Gatekeeper (macOS Security Feature)

Gatekeeper is a macOS security feature that restricts the execution of applications to those from trusted sources, helping prevent the installation of malicious software.

What is Gatekeeper?

Gatekeeper is a built-in macOS security mechanism designed to protect users from running untrusted or malicious software. Before allowing an application to run, it verifies that the application is signed with a valid Apple Developer ID and, where required, notarized by Apple. Gatekeeper applies primarily to software downloaded from the internet, including DMG, PKG, and ZIP-based installers.

Why Gatekeeper matters

Gatekeeper plays a critical role in macOS security because it:

  • Blocks execution of unsigned or tampered applications
  • Reduces the risk of malware delivered via phishing or fake installers
  • Enforces Apple's code-signing and notarization ecosystem
  • Provides users with clear warnings before running risky software

In enterprise environments, Gatekeeper is a first line of defense against macOS malware.

How Gatekeeper works

When a user opens an application downloaded from the internet:

  1. macOS checks the file's quarantine attribute
  2. Gatekeeper verifies the digital signature
  3. Apple's notarization service is consulted (if applicable)
  4. Execution is allowed, blocked, or allowed only after the user acknowledges a warning

If any check fails, macOS prevents the app from launching by default.
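The first two steps above can be reproduced by an administrator triaging a downloaded file. The following script is an added example, not part of this page or of Apple's tooling: it decodes the com.apple.quarantine attribute (a `flags;hex-timestamp;agent;uuid` string) and asks the system policy daemon via `spctl` whether execution would be permitted. The `xattr` and `spctl` calls only work on macOS; the parser itself runs anywhere, and the sample attribute value in the test is constructed.

```python
"""Triage a downloaded file the way Gatekeeper's first checks do:
read its quarantine attribute, then ask spctl for the execution verdict."""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class QuarantineInfo:
    flags: int               # raw flag bits; Apple does not document their meaning
    downloaded_at: datetime  # when the downloading app wrote the attribute
    agent: str               # app that wrote it, e.g. Safari or curl ("" if absent)
    uuid: str                # key into the LSQuarantineEvent database ("" if absent)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the 'flags;hex-timestamp;agent;uuid' string stored in
    com.apple.quarantine. Agent and uuid are optional in older entries."""
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    flags = int(fields[0], 16)
    stamp = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    agent = fields[2] if len(fields) > 2 else ""
    uuid = fields[3] if len(fields) > 3 else ""
    return QuarantineInfo(flags, stamp, agent, uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the quarantine attribute of path, or None if it has none.
    A file without the attribute never triggers Gatekeeper's download checks."""
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    return parse_quarantine(proc.stdout) if proc.returncode == 0 else None


def gatekeeper_verdict(path: str) -> Tuple[bool, str]:
    """Ask the system policy daemon whether path may execute.
    spctl exits 0 when the item is accepted and non-zero when rejected;
    the text explains the source of the decision (e.g. a notarized Developer ID)."""
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "--verbose=2", path],
        capture_output=True, text=True)
    return proc.returncode == 0, (proc.stderr + proc.stdout).strip()


if __name__ == "__main__":
    target = sys.argv[1]
    print("quarantine:", read_quarantine(target))
    print("verdict:", gatekeeper_verdict(target))
```

Run it as `python3 triage.py /path/to/Downloaded.app` on a Mac; a missing quarantine attribute on a freshly downloaded file is itself worth investigating, since Gatekeeper will not assess it.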

Gatekeeper and notarization

In recent macOS versions:

  • Most third-party apps must be notarized by Apple
  • Notarization involves automated malware scanning by Apple
  • Notarized apps can still be malicious if abused after approval

Gatekeeper relies on notarization but does not replace endpoint security tools.

Gatekeeper as a security control

Gatekeeper helps mitigate:

  • Malware distributed via trojanized DMG or PKG files
  • Drive-by downloads and fake software updates
  • Unsigned or altered binaries
  • Some supply-chain attacks involving tampered installers

However, Gatekeeper is not foolproof and can be bypassed under certain conditions.

Common Gatekeeper bypass techniques

Attackers may attempt to:

  • Trick users into manually overriding Gatekeeper warnings
  • Abuse signed but malicious applications
  • Exploit misconfigurations or older macOS versions
  • Use scripts or living-off-the-land techniques after initial execution

For this reason, Gatekeeper should be combined with EDR and MDM policies.

Gatekeeper vs XProtect vs SIP

These macOS security features complement each other:

  • Gatekeeper: controls app execution
  • XProtect: detects known malware signatures
  • System Integrity Protection (SIP): protects critical system files

Together, they form macOS's baseline security model.

Managing Gatekeeper in enterprise IT

Administrators can:

  • Enforce Gatekeeper settings via MDM
  • Restrict execution to App Store and identified developers
  • Monitor blocked application events
  • Combine Gatekeeper with device compliance policies

Disabling Gatekeeper globally is strongly discouraged.

Common misconceptions

  • "Gatekeeper blocks all macOS malware"
  • "Notarized apps are always safe"
  • "Gatekeeper replaces antivirus or EDR"
  • "Advanced users should disable Gatekeeper"