Podcast: Gatekeeper


Hello and welcome to this Amsys Training podcast.  My name is John and today I will be talking you through one of the new features of Mountain Lion, Gatekeeper.
Gatekeeper is a new security feature that has been included in Mountain Lion, designed to protect your Mac from inadvertently downloading and installing malware and other untrusted applications.
Gatekeeper is a rare example of Apple retroactively introducing a feature to a prior OS.  It was first introduced in 10.7.4 but was a hidden feature, solely there for developers to test with.  With the release of 10.7.5, it is now visible and works the same as in Mountain Lion.
Gatekeeper is a rethink in the way security is handled within OS X.  Historically, the security approach has been to keep a list of known bad apps or malicious code which, when detected, will result in a warning within the OS.  With Gatekeeper, the opposite is now true.  By default all applications are blocked except for ones either downloaded from the Mac App Store or from an identified developer, which we will discuss further later on.
It is important to note that Gatekeeper only applies to applications downloaded from the internet.  Existing apps are not affected, nor are applications locally copied to the computer (e.g., from a USB drive or a local network share).  The reason for this is Gatekeeper only looks at items that have been quarantined by the system.  Quarantine only applies to downloaded items.
Gatekeeper is reliant on Code Signing to verify the identity of the application developer.

So what is Code Signing?

Code Signing is a way of signing an application in such a way that its developer can be identified and so that, when the application is run, the system can check to make sure the application has not been tampered with or damaged in some way.
Potential developers can apply to Apple for a Developer ID.  This can then be used to sign their applications so that Gatekeeper in its default configuration will allow them to open.
If you are interested in obtaining a Developer ID certificate, it is a $99 a year subscription to the Mac Developer Program.  This allows you to develop Apps for sale on the Mac App Store as well as issuing you your Developer ID certificate.
If you want to view or change your Gatekeeper settings, these are managed from the Security and Privacy system preference.  In the General pane, note that you must click on the padlock and authenticate as an admin user in order to be able to make any changes.  In the lower half of the screen, there is an option labelled Allow applications downloaded from.  Although not obvious, these are the graphical Gatekeeper settings.
The default setting is Mac App Store and identified developers.  If you want to make Gatekeeper more restrictive, you can choose Mac App Store only.  If you want to disable Gatekeeper completely, you can choose Anywhere, although this is not recommended by Apple.
If Gatekeeper blocks your application then you will see one of the following dialog boxes, giving you some information on the reason for the failure to open.
If as an Admin user you want to open an application that Gatekeeper has blocked, there is an easy way to bypass the current settings.  Simply control click, or right click, on the application in question and then choose open from the contextual pop up menu.  This will allow you to open the app without disabling Gatekeeper first.
To finish up, it is worth mentioning that there is a new command line tool included in Mountain Lion called spctl.  Used to manage system policy security, it can be used to interrogate an application to see whether Gatekeeper will or will not allow it to be opened.  Simply type spctl --assess followed by the path to the application to see whether Gatekeeper will allow it to open.
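As an added example (not part of the Amsys podcast), the short script below ties the quarantine point from earlier together with the spctl check just described: it reports whether an app still carries the quarantine flag, whether assessments are switched on at all (the "Anywhere" setting turns them off), and what verdict spctl gives. It assumes a Mac running 10.7.5 or 10.8 with the xattr and spctl tools available; the two SAMPLE_ strings are constructed copies of spctl's verbose output so the parser can be exercised without a real app.

```shell
#!/bin/sh
# Gatekeeper check helper - added example, assumes macOS 10.7.5+ with spctl and xattr.

# is_quarantined PATH -> exit 0 if the com.apple.quarantine attribute is present.
# Only quarantined items are assessed, which is why local copies are never blocked.
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# assessments_enabled -> exit 0 unless Gatekeeper is set to "Anywhere".
assessments_enabled() {
    spctl --status 2>&1 | grep -q 'assessments enabled'
}

# classify_assessment TEXT -> prints "<accepted|rejected|unknown> <source reason>"
# TEXT is the combined output of: spctl --assess --type execute -v PATH
# which looks like "/Applications/Foo.app: accepted" followed by "source=Developer ID".
classify_assessment() {
    text=$1
    case "$text" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *)              verdict=unknown ;;
    esac
    # The source= line names the reason (Developer ID, Mac App Store, no usable signature, ...)
    src=$(printf '%s\n' "$text" | grep '^source=' | head -n 1 | cut -d= -f2-)
    printf '%s %s\n' "$verdict" "${src:-unknown}"
}

# gatekeeper_verdict PATH -> one summary line for the given application bundle.
gatekeeper_verdict() {
    app=$1
    if is_quarantined "$app"; then q=yes; else q=no; fi
    if assessments_enabled; then a=on; else a=off; fi
    out=$(spctl --assess --type execute -v "$app" 2>&1)
    printf '%s quarantined=%s assessments=%s %s\n' "$app" "$q" "$a" "$(classify_assessment "$out")"
}

# Constructed sample output in the format spctl -v prints, for offline parser checks.
SAMPLE_ACCEPTED='/Applications/Example.app: accepted
source=Developer ID'
SAMPLE_REJECTED='/Users/me/Downloads/Unsigned.app: rejected
source=no usable signature'

if [ "$#" -gt 0 ]; then
    gatekeeper_verdict "$1"
fi
```

Run it as `sh gatekeeper-check.sh /path/to/Some.app`; a "rejected" verdict with an "accepted" signature source usually means the quarantine flag rather than the signature is the reason the app would be blocked.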
I hope you have found this Podcast useful and informative.  Thanks for watching.