Understanding Gatekeeper security in OS X Mountain Lion

Gatekeeper is a security feature introduced with OS X Mountain Lion. It is designed to protect Mac users from running malicious software by checking apps before they run for the very first time. Instead of asking you for permission to launch an app for the very first time, Gatekeeper will check your security settings to see what sort of apps are allowed to run.

The settings for Gatekeeper are in the Security & Privacy preference pane. Gatekeeper is a blanket name for this security feature, and you will not find the word “Gatekeeper” in the preference pane. Instead, the settings are in the lower portion of the “General” tab, under “Allow applications downloaded from”.

The three options for Gatekeeper are:

Mac App Store: With this choice, only apps downloaded from the Mac App Store will run without any prompt.

Mac App Store and identified developers: Apps downloaded from the Mac App Store and apps from developers registered with Apple are allowed to run.

Anywhere: All apps are allowed to run. This is the same as in prior versions of OS X.

OS X Mountain Lion defaults to “Mac App Store and identified developers”, and this is the recommended setting. When you try to run a file downloaded from the web or not from a developer registered with Apple, Gatekeeper will prevent you from running the file and show a prompt.

In order to run this file, you can perform a quick temporary override of Gatekeeper settings by pressing the Control key while clicking on the file. OS X Mountain Lion will now present you with a different prompt that has an “Open” button to proceed with running the file.

Please note that Gatekeeper only checks a file when it is run for the very first time. After the file has been launched once, there will be no more Gatekeeper checks.

Developers are not forced to register with Apple to be identifiable by Gatekeeper. Apple only recently opened the registration, and it is still unknown whether app developers will choose to register with Apple if they are not selling their apps via the Mac App Store. Thus, an app is not necessarily untrustworthy just because it is not on the Mac App Store or not from an Apple-registered developer. As of this writing, major developers such as Microsoft and Adobe do not sell their apps as Apple-registered developers.

Gatekeeper is not meant to be a cure-all for preventing malicious software. It does, however, encourage you not to run apps that you don’t trust, and it makes you aware before malicious software is accidentally run.