Install macOS programs on the Mac correctly

Since the introduction of iOS, Apple has brought more and more security features from its mobile operating system to macOS. With OS X Lion came Gatekeeper, which has continued to mature over the years.

Install software properly on Mac

In 2012, Apple first added a graphical view for rating the risk of app installs to System Preferences. Since then, the “Security” pane has offered a selection of sources from which the user can allow the installation of apps.

  • App Store
  • App Store and Verified Developers

Before the name change from OS X to macOS, there was also an “Everywhere” option, but System Preferences no longer shows it by default.

The “Security” settings can be found in System Preferences:

To make changes, first click on the lock in the lower left corner and enter your password:

Differences between the categories

Apple wants to prevent malicious code from taking root on your Mac. All apps placed in the App Store are vetted behind the scenes by Apple itself and have only limited room to act within the operating system. In this way, Apple prevents developers from gaining unnoticed access to private files.

Apps that can’t be found in the App Store can still get the Apple stamp of approval. Developers only need to join Apple’s developer program, pay 99 euros a year and register their details. After that, a digital signature can be created. Such apps are then classified as coming from a “verified developer” and, depending on system settings, can be opened directly.

So all apps that are not in the App Store (because developers may not want to abide by Apple’s restrictions or share revenue with Apple) but come from official app developers fall under the second classification, “App Store and Verified Developers”.

However, Apple does not perform the vetting already mentioned on these apps, so macOS shows a warning before such an application is opened for the first time. Be aware that the application you have just downloaded may contain malicious code, and always check first that the file was downloaded from the developer’s own official website.

If you have chosen the more restrictive option and only allow apps from the App Store, you will not be able to directly launch apps that are not from the App Store. You will be shown a warning that the application is not from the App Store and therefore cannot be opened.

However, this warning does not have to prevent you from installing the downloaded program, and you do not have to make any global changes either. The system settings under “Security” give you the option to confirm an exception for this developer.

The “Security” tab will show the app you last tried to open, and clicking “Open anyway” will set an exception. This is saved system-wide and from now on you can always launch the application with a double-click.

Unverified applications

If you are working with open source software whose developers can’t or don’t want to pay the 99 euros per year, the applications fall under “Not Verified Developer”. In the latest versions of macOS there is no longer a default setting that allows the installation of this kind of application.

After opening an application without a digital signature, a warning message appears, suggesting that you move the application to the Trash. However, this is not the end of the story. As with the previous setting, system-wide exceptions can be created. To do this, go back to System Preferences and click the “Open anyway…” button at the bottom of the “Security” tab. This way you can create one-time exceptions for applications you trust.

If you don’t want to go through the “Security” tab every time, a Terminal command helps bring the old “Everywhere” option back to life. Search for “Terminal” via Spotlight, select the application and a black window will appear after opening it. There you can use the command:

enter and confirm with Enter. Then you enter your password (the letters are not displayed) and confirm again with the Enter key. Now you can open the system settings again, and under the “Security” tab the option “Everywhere” is now available.

This is the most insecure option, but the system will leave you alone from now on and will no longer show any warnings when opening applications. To disable the option, just use the command:

sudo spctl --master-enable

After that the option disappears again. We recommend this only for professional users who work with many applications that are not verified and know exactly where the installed program comes from.
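
To confirm from Terminal that Gatekeeper is active again, and to see which of the categories described above a given app falls into, the output of spctl can be checked with a small script. This is an added example, not part of the original article; the category labels and the sample outputs are constructed for illustration, and only the `spctl --status` and `spctl --assess -vv` invocations are real macOS commands.

```shell
#!/bin/sh
# Added example. Category labels and sample outputs are constructed for
# illustration; only the spctl invocations are real macOS commands.

# Map the text of `spctl --status` to on/off.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "on" ;;
        *"assessments disabled"*) echo "off" ;;   # "Everywhere" is active
        *)                        echo "unknown" ;;
    esac
}

# Map the text of `spctl --assess -vv <app>` to the article's categories.
classify_assessment() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    source_line=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    case "$first_line" in
        *": accepted") verdict=accepted ;;
        *)             verdict=rejected ;;
    esac
    case "$verdict:$source_line" in
        accepted:"Mac App Store") echo "app-store" ;;
        accepted:"Apple System")  echo "apple-system" ;;
        accepted:*"Developer ID") echo "verified-developer" ;;
        *)                        echo "unverified" ;;  # needs "Open anyway"
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DEVID='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/Tool.app: rejected
source=no usable signature'

# On a Mac, pass an app path to check the live system, e.g.
#   sh gatekeeper_check.sh /Applications/Example.app
if command -v spctl >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    echo "Gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
    echo "$1: $(classify_assessment "$(spctl --assess -vv "$1" 2>&1)")"
fi
```

A result of “off” means the “Everywhere” option is still in effect and the enable command above has not been applied.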

Recommended settings and procedures

Dynamically adding exceptions makes it easy to configure security settings as restrictively as possible. If you select only “App Store” in the “Security” tab, all apps that were not installed from the App Store will get a warning and will not open. You can bypass this via the “Open anyway…” button in System Preferences.

This is not convenient, but it is secure, especially when you consider that installing apps doesn’t take a lot of time. For example, when setting up a new Mac, it is possible to set the option to “App Store and verified developers”, and then switch to the “App Store” setting after opening and using the apps.

This way you make sure you don’t accidentally open applications that don’t comply with the strictest security guidelines.

Password entry during installation

In addition to these basic restrictions, apps may require a password to be entered during installation. Complex apps often access or modify system-wide settings, or operate in system folders that regular users do not have access to.

If this is the case, the user must prove that he or she has the necessary rights on the Mac. Simpler applications can simply be placed in the Applications folder and do not access any other files. These do not require an administrator password.

Summary

It is important to understand that no matter what settings you have chosen, any application can still be opened by way of a detour through the system settings. The restrictive “App Store” setting only allows applications from the App Store to be opened by default. Permanent exceptions for non-App Store applications can be added via the “Open anyway…” button.

The second most secure setting is “App Store and verified developers”. All apps created by developers with a digital signature from Apple can be opened. This is the case for all developers who pay 99 euros a year and created the application via Xcode. The app itself does not have to be from the App Store, and can be from a website or DVD.

It is important to understand that Apple cannot perform a direct malicious code check here, so you are at the mercy of the app, which can access areas of the system in ways that may or may not be to your disadvantage.

The third variant is “Everywhere”, which Apple has removed from the system settings. This can be reactivated with the terminal command. Afterwards you will not see any warnings anymore and all applications can be installed. If you work a lot with open source software, this can be an advantage. But afterwards you have to check for yourself which developers and sources you trust.