
Apple @ Work: Gatekeeper on macOS ensures safety and security on all apps – even non–App Store apps

Apple @ Work is brought to you by Jamf, the only company in the world that provides complete management and security solutions that are enterprise secure, consumer simple, and protect personal privacy. Today, more than 62,000 organizations trust Jamf to manage and secure more than 27 million devices worldwide. Learn more.

In Apple’s dream world, the only way to install apps on macOS would be through the Mac App Store. Apple loves the control that the App Store model gives them, but they also love the security it brings users. On iOS, Apple got its wish with an App Store-only world (for now), but that isn’t possible on macOS because many types of applications can’t be sandboxed. So in order to bring security and safety to Mac users everywhere, macOS Gatekeeper was invented, and it’s been a resounding success.

About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, and train users, along with stories from the trenches of IT management and ways Apple could improve its products for IT departments.


Downsides of Mac App Store for business apps

Is there a downside to putting your app on the Mac App Store outside of sandboxing rules? Business-wise, yes, there is. When you’re in the Mac App Store, you’ll rely on Apple to approve updates. If your app is paid, you’ll pay the “Apple tax” of 30% for any paid downloads. Your options for upgrade pricing are limited as well.

Benefits of the Mac App Store

For enterprise apps, being part of the Mac App Store makes it a lot easier for your customers to deploy apps to their fleet of Macs. The Mac App Store is built into Apple Business Manager and Apple School Manager, so it’s turnkey to deploy these apps to the mobile device management system of your choice. If you change MDMs in the future, it’ll be trivial to migrate these app licenses as well.

From a security perspective, Apple reviews each app on the Mac App Store before it’s released and signs it to ensure that the code hasn’t been tampered with or altered. If there’s ever a problem with an app, Apple can quickly remove it from the store.

Enter macOS Gatekeeper


A few years ago, Apple released a piece of technology called macOS Gatekeeper that’s designed to ensure that only trusted software runs on your Mac. Unlike the Mac App Store, Apple doesn’t have to approve your app or future updates. macOS Gatekeeper allows you to sell your app on your website, offer a download for a SaaS app, or use whatever distribution method works best.

Starting with macOS Catalina, the default experience requires software to be notarized by Gatekeeper. macOS Gatekeeper allows IT managers and home users to be confident that the software they run on their Macs doesn’t contain known malware. Unlike access to the Mac App Store developer portal, Gatekeeper signing is completely free for developers, who get it by requesting a Developer ID.


Are there downsides to forcing macOS Gatekeeper on end-users?

From an IT perspective, I can think of no reason not to force a macOS Gatekeeper requirement as the only option. For unmanaged Macs, it’s possible to disable it, but if you turn it off on Macs managed by an enterprise IT department, you’re getting very little return on this change. You’re opening up your Macs to malware when the vast majority of popular Mac apps are going digitally signed with macOS Gatekeeper.
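One way for an IT team to check this on a managed Mac, as an added example that is not part of the original article: it confirms that Gatekeeper assessments are enabled and labels each app by the verdict and `source=` line that `spctl --assess` reports. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Gatekeeper enforcement and per-app verdicts with spctl.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/Unsigned.app: rejected
source=no usable signature'

# Succeeds only when the text from `spctl --status` says Gatekeeper is on.
status_is_enforcing() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads one `spctl --assess -vv` result on stdin and prints an audit label.
classify_assessment() {
    awk '
        /: accepted$/ { verdict = "accepted" }
        /: rejected/  { verdict = "rejected" }
        /^source=/    { src = substr($0, 8) }
        END {
            if (verdict == "rejected")               print "rejected"
            else if (verdict != "accepted")          print "unknown"
            else if (src == "Mac App Store")          print "app-store"
            else if (src == "Notarized Developer ID") print "notarized"
            else                                      print "accepted-other"
        }'
}

# Labels every .app bundle in a directory (spctl reports on stderr).
audit_apps() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        label=$(spctl --assess --type execute -vv "$app" 2>&1 | classify_assessment)
        printf '%s\t%s\n' "$label" "$app"
    done
}

# Only runs the live audit where spctl exists (that is, on macOS).
if command -v spctl >/dev/null 2>&1; then
    status_is_enforcing "$(spctl --status 2>&1)" ||
        echo "WARNING: Gatekeeper assessments are disabled"
    audit_apps /Applications
fi
```

Apps labelled `rejected` or `unknown` are the ones to review before they stay on a managed fleet.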

When Apple released macOS Gatekeeper, many people in the Apple community thought this was the beginning of the end of non–App Store apps, but Apple has continued to invest in technology that gives safety and security to non–Mac App Store apps.


