Re-enable Gatekeeper
sudo spctl --master-enable
Warning: Disabling Gatekeeper with
--master-disableremoves a critical security layer. In managed environments, use MDM configuration profiles to manage exceptions rather than disabling Gatekeeper entirely.
Dealing with “Cannot Be Opened” Errors
When users encounter the message “cannot be opened because the developer cannot be verified,” there are several approaches depending on the scenario:
For Individual Macs
Users can right-click (Control-click) the app and select Open, which presents an option to bypass the Gatekeeper check for that specific app. This grants a one-time exception.
Removing the Quarantine Attribute
As a last resort, you can strip the quarantine flag manually:
# Remove quarantine attribute from an application
sudo xattr -d com.apple.quarantine /Applications/SomeApp.app
# Remove quarantine recursively (for app bundles with nested components)
sudo xattr -rd com.apple.quarantine /Applications/SomeApp.app
This should only be done when you have independently verified the legitimacy and safety of the software.
Enterprise Management via MDM
In managed environments, the proper way to handle Gatekeeper exceptions is through MDM configuration profiles rather than manual workarounds:
Configuration Profile Options
- Allow identified developers – Set the default Gatekeeper policy fleet-wide
- Allow specific apps by Team ID – Whitelist software from specific developers without weakening overall Gatekeeper enforcement
- Prevent users from overriding – Lock Gatekeeper settings so users cannot add exceptions
Deploying Unsigned or Non-Notarized Software
When you need to deploy in-house tools or legacy software that is not signed or notarized:
- Package the software via your MDM – Apps installed by MDM do not receive the quarantine attribute, bypassing Gatekeeper checks
- Sign it yourself – Obtain an Apple Developer ID and sign your internal tools
- Notarize it – Even internal tools can be submitted for notarization using
notarytool
# Submit an app for notarization via command line
xcrun notarytool submit /path/to/app.zip \
--apple-id "developer@company.com" \
--team-id "TEAMID123" \
--password "@keychain:AC_PASSWORD" \
--wait
# Staple the notarization ticket to the app
xcrun stapler staple /path/to/YourApp.app
Verifying Notarization Status
You can check whether an app has been notarized:
# Check notarization status of an app
spctl --assess --verbose=4 --type execute /Applications/SomeApp.app
# Check stapled ticket
stapler validate /Applications/SomeApp.app
Key Takeaways
Gatekeeper and notarization form a critical trust layer in macOS security. For Mac admins, the goal should be to keep Gatekeeper enabled at its default setting, use MDM to manage any necessary exceptions, and push developers of internal tools toward proper code signing and notarization. Avoid spctl --master-disable and xattr -d com.apple.quarantine as standard practice – they should be reserved for troubleshooting, not workflow.