Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune

Let’s learn how you can enable Gatekeeper on macOS to block apps from unidentified developers. You can configure Gatekeeper from Intune so that only apps downloaded from the Mac App Store or from identified developers, along with other trusted software, are allowed to run on your Mac.

Gatekeeper is a security feature in macOS that helps protect your computer from running potentially harmful applications. By default, Gatekeeper allows you to install and run applications only from the Mac App Store or from identified developers.

However, there might be situations where you want to enforce policies by blocking applications from unidentified developers. In this scenario, you can configure Intune to enable Gatekeeper to block such applications on macOS devices.

The safest place to get apps for your Mac is the App Store. Apple reviews each app in the App Store before it’s accepted and signs it to ensure it hasn’t been tampered with. When you install Mac apps, plug-ins, and installer packages from outside the App Store, macOS checks the Developer ID signature to verify that the software is from an identified developer and that it has not been altered.


You can also use device configuration profiles to manage common Endpoint protection security features on devices, including FileVault encryption, the macOS firewall, and Microsoft Defender.

Enable Gatekeeper on macOS to Block Unidentified Developers Apps from Intune

By following these steps, you can use Microsoft Intune to configure Gatekeeper on macOS devices, enhancing security by blocking applications from unidentified developers. This helps prevent the installation of potentially malicious or untrusted software on managed macOS devices.

  • Sign in to the Microsoft Intune Admin portal https://intune.microsoft.com/.
  • Select Devices > macOS > Configuration profiles under macOS policies, and click + New Policy.
Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune Fig.1

If you are already inside the macOS Configuration profiles blade, the Platform (macOS) is selected automatically. Under Profile type, select Templates > Endpoint protection, then select Create to proceed to the next screen.

Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune Fig.2

In Basics, enter a descriptive name for the policy. Name your policies so you can easily identify them later. Enter a description for the policy. This setting is optional, but recommended. Select Next.

Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune Fig.3

Endpoint protection settings control security on macOS devices, such as FileVault encryption, Gatekeeper, and the Firewall. In Configuration settings, scroll down to the Gatekeeper section and expand it to configure the following settings through the macOS endpoint protection device configuration profile in Intune.

  • Allow apps downloaded from these locations – limit the apps a device can launch, depending on where the apps were downloaded from. The intent is to protect devices from malware, and allow apps from only the sources you trust.
    • Not configured (default)
    • Mac App Store
    • Mac App Store and identified developers (Configured)
    • Anywhere
  • Do not allow user to override Gatekeeper – Prevents users from overriding the Gatekeeper setting. When enabled, users can’t Control-click an app to install it despite Gatekeeper blocking it.
    • Not configured (default) – Users can Control-click to install apps.
    • Yes (Configured) – Prevents users from using Control-click to install apps.
Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune Fig.4
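The two Intune settings above map onto the Gatekeeper keys in Apple’s configuration profile payloads. As an added example (not part of the original post or of Intune’s own tooling), the following script builds a minimal Gatekeeper profile for a given choice and audits an exported .mobileconfig, flagging the weak combinations; it assumes Apple’s documented payload types com.apple.systempolicy.control (EnableAssessment, AllowIdentifiedDevelopers) and com.apple.systempolicy.managed (DisableOverride), and the PayloadIdentifier values are placeholders.

```python
import plistlib

# Apple's Gatekeeper payload types and keys; assumed here to be what the
# Intune "Gatekeeper" settings write (Intune generates the profile itself).
CONTROL = "com.apple.systempolicy.control"   # "Allow apps downloaded from"
MANAGED = "com.apple.systempolicy.managed"   # "Do not allow user to override"

def build_profile(enable_assessment, allow_identified, disable_override):
    """Construct a minimal .mobileconfig (XML plist bytes) for these settings."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.gatekeeper",  # placeholder identifier
        "PayloadContent": [
            {"PayloadType": CONTROL, "PayloadIdentifier": "example.control",
             "EnableAssessment": enable_assessment,
             "AllowIdentifiedDevelopers": allow_identified},
            {"PayloadType": MANAGED, "PayloadIdentifier": "example.managed",
             "DisableOverride": disable_override},
        ],
    })

def gatekeeper_source(control):
    """Map the control payload back to the Intune dropdown wording.
    A missing key is treated as False (the stricter reading for an audit)."""
    if not control.get("EnableAssessment", False):
        return "Anywhere"                     # assessment off: nothing is checked
    if control.get("AllowIdentifiedDevelopers", False):
        return "Mac App Store and identified developers"
    return "Mac App Store"

def audit_profile(mobileconfig_bytes):
    """Return (source, override_blocked, findings) for a profile."""
    profile = plistlib.loads(mobileconfig_bytes)
    control, managed = {}, {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == CONTROL:
            control = payload
        elif payload.get("PayloadType") == MANAGED:
            managed = payload
    source = gatekeeper_source(control) if control else "Not configured"
    override_blocked = bool(managed.get("DisableOverride", False))
    findings = []
    if source in ("Anywhere", "Not configured"):
        findings.append("Gatekeeper assessment is not enforced by this profile")
    if not override_blocked:
        findings.append("DisableOverride not set: users can Control-click past Gatekeeper")
    return source, override_blocked, findings

if __name__ == "__main__":
    # The article's configuration: App Store + identified developers, no override.
    print(audit_profile(build_profile(True, True, True)))
```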

In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune Fig.5

A notification appears automatically in the top right-hand corner confirming that the profile “Enable Gatekeeper to Block Apps from Unidentified Developers” was created successfully. The policy is also shown in the profiles list.

Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune Fig.6

Once the endpoint protection policy is created, it takes a few minutes to be pushed to the macOS devices in the assigned group. You can check the deployment status for the targeted devices by clicking on the profile under macOS > Configuration profiles.

Once the user successfully logs in to the macOS device, you can follow the steps below to check the profile status. You can also initiate a manual sync to speed things up if the profile has not been received.

  • Click on the Apple icon at the top-left corner and select System Settings from the list of options.
  • Search for Privacy & Security and look for the Gatekeeper setting there. I used a quick search to find the setting.
  • In Security, “App Store and identified developers” should be selected under “Allow applications downloaded from:”
Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune Fig.7


Author

About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

2 thoughts on “Enable Gatekeeper on macOS to Block Unidentified Developers Apps using Intune”

  1. This is the new way:
    https://learn.microsoft.com/en-us/mem/solutions/end-to-end-guides/macos-endpoints-get-started?tabs=esso

    ✅ Configure Gatekeeper

    Gatekeeper makes sure that only trusted software runs on the device. The Gatekeeper settings are built into the Intune settings catalog and are available as compliance policies.

    So, you can configure Gatekeeper, check for compliance, and deploy the policies to your devices.

    To create these policies, in the Intune admin center, go to:

    Devices > Manage devices > Configuration > Create > New policy > Settings catalog > System policy > System Policy Control:
      • Allow Identified Developer: Select True.
      • Enable Assessment: Select True.

    Devices > Manage devices > Configuration > Create > New policy > Settings catalog > System policy > System Policy Managed:
      • Disable Override: Select True.

    Devices > Manage devices > Compliance > Create policy > System Security > Gatekeeper

    For more information about Gatekeeper, go to:

    Use the settings catalog to configure settings in Microsoft Intune
    Gatekeeper and runtime protection in macOS (opens Apple’s website)

