How to Work With and Around Gatekeeper

Gatekeeper, part of the Mac’s security system for ensuring files you download or install on your Mac are safe to use, has been around in one form or another for quite a while. Primarily intended to prevent various forms of malware from infecting the Mac, Gatekeeper has been guarding the Mac since OS X Leopard, though it originally went by the name File Quarantine.

Gatekeeper does its job quite well, standing guard and helping to keep your Mac safe. But sometimes, this tireless security system can get in the way of apps and extensions that you need to run but that don’t meet the sometimes strict requirements for getting past Gatekeeper.

In this Rocket Yard guide, we’ll look at how Gatekeeper operates, how best to use it, and how to get around some of the restrictions Gatekeeper imposes.

Gatekeeper: A Bit of History

With the introduction of OS X Leopard, Apple added a new file quarantine service to protect users from various types of malware, with Trojan horses being a common issue back then. 

Files downloaded to the Mac were marked as quarantined, and prevented from running until the user acknowledged that they had indeed intentionally downloaded the file and wished to run the app. This prevented malicious sites from downloading and running apps without the user knowing about them. It was a very basic security measure, but over time, Apple developed it into the Gatekeeper system that is installed on all Macs today.

With Snow Leopard, Apple added the ability to check files against known instances of malware. The system could also check web plug-ins and block them from functioning, including zero-day exploits that had been discovered.

OS X Lion saw the Gatekeeper name applied to the set of security technology Apple had been developing, and was the first time that developers needed to sign their apps to allow them to get past the Gatekeeper guard.

Gatekeeper’s default settings only allow apps downloaded from the App Store to be installed.

File Quarantine System

Although Gatekeeper has advanced to become a robust guardian, it still makes use of the File Quarantine system to identify known malware. File Quarantine is essentially a blacklist of malware signatures that Gatekeeper uses to identify a downloaded file that includes any known malware.

Apple updates the File Quarantine system on a regular basis, and downloads the updates to your Mac along with other system and security updates. There was a time when some users experienced File Quarantine updates so often that they reduced system performance, or at least performance during Internet-related activities such as browsing, email, and messaging. Although those issues seem to be long gone, there was a means to halt the File Quarantine updates.

While there doesn’t seem to be a reason today to prevent the updates, it can still be done with these steps:

OS X Mountain Lion and earlier: Open System Preferences and select the Security & Privacy preference pane.

Click the lock and enter an administrator name and password.

Click the Advanced button.

In the sheet that drops down, place or remove the checkmark in the “Automatically update safe download list” item.

OS X Mavericks through macOS High Sierra: Open System Preferences and select the App Store icon.

Place or remove the checkmark from the “Install system data files and security updates” item.

macOS Mojave and later: Open System Preferences and select the Software Update preference pane.

Click the Advanced button. In the sheet that drops down, place or remove the checkmark in the “Install system data files and security updates” box.

Note: I don’t advise preventing File Quarantine updates. However, if you’re experiencing a problem when installing or restoring to an older version of the OS, it can be helpful to delay some updates until you have the system fully configured. 

In Mojave and Catalina, the options for security updates relating to Gatekeeper are located in the Software Update preference pane.

Gatekeeper and Opening Apps

Gatekeeper is designed, by default, to allow only trusted apps to be installed on the Mac. Trusted apps are those downloaded from the App Store. Software from the App Store has been scanned for known malware, and the developer has digitally signed the app to confirm that it came from an authorized Apple developer. This helps to ensure the app hasn’t been tampered with or altered in any way.

Of course, many Mac users make use of apps that are directly available from developers, which have additional features built into the app that may not be allowed in the App Store. Gatekeeper can be configured to allow these types of apps that still come from an authorized Apple developer but aren’t distributed via the App Store.

Gatekeeper can also be set to not block apps from being installed, essentially letting you install apps from anywhere created by anybody, Apple developer or not.

You can adjust Gatekeeper’s settings using the following methods:

Open System Preferences by clicking on its icon in the Dock or selecting System Preferences from the Apple menu.

Select the Security & Privacy preference pane.

Click on the General tab.

You’ll find the Gatekeeper settings in the “Allow apps downloaded from:” section.

Depending on the version of the Mac OS you’re using, you’ll see either two or three options:

  • App Store
  • App Store and identified developers
  • Anywhere

The “Anywhere” entry is usually only seen in earlier versions of the operating system. However, it can be forced to be available using a Terminal command we will outline below.

An older version of the Mac OS with all three Gatekeeper settings displayed.

To make changes to the Gatekeeper settings:

Click the lock icon, and then enter your administrator name and password.

With the lock unlocked, you can now select which Gatekeeper level you wish to use.

Note: Although it’s tempting to set Gatekeeper to Anywhere, it isn’t advisable for most users, since it negates most of the benefits of Gatekeeper’s security system. If you do need to run an app from developers who haven’t signed their apps, there’s a safe way, outlined below.

Make any changes you wish, after which you can quit System Preferences.

Forcing the Anywhere Option in Gatekeeper

The Anywhere option in Gatekeeper is usually hidden, but it can be enabled with a Terminal command. If you’re not familiar with using Terminal, you may find the Rocket Yard guide: Tech 101: Introduction to the Mac’s Terminal App, Part One helpful.

Make sure System Preferences is closed.

Open the Terminal app, located at /Applications/Utilities.

At the Terminal command prompt, enter the following:

sudo spctl --master-disable

Press enter or return.

Enter your administrator password, if asked, then press enter or return again.

Use Terminal to make the Gatekeeper Anywhere option available in the Security & Privacy preference pane.

Anywhere will now appear as an option in the Security & Privacy preference pane. In addition, Anywhere will be the selected level in Gatekeeper. You can confirm this by opening the Security & Privacy preference pane.

To remove Anywhere as a Gatekeeper option, make sure System Preferences is closed, then launch Terminal and enter the following:

sudo spctl --master-enable

Press enter or return.

Enter your administrator password, if asked, then press enter or return again.

The Anywhere option will be removed. Be sure to open the Security & Privacy preference pane and confirm that Gatekeeper is set to the correct option for you.

Opening Gatekeeper Blocked Apps

Apps that are blocked by Gatekeeper can be opened without having to set Gatekeeper to the Anywhere option; it just requires a few extra steps.

macOS Mojave or later: There’s an easy way to launch apps that Gatekeeper has blocked without having to resort to Terminal to enable the Anywhere option.

The Gatekeeper section of the Security & Privacy preference pane will list recently blocked apps and provide an option for opening the apps. Blocked apps you open from the Security & Privacy preference pane are added as an exception to the Gatekeeper settings, and you’ll be able to open the app in the future using the normal double-click method from the Finder.

Open the Security & Privacy preference pane and select the General tab.

You should see the app that was blocked from being opened in the Gatekeeper section of the preference pane.

Click on the Open Anyway button next to the app’s name.

A dialog box will open, asking if you’re sure you want to open the selected app, even though it’s from an unknown developer. 

“By opening this app, you will be overriding system security, which can expose your computer and personal information to malware that harm your Mac or compromise your privacy.”

Select the Cancel button to not open the app or the Open button to proceed with launching the app.

Mojave and Catalina will list recently blocked apps in the Gatekeeper section of the Security & Privacy preference pane.

macOS Catalina and earlier: You can open a Gatekeeper blocked app with the following trick. 

Locate the blocked app in the Finder, then right-click on the app’s name.

From the popup menu, select Open.

A dialog box will open, saying the app is from an unidentified developer and asking whether you’re sure you want to open it. Click the Open button to proceed.

Tip: Although Mojave and Catalina have additional means to open blocked files, you can still use the right-click open method listed above to launch blocked apps.

More Gatekeeper Terminal Tricks

The Gatekeeper user interface is limited to setting the Gatekeeper level in the Security & Privacy preference pane, but Gatekeeper can do quite a bit more from Terminal. To give you a taste of what you can do, I’ve included a couple of simple Terminal tricks:

List apps from unknown sources you’ve approved for use: In Terminal enter:

sudo spctl --list | grep UNLABELED

Press enter or return.

Enter your administrator password, if asked, then press enter or return again.

Ever wonder which apps you have overridden from Gatekeeper’s blocks? The list option of the spctl command can tell you.

Delete unlabeled (unknown source) apps from Gatekeeper’s exception list: Apps that Gatekeeper would normally block, but that you’ve approved for use, can be removed from the Gatekeeper exception list with the following Terminal command:

sudo spctl --remove /path to application

Where “path to application” is the complete path to the location of the application. An easy way to enter the pathname is to open a Finder window to where the app is located, then enter the --remove command and drag the app from the Finder window to the Terminal window. This will copy the full pathname to Terminal for you. As an example:

sudo spctl --remove /Applications/KStars.app

Press enter or return.

Enter your administrator password, if asked, then press enter or return again.

Note: If you remove an app from the Gatekeeper exception list, the next time you try to use the app it will be blocked. You can use the tricks in the Opening Gatekeeper Blocked Apps section, above, to launch the app.
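
As an added example (not part of the original article), the following shell script audits Gatekeeper from the spctl commands used above: it reports whether assessments are on (the state that --master-disable and --master-enable switch) and lists the UNLABELED exceptions, flagging any whose app is no longer on disk. The function names, the assumed layout of the rule lines, and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit Gatekeeper from spctl output.

# Read `spctl --status` output on stdin; print enabled, disabled or unknown.
gatekeeper_state() {
    case "$(cat)" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;  # the "Anywhere" setting
        *)                        echo unknown ;;
    esac
}

# Read `spctl --list` output on stdin; print the path of each UNLABELED
# (user-approved) rule. Assumed rule-line layout:
#   3001[UNLABELED] P0 allow execute [/Applications/KStars.app]
unlabeled_paths() {
    sed -n 's|^[0-9]*\[UNLABELED\].* allow .*\[\(/.*\)\]$|\1|p'
}

# Of the paths on stdin, print those no longer on disk: leftover exceptions
# that `sudo spctl --remove <path>` can clear.
stale_exceptions() {
    while IFS= read -r app; do
        [ -e "$app" ] || printf '%s\n' "$app"
    done
}

# Constructed sample modelled on `sudo spctl --list` (not captured from a Mac).
SAMPLE_LIST='8[Apple System] P0 allow execute
    anchor apple
3001[UNLABELED] P0 allow execute [/Applications/KStars.app]
    cdhash H"0000000000000000000000000000000000000000"
3002[UNLABELED] P0 allow execute [/Applications/Example Tool.app]
    cdhash H"1111111111111111111111111111111111111111"'

# Live use on a Mac: sh gatekeeper_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "Gatekeeper assessments: $(spctl --status 2>&1 | gatekeeper_state)"
    rules=$(sudo spctl --list)
    echo "User-approved (UNLABELED) exceptions:"
    printf '%s\n' "$rules" | unlabeled_paths
    echo "Exceptions whose app is no longer on disk:"
    printf '%s\n' "$rules" | unlabeled_paths | stale_exceptions
else
    # Offline demo on the constructed sample.
    printf '%s\n' "$SAMPLE_LIST" | unlabeled_paths
fi
```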

Keep the Gatekeeper

Although we’ve shown you how to bypass Gatekeeper, I highly recommend that you leave Gatekeeper enabled, set to either App Store or App Store and identified developers. Turning Gatekeeper off by using the Anywhere setting will prevent the checking of downloaded apps for malware. If you need to run a blocked app, make sure you know where the app came from, who the developer is, and then if you’re sure about the app, use the options above to run the app without disabling Gatekeeper.





  • I can’t seem to get “sudo spctl --remove ” to work on 10.14.6? Are there any alternate ways to achieve the same thing? I also tried “sudo spctl --disable ”. Both result in the Terminal saying: “no matches for search or update operation”, yet I am sure I got the path to the application correct (dragged the app to the Terminal). The app also shows up when I do “spctl -a /Applications/*.app”, saying “” rejected”, however, the app still launches. It’s almost as though it’s registered in some other “allowed” list now.




  • Great information presented to a useful depth. Hope to never have to use it, but you never know.




  • Thanks for all the info. Is there a way to make Gatekeeper stop blocking files from opening? This happens from time to time with mp3 files that I copy from an external drive – Quicktime will not open them, claiming they are apps, and I have to override for every file with a key command. Any idea why this happens?




  • Awesome article. Thanks!