macOS - spctl command - disabled list with News.app - app still runs
I followed the guidance in this answer.
Ran the following commands:
sudo spctl --add --label "DeniedApps" /System/Applications/News.app
sudo spctl --disable --label "DeniedApps"
News app (to be sure, this is the native Apple "News" app) can still be launched from the administrator account and from a regular user account.
As I understand it, the above commands should have been sufficient to stop the app from running.
Also tried a restart. No go.
Mac OS 10.15.3
Solution 1:
I just don't think Gatekeeper (spctl
) will do you want it to do.
Gatekeeper only checks access restrictions the first time an app is run. So if you're trying to block an app that you've run at least one time before, it probably just isn't going to work at all. If you've ever tried to download and run an unsigned third party app from the internet, you've seen that you only get prompted the first time you try to run it.
Furthermore, the software that is bundled with macOS (like News.app) very likely has the signatures pre-loaded into the Gatekeeper database in a way that cannot be overridden. In other words, the whitelist seems to have precedence over the blacklist. Strangely, this built-in whitelist doesn't seem to be shown from spctl --list
. The best evidence I have for this theory is that the CDHash of News.app
doesn't seem to appear anywhere in the Gatekeeper SQLite database (/var/db/SystemPolicy
). Instead, it seems to be permitted to run because the certificate is signed by one of the trusted authority
root certificates.
You could probably disable Apple's built-in authority
certificates, but that would probably stop all kinds of software from running on your machine and end up being a real, real bad scene that ends with recovery.
There are probably ways to block News.app from running, but I don't think Gatekeeper will do it.
Solution 2:
Ended up setting chflags hidden for the apps I wanted to block.
Details are here (thanks to bogdanw):
https://forums.macrumors.com/threads/spctl-command-gatekeeper-disabled-list-with-news-app-app-still-runs.2226594/
Long and short:
- First, with admin account create aliases to apps that will be hidden.
- In recovery mode, set chflags hidden for app that are to be hidden.