Gatekeeper: Securing the Enterprise One App at a Time

Robert Hammen, Tushaus Computer Services, Apple Field Engineer

What is Gatekeeper?

When I think of Gatekeeper… (slide image)

- Introduced with OS X 10.8 (Mountain Lion); the underlying spctl binary shipped quietly in OS X 10.7.3 and the System Preferences control in 10.7.5
- Builds on the download quarantine system introduced in OS X 10.5

- A combination of certificates/code signing and a policy database that controls which applications are allowed to be opened on a system
- Developers can sign their apps with a Developer ID certificate
- OS X can tell if a signed app has been modified or tampered with since it was signed
- More than just a "blacklist" of known bad/rogue apps (that is XProtect's job); Gatekeeper decides by where an app came from and who signed it

How to Configure Gatekeeper

System Preferences - Security &amp; Privacy - General: "Allow applications downloaded from:" Mac App Store / Mac App Store and identified developers / Anywhere


Screenshots of the user experience:
- Opening an unsigned app: the "can't be opened because it is from an unidentified developer" dialog
- Right/Control-click > Open bypass
- Confirming you want to bypass
- Opening an unsigned Installer package
- Confirming you want to bypass
- "Mac App Store" only: the error message for an app not downloaded from the Mac App Store

Diving Under the Hood: How Does It Work?

- spctl (system policy control):
  - spctl --status: report whether assessments are enabled
  - spctl --master-disable: turn it off (i.e. "Anywhere")
  - spctl --master-enable: turn it back on (restores the last-used setting)
- Files in /var/db:
  - SystemPolicy-prefs.plist: the on/off preference
  - SystemPolicy: the rule database (SQLite)
  - .SystemPolicy-default: the pristine copy used when the rules are reset
- syspolicyd: the daemon that performs the assessments
- codesign: the tool that signs and verifies application bundles

- Gatekeeper only evaluates items that carry the com.apple.quarantine extended attribute (the "quarantine bit")
  - Set by quarantine-aware apps such as Safari and Mail on web downloads
  - Not set on files fetched with curl or copied over AFP/SMB, so those items are never assessed
- Once an app is allowed, it's always allowed unless you reset the database or delete the rule
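The two slides above describe the mechanism in words; the following shell script is an added example (it is not from the talk and not an Apple tool) that makes it concrete: it decodes the four fields of a com.apple.quarantine attribute, reduces the output of spctl --assess to a verdict and source, and wraps the spctl rule commands behind "once allowed, always allowed". The sample attribute value, the UUID, the label "Approved by IT" and the spctl output lines quoted in the comments are constructed placeholders; the --verbose output shape ("path: accepted" followed by "source=...") is as I recall it from 10.8 and should be confirmed on your own build.

```shell
#!/bin/sh
# Added example (not from the talk): what Gatekeeper looks at on OS X 10.8.
# The quarantine "bit" is an extended attribute whose value has four
# semicolon-separated fields: flags (hex), download time (hex seconds since
# the Unix epoch), the app that downloaded the item, and an event UUID that
# points into LaunchServices' quarantine-events database.

# decode_quarantine VALUE: print the fields of a com.apple.quarantine value.
decode_quarantine() {
  IFS=';' read -r flags stamp agent uuid <<EOF
$1
EOF
  printf 'flags=%s downloaded_epoch=%d agent=%s uuid=%s\n' \
    "$flags" "$((0x$stamp))" "$agent" "$uuid"
}

# show_quarantine PATH: read the attribute from a real item (macOS only).
# Items fetched with curl or copied from an AFP/SMB share carry no attribute,
# so xattr fails and Gatekeeper will never assess them.
show_quarantine() {
  value=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || {
    echo "no quarantine attribute: Gatekeeper will not assess $1"
    return 1
  }
  decode_quarantine "$value"
}

# summarize_assessment TEXT: reduce `spctl --assess --verbose` output
# ("/path/Foo.app: accepted" + "source=Developer ID", or "rejected" +
# "source=no usable signature") to "verdict (source)".
summarize_assessment() {
  verdict=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
  origin=$(printf '%s\n' "$1" | sed -n 's/^source=//p')
  printf '%s (%s)\n' "$verdict" "$origin"
}

# assess PATH [execute|install]: run the real assessment (macOS only).
# Apps are assessed as "execute", flat installer packages as "install".
assess() {
  summarize_assessment "$(spctl --assess --verbose --type "${2:-execute}" "$1" 2>&1)"
}

# Rule management (needs root). The Control-click "Open" bypass is recorded
# as an allow rule in /var/db/SystemPolicy, which is why it sticks; spctl --add
# writes the same kind of rule from a script, and the rule persists until it is
# removed or the database is reset from .SystemPolicy-default. Label is a
# placeholder.
approve_item() { spctl --add --label "${2:-Approved by IT}" "$1"; }
revoke_label() { spctl --remove --label "$1"; }

# Constructed sample value (not captured from a real Mac), as Safari would
# write it for a download on 12 Dec 2012.
SAMPLE_XATTR='0081;50c7e9d0;Safari;0E4B1A3E-0000-4000-8000-000000000000'
decode_quarantine "$SAMPLE_XATTR"
```

On a Mac, `show_quarantine ~/Downloads/Foo.app` followed by `assess ~/Downloads/Foo.app` shows the two facts Gatekeeper combines: whether the item is quarantined at all, and what its signature says about its origin. Removing the attribute with `xattr -d com.apple.quarantine` is the other way an item stops being assessed, which is worth remembering when reading an inventory of "approved" apps.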

Example results (screenshots of the command output)

Determining Gatekeeper Status

- Extension attribute for the JSS: https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=596
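As an added example (it is not the script linked above, whose contents may differ), here is a minimal extension attribute of that kind: it runs spctl --status and reports the answer in the <result> form the JSS stores in inventory. The mapping is kept in its own function so it can be checked against constructed spctl output; the only assumption is that 10.8's spctl prints "assessments enabled" or "assessments disabled".

```shell
#!/bin/sh
# Added example (not the JAMF Nation script): a Casper extension attribute
# that reports Gatekeeper's state. The JSS stores whatever the script prints
# between <result> tags in the computer's inventory record, so the value can
# be searched and used as a smart-group criterion for Macs with it disabled.

# gatekeeper_state TEXT: map the output of `spctl --status` to one word.
# OS X 10.8 prints "assessments enabled" or "assessments disabled"; anything
# else (older OS, missing binary) is reported as Unknown rather than guessed.
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo "Enabled" ;;
    *"assessments disabled"*) echo "Disabled" ;;
    *)                        echo "Unknown" ;;
  esac
}

# result_tag WORD: wrap a value in the form the JSS expects.
result_tag() { printf '<result>%s</result>\n' "$1"; }

# `|| true` keeps a Mac without /usr/sbin/spctl (pre-10.7.3) from aborting
# the whole inventory run; such a Mac is simply reported as Unknown.
status=$(/usr/sbin/spctl --status 2>&1 || true)
result_tag "$(gatekeeper_state "$status")"
```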

- Results appear in the computer's inventory record

Disabling Gatekeeper

- Should you? "That depends": test in your environment first
- Terminal: spctl --master-disable
- Profile Manager / configuration profile (the Security &amp; Privacy payload)
- Script on JAMF Nation: https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=589

Signing Packages
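For the Profile Manager / configuration profile route, here is an added example (not from the talk and not a Profile Manager export) that writes the System Policy Control payload by hand, so the disabling profile can be seen next to the recommended one. The payload type com.apple.systempolicy.control and its EnableAssessment and AllowIdentifiedDevelopers keys are Apple's documented keys for this payload; the identifiers com.example.gatekeeper* and the UUIDs are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the talk): generate a .mobileconfig that sets
# Gatekeeper policy. EnableAssessment turns Gatekeeper on or off (off is the
# "Anywhere" setting); AllowIdentifiedDevelopers selects "Mac App Store and
# identified developers" (true) versus "Mac App Store" only (false).
# Identifiers and UUIDs below are placeholders.

# plist_bool yes|no: render a shell yes/no as a plist boolean element.
plist_bool() {
  case "$1" in
    yes|true|1) echo '<true/>' ;;
    *)          echo '<false/>' ;;
  esac
}

# gatekeeper_profile ENABLE IDENTIFIED: print the profile to stdout.
#   gatekeeper_profile yes yes  -> recommended: App Store + identified developers
#   gatekeeper_profile no  yes  -> the "Anywhere" (disabled) state this slide warns about
gatekeeper_profile() {
  enable=$(plist_bool "$1")
  identified=$(plist_bool "$2")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>com.example.gatekeeper</string>
  <key>PayloadUUID</key><string>7A4C2D1E-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Gatekeeper policy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.control</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.gatekeeper.control</string>
      <key>PayloadUUID</key><string>7A4C2D1E-0000-4000-8000-000000000002</string>
      <key>EnableAssessment</key>$enable
      <key>AllowIdentifiedDevelopers</key>$identified
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Running the file prints the recommended profile; pass "no yes" for the
# disabling one. On a Mac: gatekeeper_profile yes yes > gatekeeper.mobileconfig
# then sudo profiles -I -F gatekeeper.mobileconfig, and spctl --status to confirm.
gatekeeper_profile "${1:-yes}" "${2:-yes}"
```

Deploying the setting as a profile rather than a one-off `spctl --master-disable` has the advantage that the state is visible in the JSS and can be reverted by removing the profile; a user running `spctl --master-disable` locally is exactly what the extension attribute on the previous slide is there to catch.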

- Need to join the Mac Developer Program ($99)
  - Lets you request Developer ID Application and/or Developer ID Installer certificates
  - Also gets you access to developer seeds and to devforums.apple.com
- Generate your Certificate Signing Request in Keychain Access, submit it, download the generated certificates onto your Mac and import them into your keychain
- Keep the certificate files handy (and back up the private key: it exists only in the keychain where the CSR was generated)

Keychain Access - Certificates (screenshot)

- productsign command:
  productsign --sign 'Developer ID Installer: MyCompany' MyPackage.pkg MySignedPackage.pkg
- pkgutil command (to edit a package before signing it):
  pkgutil --expand MyPackage.pkg MyPackage_edit
  (edit the expanded contents)
  pkgutil --flatten MyPackage_edit MyNewPackage.pkg
  then run productsign on MyNewPackage.pkg if necessary

productsign (screenshot)

Verifying a package is signed (screenshot)

Gatekeeper and the Casper Suite
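The expand / edit / flatten / productsign sequence from the previous slides, followed by the verification step this slide shows, as an added shell example that is not from the talk. The signing identity, file names, hook and sample output are placeholders I constructed; the `pkgutil --check-signature` text follows the 10.8-era layout as I recall it ("Status: ..." and a numbered "Certificate Chain:"), so confirm it against real output before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the talk): re-sign an installer package with a
# Developer ID Installer certificate and verify the result. The identity,
# file names and sample output are placeholders.

IDENTITY='Developer ID Installer: MyCompany'

# resign_package IN.pkg OUT.pkg [HOOK]: expand the flat package, run an
# optional shell function over the expanded tree (e.g. to remove a script
# from Scripts/ before flattening), flatten it again and sign the result.
# pkgutil --expand insists on a destination that does not exist yet, so it
# is given a fresh subdirectory of a mktemp directory.
resign_package() {
  src=$1; dst=$2; hook=${3:-}
  work=$(mktemp -d "${TMPDIR:-/tmp}/pkgedit.XXXXXX") || return 1
  pkgutil --expand "$src" "$work/expanded" || return 1
  if [ -n "$hook" ]; then "$hook" "$work/expanded" || return 1; fi
  pkgutil --flatten "$work/expanded" "$work/unsigned.pkg" || return 1
  productsign --sign "$IDENTITY" "$work/unsigned.pkg" "$dst" || return 1
  rm -rf "$work"
}

# signature_summary TEXT: reduce `pkgutil --check-signature` output to
# "signed <leaf certificate>", "unsigned", or "untrusted: <status>".
signature_summary() {
  status=$(printf '%s\n' "$1" | sed -n 's/^ *Status: //p')
  leaf=$(printf '%s\n' "$1" | sed -n 's/^ *1\. //p')
  case "$status" in
    "signed by a certificate trusted by Mac OS X"*) echo "signed $leaf" ;;
    "no signature"*)                                echo "unsigned" ;;
    *)                                              echo "untrusted: $status" ;;
  esac
}

# verify_package PKG (macOS only): a package Gatekeeper will accept after a
# web download reports "signed Developer ID Installer: ..." here and
# "accepted" with "source=Developer ID" from spctl.
verify_package() {
  signature_summary "$(pkgutil --check-signature "$1" 2>&1)"
  spctl --assess --verbose --type install "$1" 2>&1
}

# Constructed sample of `pkgutil --check-signature` output for a package
# signed with a Developer ID Installer certificate (not a real package).
SAMPLE_CHECK='Package "MySignedPackage.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: MyCompany (ABCDE12345)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
    2. Developer ID Certification Authority
    3. Apple Root CA'
signature_summary "$SAMPLE_CHECK"
```

The second check in `verify_package` matters because a valid signature is not the same as Gatekeeper acceptance: a package signed with a certificate that is not a Developer ID Installer certificate verifies fine in pkgutil but is still rejected with "source=no usable signature" when a user opens it from a web download.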

- In general, Gatekeeper shouldn't interfere with Casper in most use cases, except:
  - QuickAdd packages placed on a website for users to download: these should be signed by Recon
  - Enrollment through the JSS (new in Casper 8.6 and later): upload your Developer ID Installer certificate to the JSS so it can sign the enrollment package
  - Signing packages in Composer: generally a good practice, especially if the packages are used elsewhere (i.e. outside of Casper)

Screenshots: Recon QuickAdd package settings; JSS enrollment process; Composer preferences

Java and Other Considerations

- Java error (screenshot): Gatekeeper blocks Java content downloaded from the web, which is not Developer ID signed
- Java with Gatekeeper: the workaround shown is to set "Allow applications downloaded from:" to Anywhere on the Macs that need it

References

- http://support.apple.com/kb/HT5290
- http://www.macworld.com/article/1167862/up_close_with_mountain_lion_security.html
- http://krypted.com/mac-os-x/manage-gatekeeper-from-the-command-line-in-mountain-lion/
- http://derflounder.wordpress.com/2012/08/13/creating-apple-developer-id-signed-casper-quickadd--packages/
- http://derflounder.wordpress.com/2012/09/26/removing-the-office-2011-installers-application-quit-function/
- https://developer.apple.com/resources/developer-id/
- http://krypted.com/mac-os-x/signing-installation-packages/
- http://stackoverflow.com/questions/11665386/os-x-10-8-gatekeeper-and-java-applets

Thank you!