Following on from John’s Gatekeeper podcast, I thought I would blog about something that I’ve been asked about a few times whilst teaching Apple’s Support Essentials course: how to remotely manage Gatekeeper using the command line.
As John mentioned in his podcast, the spctl command line tool manages the security assessment policy subsystem which maintains and evaluates rules that determine whether the system allows the installation, execution, and other operations on files on the system.
spctl can therefore be used to manage Gatekeeper. Gatekeeper is enabled by default and I strongly recommend leaving Gatekeeper enabled for security reasons.
However, you may require Gatekeeper to be disabled if, for example, it’s rejecting applications that you require to run within your organisation.
Or perhaps you need to ensure that it is enabled.
If you need to remotely enable or disable Gatekeeper, this can be performed by using spctl via the SSH protocol, or by using the Terminal or even through Apple Remote Desktop (available on the Mac App Store or the Online Apple Store).
These commands should be executed as the root System Administrator user since administrator authentication is required to configure Gatekeeper.
Suppose the computer on which we need to remotely enable Gatekeeper is called ‘applemac1’ and its administrator account is ‘admin’. If this computer is on the same network as your own computer, you can use the following steps to log in to it over SSH and manage Gatekeeper:
Step 1)
Enable Remote Login on the applemac1 computer within Sharing preferences.
Step 2)
On your own computer, open the Terminal utility and enter:
ssh admin@applemac1.example.com
(This command assumes that the user account is ‘admin’ and that the computer’s domain name is ‘applemac1.example.com’.)
Step 3)
When asked if you are sure you want to continue connecting to this remote host, enter:
yes
then press the enter key.
Step 4)
Now enter the password for the admin user that you wish to remotely authenticate as and press the enter key.
Step 5)
The Terminal prompt should now have you logged in as the admin user on the remote applemac1 computer.
Step 6)
To remotely enable Gatekeeper, enter the following, then press the enter key:
sudo spctl --master-enable
The result of this command is shown in the Security and Privacy preferences pane.
To remotely disable Gatekeeper, enter the following, then press the enter key:
sudo spctl --master-disable
The result of this command is shown in the Security and Privacy preferences pane.
Step 7)
Authenticate, if required, with the admin user’s password and press the enter key.
Step 8)
To verify your changes, enter the following, followed by the enter key:
spctl --status
If Gatekeeper is enabled, the status will respond with ‘assessments enabled’; after successfully disabling Gatekeeper, the response will be ‘assessments disabled’.
For further information on the spctl command, read the manual for spctl by typing man spctl into the Terminal utility.
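The verification in Step 8, extended to several Macs at once, as an added example that is not part of the original post: a read-only script that logs in over SSH, runs spctl --status and reports any host where assessments are not enabled. It assumes key-based SSH login for the ‘admin’ account and that each host's key is already in known_hosts; the function names and the second hostname in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: read-only Gatekeeper audit over SSH (changes no settings).
# Assumptions: key-based SSH login as ADMIN_USER, host keys already trusted.

ADMIN_USER="${ADMIN_USER:-admin}"   # account name used in the walkthrough

# Map the text printed by `spctl --status` to a single state word.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;   # SSH failure or unexpected output
    esac
}

# Run `spctl --status` on one host. BatchMode stops ssh from prompting for a
# password; StrictHostKeyChecking=yes refuses hosts whose key is not already
# in known_hosts instead of asking whether to continue connecting.
remote_status() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes \
        "$ADMIN_USER@$1" 'spctl --status' 2>&1 || true
}

# Print "host state" for every host; return 1 if any host is not enabled.
audit_hosts() {
    rc=0
    for host in "$@"; do
        state=$(gatekeeper_state "$(remote_status "$host")")
        echo "$host $state"
        [ "$state" = enabled ] || rc=1
    done
    return "$rc"
}

# Usage: ./gatekeeper-audit.sh applemac1.example.com applemac2.example.com
if [ "$#" -gt 0 ]; then
    audit_hosts "$@"
fi
```

A host reported as ‘unknown’ could not be reached or authenticated, so it counts as a failure rather than being silently skipped.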
For more information on OS X management and deployment, why not attend one of our Advanced Deployment courses.
For more information on how to configure and use SSH Remote Login, why not attend one of our Support Essentials courses.
This feature has been tested using OS X v10.8.3, which was the latest Mac OS release at the time of writing, and also using the latest internal and external Apple keyboards.