Enable Gatekeeper on macOS endpoints to prevent unsigned software execution
This Automox Worklet™ enables Gatekeeper on macOS endpoints to verify application signatures and block unsigned software. Gatekeeper is Apple's native security feature that validates whether applications come from trusted developers before allowing them to run.
The Worklet first checks the current status of Gatekeeper using the spctl --status command. If Gatekeeper is already enabled, the Worklet exits without making changes. If disabled, the Worklet automatically enables it using spctl --master-enable to restore code-signing enforcement.
When Gatekeeper is disabled, endpoints become vulnerable to malware and unauthorized software that users might accidentally run. Without signature verification, any unsigned application can execute, creating an entry point for ransomware, trojans, and other threats that exploit user trust. This exposure increases dramatically when users download software from non-App Store sources or fall victim to social engineering attacks.
This Worklet protects against common attack vectors where users are socially engineered into running unsigned applications or where malware attempts to execute without Apple's code-signing verification. Gatekeeper enforcement is fundamental to zero-trust security on macOS and meets compliance requirements for organizations adopting CIS Benchmarks and security frameworks.
Evaluation phase: The Worklet executes spctl --status to check if Gatekeeper is already enabled. If enabled, evaluation succeeds and no remediation is needed. If disabled, evaluation fails and triggers remediation.
Remediation phase: The Worklet runs spctl --master-enable to enable Gatekeeper. This immediately activates code-signing verification and prevents unsigned applications from launching unless explicitly approved by the user.
macOS endpoint with administrator privileges to modify Gatekeeper settings
Bash shell environment to execute the spctl command
Compatible with all modern macOS versions (10.15 Catalina and later)
No special configuration required; the Worklet operates with system defaults
After the Worklet executes, Gatekeeper will be enabled and the endpoint will enforce code-signing verification on all applications. Any unsigned applications or applications from unidentified developers will be blocked from running. Users can still approve specific applications through System Preferences if needed, but the default posture protects against execution of unauthorized software.
Verification: Run spctl --status on the endpoint, which will return "assessments enabled" if Gatekeeper is active. When a user attempts to launch an unsigned application, macOS displays a security dialog preventing execution unless the user explicitly overrides the protection in System Preferences > Security and Privacy. This validation confirms that code-signing enforcement is operational and protecting the endpoint from unauthorized software execution.
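The evaluation and remediation phases above, and the verification step, as one Bash script. This is an added example written in the shape of the Worklet described on this page; it is not Automox's own Worklet code. It assumes it runs as root on macOS (as Worklets do) and that `spctl --status` prints "assessments enabled" or "assessments disabled"; the `SPCTL` variable is a hypothetical override so the decision logic can be exercised against a stand-in `spctl` on a non-macOS host. It treats unrecognized `spctl` output as a failure instead of guessing, and re-runs evaluation after `--master-enable` rather than trusting that command's exit code alone.

```shell
#!/bin/bash
# Added example modelled on the Worklet's evaluate/remediate flow (not Automox's code).
# Assumption: SPCTL may be overridden for offline testing; default is the macOS binary.
SPCTL="${SPCTL:-/usr/sbin/spctl}"

# Map the text printed by `spctl --status` to a return code:
#   0 = "assessments enabled"  (compliant, nothing to do)
#   1 = "assessments disabled" (remediation needed)
#   2 = anything else          (unknown state; fail closed, do not guess)
gatekeeper_state_from_output() {
    case "$1" in
        *"assessments enabled"*)  return 0 ;;
        *"assessments disabled"*) return 1 ;;
        *)                        return 2 ;;
    esac
}

# Evaluation phase: run spctl --status and classify its output.
# spctl itself exits non-zero when Gatekeeper is disabled, so the "|| true"
# keeps the text for parsing instead of aborting.
evaluate_gatekeeper() {
    gk_out=$("$SPCTL" --status 2>&1) || true
    gatekeeper_state_from_output "$gk_out"
}

# Remediation phase: enable Gatekeeper, then re-evaluate to confirm the change
# actually took effect (returns 0 only if the endpoint now reports enabled).
remediate_gatekeeper() {
    "$SPCTL" --master-enable || return 1
    evaluate_gatekeeper
}

# Full Worklet-style flow: exit 0 when compliant (before or after remediation),
# exit 1 when remediation failed or the state could not be determined.
main() {
    evaluate_gatekeeper && gk_state=0 || gk_state=$?
    case "$gk_state" in
        0) echo "Gatekeeper already enabled; no changes made."; return 0 ;;
        1) echo "Gatekeeper disabled; enabling." ;;
        *) echo "Unrecognized spctl --status output; not remediating." >&2; return 1 ;;
    esac
    if remediate_gatekeeper; then
        echo "Gatekeeper enabled and verified (assessments enabled)."
        return 0
    fi
    echo "Failed to enable Gatekeeper; confirm the script runs as root." >&2
    return 1
}

# Run the flow only where spctl is present (macOS); elsewhere the functions
# stay defined for sourcing and testing.
if [ -x "$SPCTL" ]; then
    main
    exit $?
fi
```

On a macOS endpoint the script is self-contained: run it as root, and its exit code is the Worklet's compliance result. The parsing function is split out so the decision logic can be checked against constructed `spctl` output without touching the real Gatekeeper setting.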
Run this Worklet on a pilot macOS endpoint and review the evaluation output for the Enable Gatekeeper Worklet.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script logic: spctl --status should report "assessments enabled", which is the condition under which the evaluation exits as compliant.
Validate the remediation effects of the script's spctl --master-enable call, then rerun the evaluation to confirm compliance.
For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for Enable Gatekeeper. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.
Useful script references for this Worklet are the spctl --status check and its exit branches in evaluation, and the spctl --master-enable call in remediation. Use these indicators to verify that endpoint changes match intended policy outcomes.
Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.