Get to know Mac Gatekeeper, aka Windows 10's security model


Now that Windows has Device Guard, here's how to use its inspiration, Gatekeeper, on the Mac

Windows 10 is getting Mac religion, at least when it comes to how it manages apps. My colleague Fahmida Rashid recently explained the new Device Guard feature in Windows 10, a major step for the ubiquitous Microsoft desktop operating system to combat malware.

Apple introduced a similar technology called Gatekeeper in 2012's OS X Mountain Lion (and backported it to the previous release, OS X Lion, in the 10.7.5 update). Now that Microsoft has Device Guard, the two leading desktop operating systems take the same basic approach to dubious apps: run only software whose publisher is known, and let administrators lock that policy down.

It doesn't matter who had the technology first -- what matters is that there's now a consensus approach to managing computers to keep out malware. Most admins will quickly read up on how to use Device Guard for Windows, but few know how to use the Mac's Gatekeeper equivalent. They should. Here's what you need to know to take advantage of it in your organization. 

The origins of Gatekeeper (and Device Guard)

Adopting this approach was no easy feat for Microsoft. The issue was less technical than practical. Windows' blessing and curse is that it can run an almost unlimited set of apps from practically any source. That's why Windows PCs power everything from ATMs to spacecraft, not simply productivity and design software on users' desktops. It's also what has let malware ravage Windows users.

Restricting the apps that can be installed would keep out malware, but also thousands of legitimate apps. Getting all of those apps certified by Microsoft would have been near-impossible until Microsoft had its own app store and a more centralized way of identifying developers.

By contrast, Apple has the advantage of a much smaller developer base, the dominance of its own Xcode development tool, and a single developer program that issues the Developer ID certificates an app must be signed with to pass Gatekeeper. Microsoft, in its support for a broad range of developers and development tools, had no equivalent chokepoint.

It took a change in attitude at Microsoft to adopt Apple's approach, a change made easier by the introduction of the Windows Store in Windows 8 and Windows Phone and -- let's be honest -- by the steady decrease in PC sales in the last five years and the never-ending parade of Windows malware. Something had to give, and it finally did.

When Macs began to get popular in the early 2010s, Apple saw the potential for a similar malware problem in OS X, especially from drive-by downloads delivered through Internet links and poisoned websites. Then it got a wake-up call with the Flashback malware outbreak in 2012.

How Gatekeeper works

Out of that came Gatekeeper, which by default lets users open only downloaded apps that came from the Mac App Store or that are signed with a Developer ID certificate issued by Apple, meaning Apple knows who the developer is. (Device Guard's code integrity policies now do much the same for Windows.)

Apple heavily polices its app stores for malware. Although that heavy policing (er, curation) drew harsh criticism from developers in the early days, it has kept iOS in particular safe, and Apple hoped for similar safety in OS X. (Of course, some malware has gotten into the iOS App Store. In fact, this past weekend, Apple removed malware-laced apps that got into the iOS App Store after being built with a counterfeit copy of its Xcode development tool. But the few iOS malware incidents pale in comparison to what the Android ecosystem experiences.)

But few OS X developers wanted to pay Apple's 30 percent cut for Mac App Store inclusion, so the Mac App Store has not taken off in a meaningful way, as the iOS App Store has. Thus, Apple adopted the notion of the signed developer ID for those non-Mac App Store apps.

Malware authors are unlikely to obtain a Developer ID in their own name, and a stolen or fraudulently obtained one can be revoked: once Apple flags an ID as untrusted, Gatekeeper refuses to open newly downloaded apps signed with it. The caveat is that Gatekeeper evaluates a downloaded app only the first time it is opened, so apps that have already passed that check keep running after the revocation.

There are legitimate reasons to open unsigned apps, mainly legacy apps created before Developer IDs existed. But in the three years since Gatekeeper's introduction, fewer and fewer of those apps remain without an update, and many that have not been updated won't run on modern OS X anyway because they depend on Rosetta, the compatibility layer for PowerPC apps. Rosetta was retired in 2011, when OS X Lion dropped it, and no later version has included it.

I should note that Gatekeeper acts only on files carrying the com.apple.quarantine extended attribute, which browsers, mail clients and other download tools set on what they save. Apps copied from a network share or from a CD or DVD don't get that attribute, so Gatekeeper won't block them even if they lack a Developer ID. It's designed to stop unsigned downloads, which is how most malware finds its way onto computers.
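As an added example that is not part of the original article, the shell script below shows what Gatekeeper actually looks at: the com.apple.quarantine attribute a download tool sets (its value has the form flags;hex-timestamp;agent;uuid), and the spctl assessment that runs at first launch. The two parsing functions run anywhere; inspect_download calls xattr, spctl and codesign and so only does real work on a Mac. The attribute value and spctl output quoted in the comments are constructed samples, not captures from a real machine.

```sh
#!/bin/sh
# Added example, not from the article: inspect a download the way Gatekeeper does.
#
# Gatekeeper only evaluates files carrying the com.apple.quarantine extended
# attribute, whose value looks like "flags;hex-timestamp;agent;uuid",
# e.g. "0083;55f9c2a0;Safari;9B3C1F2A-0000-4000-8000-000000000000" (constructed).

# Decode a com.apple.quarantine value into "agent=<name> time=<epoch> flags=<hex>".
parse_quarantine() {
    value=$1
    flags=${value%%;*}
    rest=${value#*;}
    ts_hex=${rest%%;*}
    rest=${rest#*;}
    agent=${rest%%;*}
    ts_dec=$(printf '%d' "0x$ts_hex")   # on a Mac, date -r "$ts_dec" gives the download time
    printf 'agent=%s time=%s flags=%s\n' "$agent" "$ts_dec" "$flags"
}

# Reduce `spctl --assess -vv` output ("<path>: accepted" + "source=Developer ID",
# or "<path>: rejected" + "source=no usable signature") to "<verdict>:<source>".
classify_assessment() {
    out=$1
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: \([a-z]*\).*$/\1/p')
    source=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    printf '%s:%s\n' "$verdict" "$source"
}

# Run the real checks against an app bundle; returns 2 when not on macOS.
inspect_download() {
    app=$1
    command -v spctl >/dev/null 2>&1 || return 2
    q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null)
    if [ -n "$q" ]; then
        echo "quarantined: $(parse_quarantine "$q")"
    else
        echo "no quarantine attribute: Gatekeeper will not evaluate this file at launch"
    fi
    # --type execute applies the same policy Gatekeeper uses for apps at first launch
    result=$(spctl --assess --type execute -vv "$app" 2>&1)
    echo "gatekeeper: $(classify_assessment "$result")"
    # Who signed it: the Developer ID chain and Team ID, or nothing for unsigned code
    codesign -dvv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || echo "signature: none"
}

if [ $# -gt 0 ]; then
    inspect_download "$1"
fi
```

Run it as `sh inspect.sh ~/Downloads/Foo.app`. A file with no quarantine attribute either was not saved by a quarantine-aware tool or had the attribute stripped (`xattr -d com.apple.quarantine`), which is exactly the network-share and optical-media gap described above; the spctl verdict tells you whether the Developer ID chain checks out regardless of quarantine, so you can assess such files by hand.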

I should also mention Apple's method for limiting the damage malware can do: app sandboxes. Every Mac App Store app must be sandboxed, which restricts what the app can reach if it is compromised, so a malicious download or exploit can't use it as a foothold into the rest of the system. That requirement is not imposed on apps distributed outside the Mac App Store, so developers can get away with shipping unsandboxed apps. Please don't.

Managing Gatekeeper

Macs check daily for updates to Apple's malware blacklist, and that check is enabled on every Mac. But if users have administrator privileges (home users do, as do many corporate ones), they can turn off automatic installation of those updates in the App Store system preference. They can also bypass Gatekeeper by selecting the Anywhere option in the General pane of the Security & Privacy system preference or, more simply, by clicking the Open Anyway button that appears there after they try to open an unsigned app.

Gatekeeper isn't really a good solution after all, right? Wrong. IT can manage the policies around Gatekeeper to prevent users from working around it (just as Microsoft offers policy administration for Device Guard).

Apple's $20 OS X Server application is the cheapest way to push such policies to Macs as configuration profiles, though I find its Profile Manager interface daunting to learn. With it, you can take away users' ability to change Gatekeeper's settings, to override Gatekeeper for individual apps, and to disable automatic security-update installation.

You can also manage these OS X policies using mobile management tools from Centrify, Citrix Systems, Good Technology, MobileIron, and VMware -- Apple largely unified its iOS and OS X management APIs in OS X Mavericks and iOS 7, and the smarter mobile management providers realized they could easily bring Macs into their management folds as a result. (I suggest you check out Apple's guide on how to use policy management on Macs and iOS devices.)
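Whatever tool delivers it, the policy itself is a configuration profile. As an added example that is not part of the original article, the script below generates one that turns Gatekeeper on, chooses between "App Store and identified developers" and "App Store only", and removes the Open Anyway override, then installs it with the profiles command. The payload types and keys (com.apple.systempolicy.control with EnableAssessment and AllowIdentifiedDevelopers, com.apple.systempolicy.managed with DisableOverride) are Apple's documented ones; the com.example identifiers and the default UUIDs are placeholders to replace with your own.

```sh
#!/bin/sh
# Added example, not from the article: lock Gatekeeper with a configuration profile.
# Payload keys are from Apple's Configuration Profile Reference:
#   com.apple.systempolicy.control  EnableAssessment, AllowIdentifiedDevelopers
#   com.apple.systempolicy.managed  DisableOverride (removes the Open Anyway button)
# com.example identifiers and the default UUIDs are placeholders (use uuidgen).

# Print a .mobileconfig. $1 is "identified" (App Store + Developer ID, Gatekeeper's
# default) or "appstore" (Mac App Store only); $2..$4 are optional payload UUIDs.
gatekeeper_profile() {
    mode=$1
    uuid=${2:-00000000-0000-4000-8000-000000000001}
    uuid_control=${3:-00000000-0000-4000-8000-000000000002}
    uuid_managed=${4:-00000000-0000-4000-8000-000000000003}
    case $mode in
        identified) allow_dev='<true/>' ;;
        appstore)   allow_dev='<false/>' ;;
        *) echo "usage: gatekeeper_profile identified|appstore [uuid ...]" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.gatekeeper</string>
  <key>PayloadUUID</key><string>$uuid</string>
  <key>PayloadDisplayName</key><string>Gatekeeper policy</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.control</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.gatekeeper.control</string>
      <key>PayloadUUID</key><string>$uuid_control</string>
      <key>EnableAssessment</key><true/>
      <key>AllowIdentifiedDevelopers</key>$allow_dev
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.gatekeeper.managed</string>
      <key>PayloadUUID</key><string>$uuid_managed</string>
      <key>DisableOverride</key><true/>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Install the profile (profiles(1) syntax of the OS X 10.9-10.12 era) and verify.
apply_gatekeeper_profile() {
    command -v profiles >/dev/null 2>&1 || { echo "not macOS: nothing installed" >&2; return 2; }
    dir=$(mktemp -d)
    gatekeeper_profile "$1" > "$dir/gatekeeper.mobileconfig" || return 1
    sudo profiles -I -F "$dir/gatekeeper.mobileconfig"
    rm -rf "$dir"
    spctl --status                          # should print: assessments enabled
    sudo profiles -P | grep -i gatekeeper   # the profile is listed
}

if [ $# -gt 0 ]; then
    apply_gatekeeper_profile "$1"
fi
```

`sh lock-gatekeeper.sh identified` installs the policy most shops want. The Anywhere radio button is just a front end for `spctl --master-disable`; with the managed setting in place it and the Open Anyway button no longer take effect, and `spctl --status` is the quick way to confirm that on any machine.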

Keep out the malware on all Macs and PCs

Gatekeeper and Device Guard both give IT a proactive way to keep out malware, while permitting the installation of legitimate software. Use them!

You should do so on your corporate-issued computers, of course, but I suggest you do the same for users' home computers, too (where feasible). After all, the same mixing of personal and work contexts that so concerns IT about mobile devices exists on computers -- and the risks are much higher. So many employees work from home that the use of policy management on their computers simply makes sense.
