MacMost Now 742: Understanding Gatekeeper

Gatekeeper is a new security feature of OS X in Mountain Lion. It allows you to prevent apps from being installed depending upon the source of the app. You can decide to only allow Mac App Store apps, or also allow signed apps, or turn off Gatekeeper if you don't want to use it. Learn how to set Gatekeeper and why it will help you keep your Mac more secure.

Video Transcript
Hi, this is Gary with MacMost Now. On today's episode let's take a look at the new Gatekeeper function in Mountain Lion.

So Gatekeeper is a new security measure that's in Mountain Lion that allows you to basically say only allow apps from the Mac App Store to be installed on this computer. Alternatively, you can say you will also allow apps that are signed by an official developer to be installed on the computer or your third option is to turn the Gatekeeper off and things will operate as they did in Lion and in any OS before that. Let me show you.

The Gatekeeper settings are found in Mountain Lion in System Preferences and you go to Security and Privacy and under General you will see them listed here. You have to unlock in order to access them.

So here are the three options. So if you select the first one, that means only software from the Mac App Store can be installed. If you try to download other software from another web site or you get software via email, something like that, it won't let you install it. However, you can still install software from optical disks. So for instance if you buy something like Microsoft Office on disk and you want to install it on your iMac you can still do that. This only applies to the network for getting software off the internet.

Now the second option allows you to install software from the Mac App Store but in addition to that it allows you to install software from developers' web sites as long as the developer has signed up with Apple's Mac developer program and they sign their apps with their unique identifier that Apple gives them. This provides accountability. Basically the developer has identified themselves with the software and it makes sure they are held accountable if the software is actually some sort of malware, which is highly unlikely if they are signing up for this program and identifying themselves to Apple. In the extreme case, if the software misbehaves, then Apple has the ability to identify the piece of software and send out signals through its malware protection software to actually disable it. Probably that will never happen as the accountability here is pretty strong. So it's kind of a second level and expect to see some developers use this. The Mac App Store has very strict restrictions on what software can do. For instance, utilities that access the operating system and do various different things can't be in the Mac App Store. So some of the more tech geeky tools won't be in the Mac App Store but may be available from the developer on their site as a signed app and you will be able to install it if you have the second option selected.

Now the third option, and you see when I select it it is actually going to make sure that's what I want to do, sets everything up like every OS before. You can install software from anywhere. You can download from web sites, it doesn't need to be signed, and you can install it.

Malware protection is still in place. This is separate from malware protection. So everything you have in Lion is available including malware protection if you select Anywhere.

Now there may be some developers that don't want to be part of the Apple Developer Program but they are perfectly legitimate developers. You may also work in an environment where you have all sorts of software traded back and forth between say students in a university, part of a classroom work, at a work environment where apps are developed and used in-house and there is no need to actually go out to Apple and have them certified. So this might be useful for those folks.

Now it is easy to switch back and forth between these as you can see. So there is no harm in setting yourself to being Mac App Store only and then if you do need to install another piece of software you can temporarily change it and go ahead and then change it back after installing it.

The Mac App Store setting is ideal if you are maintaining your computer used by a non-tech-savvy family member. It makes sure they don't go installing things when you are not around and then running into trouble. So you can set it to that and then if they really need something you can go in and change the setting, help them install that software, and then set it back.

The best thing about Gatekeeper is that it is there if you want to use it and if you don't want it you can just turn it off.

Hope you found this useful. Until next time this is Gary at MacMost Now.

Comments: 9 Responses to “MacMost Now 742: Understanding Gatekeeper”

    Michael A.
    7/31/12 @ 11:15 am

    So if I turn off Gatekeeper, install unsigned software, and re-enable Gatekeeper, the unsigned software will run? I thought Gatekeeper would stop anything unsigned from running, regardless of how or when it was “installed”.

      7/31/12 @ 12:15 pm

      I think it may warn you, but it doesn’t stop you.

    Michael A.
    7/31/12 @ 11:20 am

    OK, Apple’s high-level Mountain Lion features page also says there is a “manual override” for Gatekeeper ( While this feature eliminates a lot of people’s objections to using Gatekeeper, it seems like it makes it a less effective malware repellent.

      7/31/12 @ 12:16 pm

      Well, there’s only so far it can go, right? I mean, you can also hit your Mac with a hammer — know what I mean? If you are warned over and over and you still want to install, then…
      Keep in mind that this is separate from Malware security. If something is registered or recognized as Malware, there’s a whole other system that kicks in and I don’t think you can bypass that so easily.

    8/11/12 @ 12:46 am

    Ok, I understand the function of Gatekeeper. But how does it work with OS X’s built in malware scanner (xProtect)? I have also heard that there is another application called “file quarantine” which also protects you from malware. Do all 3 of the applications work in a sequence or do they serve different functions? And are there any other applications after these 3 that provide additional layers of protection from malware? I have heard Mountain Lion has sandboxing and ASLR.

      8/11/12 @ 7:31 am

      It doesn’t work “with” it, it works “in addition to” it. They are separate systems.
      Never used file quarantine.
      The Mac App Store (not MLion, really) has sandboxing, but that only applies to apps that are in the Mac App Store and is really more of a stability thing, not anti-malware. If you download something from a third-party untrusted source, then they can put anything in their code, just as you can if you were a developer. Doesn’t mean it is bad. As a matter of fact, some great apps need to be sold outside of the Mac App Store to provide advanced functionality.
      It sounds like you are very concerned about this. Which is good and means you will probably have no problems as you’ll be investigating and contemplating each piece of software you install. The danger is really with the people that install tons of software without thinking about it.

    Mr Anthony Cotton
    10/3/12 @ 12:10 pm

    Sorry for the late reply, because I did notice it in my email. Then I looked at another email you sent, and it was in there. Yes and this video was very helpful. Gary

    Mr Anthony Cotton
    10/3/12 @ 1:55 pm

    I have just tried it again with the settings to any developer, but it does not work so I have just sent an email to the developer. Which it tells you to do if it does not work. I have completely trashed it. I get all of my downloads from C-Net, and my page is set for only Mac downloads. I believe they are a reputable website, and this is the first time an App has not worked. I am going to get a new download to see if that works. Gary

    Mr Anthony Cotton
    10/4/12 @ 11:59 am

    Yes it works great, that's what the guy recommended to do, a new download of the YouTube Application, and it should work. Thanks again for pointing this out in the email you sent me Gary.
