GateKeeper allows me to install anything, no checks are done
Solution 1:
This is a status-by-design feature where an admin user can always override Gatekeeper and open an Application by right clicking the app in Finder.
An admin user can also change Gatekeeper settings or disable it entirely, so there's no real harm (in my eyes at least) in presenting a one-time white list dialog to ensure the admin user intends to allow a non-compliant (non-signed or non-Mac App Store) application to run.
Now if you found a way for a non-admin user to bypass Gatekeeper, then I would expect filing a security vulnerability with Apple to get credit for finding a hole once they patch whatever implementation error was made to allow out of policy apps to run.
Apple documents this feature in depth on how to explicitly white list an application.
- OS X: About Gatekeeper
Gatekeeper is not malware protection and not a black list. It is a set of policies that allow first launch of properly signed applications and/or validation of Mac App Store receipts. If an admin user explicitly launches and then approves the running of non-compliant software, you have an education or policy problem as opposed to uncovering some flaw in Gatekeeper.
In detail, I have summarized (and mostly copied) the relevant sections of Apple's help on white listing any App so that Gatekeeper will allow it to run unhindered and unprompted:
How to open an app from an unidentified developer and exempt it from Gatekeeper
If you are confident the app downloaded from the Internet is the latest version and is from a source you trust, you can open an app from an unidentified developer by following these steps.
Important: Some Apple screened apps from developers that are in the process of acquiring Developer ID signatures will present the "Open" option when they are double-clicked.
Note: In most cases, you will only have to perform these steps once for all user accounts on the Mac:
- In Finder, Control-click or right click the icon of the app.
- Select Open from the top of the contextual menu that appears.
- Click Open in the dialog box. If prompted, enter an administrator name and password.
Note: If there is an app that presents multiple Gatekeeper dialog boxes, you can temporarily use Gatekeeper's "Always" option. Make sure to restore the Gatekeeper option that was there before to bring back Gatekeeper function.
You can easily control who can white list Applications by not handing out Administrator user names and passwords to users that are not aware of this functionality, and you can also manage Gatekeeper from the terminal or Profile Manager and other managed settings software like Casper from JAMF. You can also audit your machines for software that has been white listed to periodically reset the list of allowed apps and determine who is exercising this function in case you wish to change policy and habit.
Solution 2:
Downloading a file over SMB will not trigger quarantining, and since the app is not quarantined the Gatekeeper policy never gets checked. I'm not sure why it's being marked as quarantined on your other computers...
To check for quarantining at any point, use the ls -ld@ command to look for the com.apple.quarantine attribute:
$ ls -ld@ /Applications/TextWrangler.app
drwxrwxr-x@ 3 gordon staff 102 Apr 30 2012 /Applications/TextWrangler.app
com.apple.FinderInfo 32
com.apple.quarantine 57
If that quarantine attribute is attached to the app, the Gatekeeper policy will be checked; if not, it won't. The interesting question is why it got quarantined on your other computers, and if you use this command to check the application at various points as you distribute it, you can figure out when the attribute is getting attached (and therefore why it's getting attached).
EDIT: There's a note relating to this in the "Click here for more details" section of Apple's KB article #HT5290:
Important: Developer ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet.
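Added example, not part of the original answer: a small shell filter that reads ls -ld@ output for several apps and reports which entries carry com.apple.quarantine, useful when auditing machines or checking an app at each distribution step. The function names quarantine_report and sample_listing are hypothetical, and the second sample entry is constructed.

```shell
#!/bin/sh
# Added example: classify entries in `ls -ld@` output by whether the
# com.apple.quarantine attribute is attached. Per the answer above,
# Gatekeeper policy is only checked for entries that carry it.

# quarantine_report (hypothetical name): reads `ls -ld@` output on stdin and
# prints "QUARANTINED <path>" or "NOT-QUARANTINED <path>" for each entry.
quarantine_report() {
  awk '
    function emit() {
      if (path != "") print (q ? "QUARANTINED" : "NOT-QUARANTINED"), path
    }
    # Entry line: a mode string such as drwxrwxr-x@ followed by 8+ fields.
    NF >= 9 && $1 ~ /^[-dlbcps][-rwxsStT]+[@+]?$/ {
      emit()
      # Drop the 8 metadata fields; the rest is the path (may hold spaces).
      path = $0
      for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+/, "", path)
      sub(/^[ \t]+/, "", path)
      q = 0
      next
    }
    # Attribute line: "<name> <size>" belonging to the entry above it.
    $1 == "com.apple.quarantine" { q = 1 }
    END { emit() }
  '
}

# Sample input: the first entry is the listing from the answer; the second
# is constructed to show an app with no quarantine attribute.
sample_listing() {
  cat <<'EOF'
drwxrwxr-x@ 3 gordon staff 102 Apr 30 2012 /Applications/TextWrangler.app
com.apple.FinderInfo 32
com.apple.quarantine 57
drwxr-xr-x 3 gordon staff 102 May 2 2012 /Applications/Copied Over SMB.app
EOF
}

# On a Mac: ls -ld@ /Applications/*.app | quarantine_report
sample_listing | quarantine_report
```

Entries reported as NOT-QUARANTINED are the ones to trace back through the distribution path, since Gatekeeper is never consulted for them.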
Solution 3:
If you have enabled this hidden preference, it also disables Gatekeeper:
defaults write com.apple.LaunchServices LSQuarantine -bool false
Or OS X allows opening all applications regardless of the setting in System Preferences.