macOS - spctl command - disabled list with News.app - app still runs

I followed the guidance in this answer.

Ran the following commands:

sudo spctl --add --label "DeniedApps" /System/Applications/News.app

sudo spctl --disable --label "DeniedApps"

News app (to be sure, this is the native Apple "News" app) can still be launched from the administrator account and from a regular user account.

As I understand it, the above commands should have been sufficient to stop the app from running.

Also tried a restart. No go.

macOS 10.15.3


Solution 1:

I just don't think Gatekeeper (spctl) will do what you want it to do.

Gatekeeper only checks access restrictions the first time an app is run. So if you're trying to block an app that you've run at least one time before, it probably just isn't going to work at all. If you've ever tried to download and run an unsigned third party app from the internet, you've seen that you only get prompted the first time you try to run it.

Furthermore, the software that is bundled with macOS (like News.app) very likely has the signatures pre-loaded into the Gatekeeper database in a way that cannot be overridden. In other words, the whitelist seems to have precedence over the blacklist. Strangely, this built-in whitelist doesn't seem to be shown from spctl --list. The best evidence I have for this theory is that the CDHash of News.app doesn't seem to appear anywhere in the Gatekeeper SQLite database (/var/db/SystemPolicy). Instead, it seems to be permitted to run because the certificate is signed by one of the trusted authority root certificates.

You could probably disable Apple's built-in authority certificates, but that would probably stop all kinds of software from running on your machine and end up being a real, real bad scene that ends with recovery.

There are probably ways to block News.app from running, but I don't think Gatekeeper will do it.

Solution 2:

Ended up setting chflags hidden for the apps I wanted to block.

Details are here (thanks to bogdanw):

https://forums.macrumors.com/threads/spctl-command-gatekeeper-disabled-list-with-news-app-app-still-runs.2226594/

Long and short:

  • First, with admin account create aliases to apps that will be hidden.
  • In recovery mode, set chflags hidden for the apps that are to be hidden.
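
The two steps of this answer as one script, added here as an example and not code from the original thread. It assumes macOS (BSD chflags and ls -O); the app list, the ~/Applications link directory, and the use of symlinks in place of Finder aliases are assumptions. Note that chflags hidden only sets the UF_HIDDEN flag, which hides the bundle in Finder; anyone who knows the path can still launch it with open. The flag-parsing helpers are the part worth reusing: they let you verify from any shell which bundles actually carry the flag.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes macOS (BSD chflags and
# `ls -O`); the app list and the ~/Applications link directory are assumptions.
# Step 1 of the answer (Finder aliases) is approximated here with symlinks.
set -u

APPS="/System/Applications/News.app /System/Applications/Stocks.app"  # assumed
LINK_DIR="$HOME/Applications"                                          # assumed

# Pull the BSD flags column (5th field) out of one `ls -ldO` line,
# e.g. "hidden", "hidden,uchg" or "-" when no flags are set.
flags_from_ls_line() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Flags column for a path; empty if the path does not exist or ls lacks -O.
bsd_flags() {
    flags_from_ls_line "$(ls -ldO "$1" 2>/dev/null)"
}

# Returns 0 if the comma-separated flags string contains "hidden", 1 otherwise.
flags_have_hidden() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx hidden
}

# Step 1: create a stand-in alias (symlink) so the app stays reachable once hidden.
make_links() {
    mkdir -p "$LINK_DIR"
    for app in $APPS; do
        ln -sfn "$app" "$LINK_DIR/$(basename "$app")"
    done
}

# Step 2: set or clear UF_HIDDEN. On Catalina /System lives on the read-only
# system volume, which is why the answer runs this step from Recovery.
hide_apps()   { for app in $APPS; do chflags hidden "$app"; done; }
unhide_apps() { for app in $APPS; do chflags nohidden "$app"; done; }

# Report which apps currently carry the hidden flag.
report() {
    for app in $APPS; do
        if flags_have_hidden "$(bsd_flags "$app")"; then
            echo "hidden:  $app"
        else
            echo "visible: $app"
        fi
    done
}

# Dispatch only when invoked with a subcommand, so the helpers can be sourced.
if [ "$#" -gt 0 ]; then
    case "$1" in
        links)  make_links ;;
        hide)   hide_apps ;;
        unhide) unhide_apps ;;
        status) report ;;
        *) echo "usage: $0 links|hide|unhide|status" >&2; exit 2 ;;
    esac
fi
```

Run `sh hide_apps.sh links` as the admin user first, `sh hide_apps.sh hide` from the Recovery terminal, and `sh hide_apps.sh status` afterwards to confirm the flag is set; `unhide` reverses it.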