How Gatekeeper Protects Your Mac

In OS X you can use Gatekeeper to protect your Mac from malicious software. Most users should have it set to only allow apps from the Mac App Store. When you do so, it is easy to allow other apps on a case-by-case basis, so even expert users should consider this setting as the default.
Video Transcript / Captions

Hi, this is Gary with On this episode let me show you how you can use Gatekeeper in OS X to protect your Mac.

So what is Gatekeeper? Gatekeeper is something you will find in System Preferences. It is one of the main ways that your Mac protects you from malware.

If you go to System Preferences and search for Gatekeeper, you will see that it points to Security & Privacy. When you go to Security & Privacy you won't find anything called Gatekeeper there. It is a little confusing because Apple took away the name but not the functionality in El Capitan. Before that you would see Gatekeeper as one of the options up here or be labeled down here.

This is the functionality right here: "Allow apps downloaded from," and it gives you three options. In order to access those three options you need to unlock the panel with your password.

Now you can switch between three options here: to allow apps only from the Mac App Store, allow them from the Mac App Store but also from identified developers, or from Anywhere, basically turning Gatekeeper off.

So what do these do? Well, this one is pretty obvious. You can only download software from the Mac App Store. But that is not exactly true. Gatekeeper will prevent you from easily installing software that's not from the Mac App Store but you can still install any software on your Mac. I'll show you how that works.

The second level allows you to download software from other websites and install it as long as the software has been signed by the developer with a certificate that they got from Apple. In other words Apple has a relationship with the developer and there is some identification of where that software comes from. Now this isn't a guarantee that the software won't contain anything bad but it is a guarantee that Apple can identify the software easily.

So, for instance, if the developer does something bad Apple can revoke their certificate and not allow them to publish signed software anymore. But more likely what this is going to be used for is if some piece of software gets on your computer and maybe on many Macs that has some malware, Apple can shut that down. They can update the security software in OS X and that security software is updated all the time online. Your version of Mac OS X is always calling in to Apple and finding out the latest security updates.

It can shut down that app maybe even before you know anything is wrong. So this can protect you from a case where, say, a developer itself is hacked and then unknowingly distributes software that has some malware in it. This has happened recently where a legitimate developer with a signed piece of software had distributed something with some malware in it. What happened was they were hacked and somebody else put that malware in their software. It only affected a very tiny number of people that used a certain client and downloaded in a certain way. So it's nothing that probably you need to worry about at all and the situation has been taken care of because Apple was able to revoke that signature so that identified developer then was able to then be turned off and the legitimate developer actually got a new identifier to use for future software.

Anywhere though, what's going to happen then, it's even going to give you a warning here, just allows you to install anything from anywhere. There is really no reason for anybody to have this turned on. Maybe if you were a software reviewer who writes reviews and you're installing stuff many times a day or you're a tester installing things many times a day. But even then it is so easy to allow Gatekeeper to install something, even if you are on one of these higher settings, that there is really no excuse to have this turned on.

I recommend everybody keep their setting on Mac App Store only. I'm going to keep it there now and am going to show you how you can still download software from a trusted developer.

Just as an example I've gone to the SmithMicro Software site. They've been around for decades and they are a trusted developer. They have this Stuffit Expander tool which will allow you to expand .sit files if you have any of those lying around from a long time ago. I'm going to download their free tool here and it will go into the downloads folder. I'm going to Hide Safari. Go into my Downloads folder and click on the disk image there and it's going to expand the disk image. So now I have this. This is the disk image here and what I need to do in order to use this is I can just run it from here or I can put it into my Applications folder.

So that's what I'm going to do. I'm going to drag and drop this into my Applications folder. So now I've added it in there. Now I'm going to go ahead and run it and see what happens because I didn't download this from the Mac App Store and yet I have my Gatekeeper settings set to Mac App Store only.

Okay I'm going to double click on the app and it's going to give me a warning, can't open it up because my security preferences only allow installation of apps from the Mac App Store. I'm going to hit OK. Now how do I get around that.

Well, I could go back into System Preferences here and basically upgrade my security level, or downgrade it, to another thing and then it will allow me to run it. But I can also use this Open Anyway button. Notice that it knows the last app I tried to open that it blocked. It will allow me to open it anyway. But what Open Anyway does is only bump the level up one amount.

So this is an app that not only is not from the Mac App Store but isn't signed by an identified developer because it is an old app. So if I say Open Anyway it's still not going to work. It's still going to say can't do it because it actually needs to bump all the way up to the Anywhere thing because not only is it not from the Mac App Store but it's not from an identified developer.

If I had my setting here then I can hit Open Anyway and even though it's not from an identified developer it will bump it up to the Anywhere level and it will ask me if I'm sure I want to open it. I say yes and it opens. You can see the little icon here for me to drop stuff on.

So to summarize, for most Mac users you want to have it just set to Mac App Store. Then only download apps from the Mac App Store or from developers you really trust. Use the Open Anyway button if you decide to download something else. Make sure you trust those developers.

For instance, you can download Office from Microsoft, you can download the Adobe software, you can download from other developers you really trust and you really know and you're sure you are at their actual website. Not downloading it from some other place.

Now if you want to do that then you want to set it here if you're going to do that often. But I would just keep it here and then just use that Open Anyway button to open that software that's signed by developers. I don't think that anybody should ever have their settings to Anywhere. If you're somebody that downloads lots of software from third parties that's not in the Mac App Store, use the middle setting, use the Open Anyway button after you're sure that you trust the software, and give yourself that one extra step to prevent you from accidentally opening something that maybe you should have thought twice about.
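
A command-line view of the three settings described in the transcript, as an added example that is not part of the original video or page: it runs `spctl --assess` over `/Applications` and reports, per app, the lowest setting that would let it open without Open Anyway. The sample outputs and the `gatekeeper_level` and `audit_apps` names are constructed for illustration, and the `source=` line format is an assumption about what `spctl --assess -vv` prints.

```shell
#!/bin/sh
# Added example (not from the video). The sample outputs below are constructed
# and assume the "source=" line printed by `spctl --assess -vv`.
SAMPLE_STORE='/Applications/Example Store App.app: accepted
source=Mac App Store'
SAMPLE_DEVID='/Applications/Example Signed App.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/Example Old App.app: rejected
source=no usable signature'

# gatekeeper_level TEXT: print the lowest "Allow apps downloaded from"
# setting under which the assessed app opens without Open Anyway.
gatekeeper_level() {
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store")   echo "mac-app-store" ;;
        "Apple System")    echo "apple-system" ;;           # built into the OS
        *"Developer ID"*)  echo "identified-developers" ;;  # signed, not from the store
        *)                 echo "anywhere" ;;               # unsigned or not assessable
    esac
}

# audit_apps DIR: assess every .app bundle in DIR (macOS only).
audit_apps() {
    spctl --status 2>&1 || true        # "assessments enabled" means Gatekeeper is on
    for app in "$1"/*.app; do
        [ -e "$app" ] || continue
        # spctl reports on stderr and exits non-zero when it rejects an app
        out=$(spctl --assess --type execute -vv "$app" 2>&1) || true
        printf '%-22s %s\n' "$(gatekeeper_level "$out")" "$app"
    done
}

if command -v spctl >/dev/null 2>&1; then
    audit_apps /Applications
else
    # No spctl (not macOS): classify the constructed samples instead.
    for s in "$SAMPLE_STORE" "$SAMPLE_DEVID" "$SAMPLE_UNSIGNED"; do
        gatekeeper_level "$s"
    done
fi
```

Apps reported as `anywhere` are the ones that, like the old unsigned tool in the demonstration, are blocked at both of the stricter settings.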

Comments: 22 Responses to “How Gatekeeper Protects Your Mac”

    3 years ago

    Hi, Thanks for a useful and informative article. I certainly gained a lot of useful information from it.
    Keep up the good work.
    Best wishes

    3 years ago

    Wow! Am I glad I listened, watched & made the necessary change! Thanks for the pre-need help.

    3 years ago

    Love the security of knowing this, and being able to control and protect my Mac even more. Thanks, Gary.

    3 years ago

    Just moved to El Capitan from Snow Leopard (!). I really appreciate getting this information. Just this week, I detected some malware (Nariabox and Montageobax). Glad to know about this setting.

    3 years ago

    C: If you somehow installed Nariabox and Montageobax (malware trojans, I believe) then you need to review your security procedures. See and also consider getting my Mac Security Book (link on the left side of page).

    Freddie Pineiro
    3 years ago

    I also found this very informative. By the way, there is another way to open those apps: you right click it and it gives the option to open the app and tell Gatekeeper to allow it to open in the future without having to change its settings.

    3 years ago

    Great advice Gary.

    3 years ago

    Thank you for sharing your knowledge. It makes a huge difference to my computing experiences.

    3 years ago

    Did not know about this. Good lesson to learn. Many thanks, your videos are very informative.

    3 years ago

    Really good advice. Could you go through all the rest of the Security and Privacy setting as well. I use Archicad and have it set to block incoming connections, but Archicad is behaving oddly. Why would it need to connect to the internet?

    John Roberts
    3 years ago

    Checked my security prefs to find the middle option already set. I have Macbook 2015 model. I haven’t changed anything. Must have been shipped that way.
    John R

    3 years ago

    Raiford: Archicad?

    Jean H
    3 years ago

    Thanks Gary, This prompted me to check my security level. Apparently at some point I had chosen “anywhere”. Oops! It is now corrected.

    3 years ago

    I currently use Avast Free Antivirus (Mac Version). Not sure whether it provides real time protection or not. Hasn’t done any harm so far.

    3 years ago

    Good advice. Thank you!

    3 years ago

    Thank you so much for this information. I’m a new Apple user, and it’s really helpful to have things explained like this. I’m also really impressed with how Apple does this!

    3 years ago

    Good advice. Thanks

    Gary(not Rosenzweig)
    3 years ago

    For Macbook users: Keep in mind that Gatekeeper and other security features like xprotect do not get security updates while running on battery power. As far as I can tell from the messages in Console, they don’t even check for updates until you plug in the charger. Mavericks and Yosemite did it fairly soon after connecting power, El Capitan takes awhile longer to get around to checking. You can see what updates you have recently gotten by looking at the System Report under About This Mac.

    3 years ago

    Thank you Gary. Really informative.

    3 years ago

    VERY important information. Just using a Mac gives me a more secure feeling than if I were on another platform. I have Yosemite and the system preference is called “Security & Privacy” on older operating systems.

    3 years ago

    On Yosemite and earlier, I could just hold down the control key and click the app icon and then click the Open button. Doesn’t El Capitan allow that feature anymore? I enjoy all your useful knowledge. Thank you for sharing with us!

    Lazaro Jordan
    3 years ago

    This video was very useful. You are really good at explaining complex things in a simple manner. Thank you So Much!
