Mac notarization: Everything Mac admins need to know
Mac notarization is a method of ensuring that apps and other executables are free of known threats.
Dec 2, 2021
8 min read
If you are a Mac user, you have probably heard the name Gatekeeper at least once. Most Mac users have heard of Gatekeeper but have very little idea of what it is or what it does. As the name suggests, Gatekeeper acts as a security guard for apps. But before we get into the details of Gatekeeper, we need to understand what file quarantine on a Mac means.
The process of tagging apps, files, or documents downloaded from the internet is known as file quarantining. The tag, also called the quarantine flag, is applied to the file by the app that downloads it, such as a web browser or mail app. Flagging is not mandatory, however, and many third-party app stores and installers don't flag the files they download.
The point of flagging files is to let the system know that they were downloaded from an unknown source and might be harmful. When a user tries to open a quarantined file, the system warns that the file is from an unknown source and might contain malicious content. The file is opened only if the user acknowledges the warning.
File quarantine was introduced in 2007 with the OS X 10.5 Leopard update. On its own it was not very effective, because users were only shown a warning, and once they acknowledged it the file could be opened. With subsequent updates, more features were built on top of file quarantine, and Gatekeeper was one of them.
Gatekeeper was introduced with the OS X 10.8 Mountain Lion update. It lets users specify what kind of apps can be installed on their Macs (App Store apps only, or also apps downloaded from elsewhere). Using the settings, users could restrict app installation to the App Store alone or also allow apps from identified developers.
Gatekeeper comes into play when apps are allowed from outside the Mac App Store. When a third-party app, plug-in, or installer package downloaded from outside the store is opened, Gatekeeper steps in. Gatekeeper offers two main settings: 1) Allow apps only from the App Store and 2) Allow apps from the App Store and identified developers. Earlier versions of macOS had a third setting, Allow apps from anywhere.
By default, the setting is Allow apps from App Store and identified developers; the most restrictive setting is Allow apps from App Store. Apps from the App Store are considered the most secure and are always safe to use, because before approval each app is tested by Apple itself for malware and other malicious content.
That is not the case for third-party apps, but Apple is not willing to endanger devices by letting malicious apps run. So, to vet third-party apps, the apps have to be code signed, meaning the app must be signed with a Developer ID certificate that Apple issues to trusted developers.
When a third-party app is opened on a Mac, Gatekeeper checks its code signature and allows it to run only if the details are verified. If Gatekeeper fails to verify them, a warning is shown saying the app is not from a trusted source and cannot be installed.
With the introduction of notarization, users can be more confident when installing third-party applications. Notarization is the process by which Apple scans an app for known malicious threats and verifies its code signature. If an app passes, it is given a notarization ticket (the notarized badge) that can be attached to the app when it is distributed.
When third-party apps, plug-ins, extensions, etc. are opened on a Mac for the first time, Gatekeeper checks for the notarization ticket. If it is present, Gatekeeper allows the app or file to open immediately without raising any warning. If the file lacks a notarization ticket, Gatekeeper falls back to verifying the integrity of the code signature.
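As an added example (not Hexnode's code and not Apple's), here is a small shell script an admin can use to see what the paragraphs above describe on a real app: whether the quarantine flag is set and which app downloaded the file, what the code signature check says, and whether Gatekeeper accepts the app and why. The two parse functions work on captured text and are exercised on constructed samples, so they run anywhere; the audit function wraps the real macOS commands xattr, codesign, spctl and stapler and only runs on a Mac. The sample app paths, team ID and UUID are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Hexnode's code or Apple's): inspect the quarantine flag
# and the Gatekeeper verdict for an app bundle. parse_quarantine and
# gatekeeper_verdict work on captured text, so they run anywhere; audit_app
# wraps the real macOS tools (xattr, codesign, spctl, stapler) and only
# runs on a Mac. Sample values below are constructed, not captured.

# Decode a com.apple.quarantine attribute value. The value written by
# browsers and mail clients has four ';'-separated fields:
#   flags(hex);download-time(hex seconds since epoch);downloading agent;uuid
parse_quarantine() {
    printf '%s\n' "$1" | {
        IFS=';' read -r flags ts agent uuid
        [ -n "$ts" ] || ts=0
        printf 'agent=%s downloaded_at=%d flags=%s uuid=%s\n' \
            "${agent:-unknown}" "$((0x$ts))" "${flags:-none}" "${uuid:-none}"
    }
}

# Reduce the output of `spctl --assess --type execute -vv <app>` (read from
# stdin) to "verdict|source", e.g. "accepted|Notarized Developer ID" or
# "rejected|no usable signature". The first line is "<path>: accepted" or
# "<path>: rejected"; a later "source=..." line says why.
gatekeeper_verdict() {
    out=$(cat)
    verdict=$(printf '%s\n' "$out" | sed -n '1s/.*: //p')
    source=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    printf '%s|%s\n' "${verdict:-unknown}" "${source:-none}"
}

# Full audit of one app on macOS: quarantine flag, signature integrity,
# Gatekeeper assessment, stapled notarization ticket, and whether
# assessment is enabled at all (the state that `spctl --master-disable` turns off).
audit_app() {
    app="$1"
    if [ "$(uname -s)" != Darwin ]; then
        echo "audit_app: needs the macOS tools" >&2
        return 2
    fi
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        parse_quarantine "$q"
    else
        echo "no quarantine flag set"
    fi
    codesign --verify --deep --strict --verbose=2 "$app" 2>&1
    spctl --assess --type execute -vv "$app" 2>&1 | gatekeeper_verdict
    xcrun stapler validate "$app" 2>&1       # needs the Xcode command-line tools
    spctl --status                           # "assessments enabled" is the safe state
}

# Constructed sample values (not captured from a real machine)
SAMPLE_QUARANTINE='0081;61a8f2c0;Safari;A1B2C3D4-0000-4000-8000-000000000001'
SAMPLE_SPCTL_OK='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_SPCTL_BAD='/Users/me/Downloads/Dropped.app: rejected
source=no usable signature'

# With an app path, run the real audit; with no arguments, exercise the
# parsers on the constructed samples.
if [ $# -gt 0 ]; then
    audit_app "$1"
else
    parse_quarantine "$SAMPLE_QUARANTINE"
    printf '%s\n' "$SAMPLE_SPCTL_OK"  | gatekeeper_verdict
    printf '%s\n' "$SAMPLE_SPCTL_BAD" | gatekeeper_verdict
fi
```

Run it on a Mac as `sh audit.sh /Applications/Example.app`. A verdict of accepted with source Notarized Developer ID corresponds to the notarized case described above; rejected with source no usable signature is the case where Gatekeeper shows its warning. The downloaded_at field is the quarantine timestamp as a Unix epoch, which is useful when correlating a suspicious file with browser or mail history.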
To configure Gatekeeper, follow these steps:
Although it is not recommended, Gatekeeper can be bypassed in multiple ways. Bypassing Gatekeeper lets users install apps downloaded from anywhere, and if Gatekeeper is switched off entirely, not even a warning message is displayed. Switching it off is done from the Terminal with the following command:
sudo spctl --master-disable
Press Return. Enter the admin credentials if asked and press Return again. The Anywhere option will now be available and selected under Allow apps from in the General tab of System Preferences.
When it first launched, Gatekeeper only worked on files and executables that carried the quarantine flag. This was not enough to keep devices safe, since a file without the quarantine flag could walk straight past Gatekeeper. Downloading a file without a quarantine flag is not much of a challenge, and removing the flag is not a big task either.
Later, Gatekeeper was upgraded to check all apps regardless of their source. But problems kept being reported: security researchers found minor bugs and exploitable flaws through which malware could be slipped onto a system.
Gatekeeper doesn't perform runtime checks on apps, which can cause serious problems if a malicious app posing as a benign one gets past the initial check. It also only watches for known threats, not new ones.
But Apple doesn't compromise on security, so it has released many Gatekeeper updates, each resolving the bugs known at the time. Apple is working to make Gatekeeper a standard for app-level security.
In an organization with more than 10-20 devices, setting up Gatekeeper on each device one by one is no easy task. That is where a UEM like Hexnode comes in. With a UEM, configuring Gatekeeper settings on multiple devices is simple: it takes only a few clicks to configure Gatekeeper for a few hundred or a few thousand devices.
A UEM can not only switch Gatekeeper on but also switch it off completely. This comes in handy for organizations that use a lot of in-house apps. In-house apps are built for use inside the organization, and most organizations don't bother to code sign or notarize them.
Apple usually allows third-party kernel or system extensions only if they are notarized, but kernel and system extensions pushed to devices through a UEM need not be notarized. This is useful because organizations don't have to wait for the extensions they need to be notarized before using them internally, which can save a lot of time.
In conclusion, even though Gatekeeper might be annoying at times, it helps keep your device safe, at least from known threats. It is always recommended to keep Gatekeeper switched on and not to bypass it unless absolutely necessary.