Let’s learn how to enable Gatekeeper on macOS to block apps from unidentified developers. You can configure Gatekeeper from Intune so that only apps downloaded from the Mac App Store or signed by identified developers, plus other trusted software, are allowed to run on managed Macs.
Gatekeeper is a security feature in macOS that helps protect your computer from running potentially harmful applications. By default, Gatekeeper allows you to install and run applications only from the Mac App Store or from identified developers.
However, there might be situations where you want to enforce policies by blocking applications from unidentified developers. In this scenario, you can configure Intune to enable Gatekeeper to block such applications on macOS devices.
The safest place to get apps for your Mac is the App Store. Apple reviews each app in the App Store before it’s accepted and signs it to ensure it hasn’t been tampered with. When you install Mac apps, plug-ins, and installer packages from outside the App Store, macOS checks the Developer ID signature to verify that the software is from an identified developer and that it has not been altered.
You can also use device configuration profiles to manage common endpoint protection security features on devices, including FileVault encryption, the macOS firewall, and Microsoft Defender.
- Manage System Integrity Protection For MacOS Devices Using Intune
- Configure MacOS Compliance Policy In Intune For Devices
Enable Gatekeeper on macOS to Block Unidentified Developers Apps from Intune
By following these steps, you can use Microsoft Intune to configure Gatekeeper on macOS devices, enhancing security by blocking applications from unidentified developers. This helps prevent the installation of potentially malicious or untrusted software on managed macOS devices.
- Sign in to the Microsoft Intune Admin portal https://intune.microsoft.com/.
- Select Devices > macOS > Configuration profiles under macOS policies, and click + New Policy.
If you open the policy from the macOS Configuration profiles view, the Platform (macOS) is selected automatically. Under Profile type, select Templates > Endpoint protection, then select Create to proceed to the next screen.
In Basics, enter a descriptive name for the policy. Name your policies so you can easily identify them later. Enter a description for the policy. This setting is optional, but recommended. Select Next.
Endpoint protection settings control security features on macOS devices, such as FileVault encryption, Gatekeeper, and the firewall. In Configuration settings, scroll down to the Gatekeeper section and expand it to configure the following settings in the endpoint protection profile.
- Allow apps downloaded from these locations – limits the apps a device can launch, depending on where they were downloaded from. The intent is to protect devices from malware by allowing apps only from the sources you trust.
- Not configured (default)
- Mac App Store
- Mac App Store and identified developers (Configured)
- Do not allow user to override Gatekeeper – Prevents users from overriding the Gatekeeper setting by Control-clicking an app to open it. When enabled, users can’t Control-click any app to install it.
- Not configured (default) – Users can Control-click to install apps.
- Yes (Configured) – Prevents users from using Control-click to install apps.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.
A notification appears automatically in the top right-hand corner confirming that the profile “Enable Gatekeeper to Block Apps from Unidentified Developers” was created successfully. The policy is also shown in the profiles list.
Once the endpoint protection policy is created, it takes a few minutes to be pushed to the macOS devices in the assigned group. You can check the deployment status for the targeted devices by clicking the profile under macOS > Configuration profiles.
Once the user has logged in to the macOS device, follow the steps below to check the profile status. If the profile has not been received, you can initiate a manual sync to speed it up.
- Click on the Apple icon at the top-left corner and select System Settings from the list of options.
- Search for Privacy & Security and look for the Gatekeeper setting there. I used a quick search to find out the settings.
- In Security, “App Store and identified developers” should be selected under “Allow applications downloaded from:”
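The same check can be done from Terminal, which is useful when you need to confirm the setting on many devices rather than opening System Settings on each one. The script below is an added example and is not part of the original post or of Intune; it relies on the real macOS `spctl` command (`spctl --status` reports whether Gatekeeper assessments are enabled, and `spctl --assess --type execute -vv <app>` reports whether an app would be allowed and which source it came from). The exact wording of the `spctl` output lines is assumed from recent macOS releases, and the sample output strings embedded below are constructed so the script can also run offline. It also encodes the semantics of the two "Allow apps downloaded from these locations" values described above, so you can compare what the profile should allow with what Gatekeeper actually reports.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Gatekeeper state that
# the Intune endpoint protection profile is meant to enforce, from Terminal.
# The spctl output wording below is an assumption based on recent macOS.

# Classify the output of `spctl --status`: prints enabled, disabled or unknown.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Classify the verbose output of `spctl --assess --type execute -vv <app>`.
# Prints one of: app-store, developer-id (covers notarized Developer ID too),
# apple-system, rejected, unknown.
classify_assessment() {
    case "$1" in
        *"accepted"*"source=Mac App Store"*) echo "app-store" ;;
        *"accepted"*"source="*"Developer ID"*) echo "developer-id" ;;
        *"accepted"*"source=Apple System"*)  echo "apple-system" ;;
        *"rejected"*)                        echo "rejected" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Map the Intune setting to the sources it permits:
#   app-store                -> "Mac App Store"
#   app-store-and-identified -> "Mac App Store and identified developers"
# Prints yes if Gatekeeper should let an app from the given source run.
policy_allows() {
    setting="$1"
    source="$2"
    case "$setting:$source" in
        "app-store:app-store")                          echo "yes" ;;
        "app-store-and-identified:app-store")           echo "yes" ;;
        "app-store-and-identified:developer-id")        echo "yes" ;;
        *)                                              echo "no" ;;
    esac
}

# Live check on a Mac; elsewhere, demonstrate with constructed sample output.
run_demo() {
    # The Intune value this device is expected to have (assumed for the demo).
    expected_setting="app-store-and-identified"
    if [ "$(uname)" = "Darwin" ] && command -v spctl >/dev/null 2>&1; then
        status_out=$(spctl --status 2>&1 || true)
        # Safari is a realistic, always-present target for the assessment.
        assess_out=$(spctl --assess --type execute -vv /Applications/Safari.app 2>&1 || true)
    else
        # Constructed sample output, in the shape spctl prints on macOS.
        status_out="assessments enabled"
        assess_out="/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID1234)"
    fi
    state=$(gatekeeper_state "$status_out")
    source=$(classify_assessment "$assess_out")
    echo "Gatekeeper assessments: $state"
    echo "App source: $source"
    echo "Profile ($expected_setting) should allow it: $(policy_allows "$expected_setting" "$source")"
}

run_demo
```

If `gatekeeper_state` reports `disabled` after the profile should have arrived, the device has not yet received the policy (trigger a manual sync) or Gatekeeper was turned off locally, which the "Do not allow user to override Gatekeeper" setting is meant to prevent. A `rejected` result for an app the user expects to run is Gatekeeper working as configured, not a deployment failure.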
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.