Citadel / Controls / GatekeeperEnabled

GatekeeperEnabled Control

What does this control check?

The GatekeeperEnabled control verifies that macOS Gatekeeper is enabled and actively protecting your Mac. Gatekeeper checks all applications you download and open to ensure they're from identified developers and haven't been tampered with by malware.

Important: Gatekeeper is your first line of defense against malicious software on macOS. When you download and try to open an application, Gatekeeper verifies it's been signed by an identified Apple developer and checks with Apple to ensure it hasn't been reported as malware. Without Gatekeeper, you could unknowingly run malicious applications that appear legitimate but have been modified to steal your data, install malware, or compromise your system. Disabling Gatekeeper is like removing the lock from your front door.

Why is this important?

🛡️

Malware Prevention

Gatekeeper blocks unsigned or malicious applications from running, preventing malware infections from downloaded software before they can compromise your Mac.

Developer Verification

Gatekeeper verifies that applications come from identified developers, ensuring you're running genuine software and not malware disguised as legitimate applications.

🔍

Tampering Detection

Gatekeeper checks that applications haven't been modified after being signed by their developers, protecting you from trojaned or backdoored versions of legitimate software.

How to fix this

Enabling Gatekeeper on macOS

Re-enabling Gatekeeper:

  1. Open Terminal (Applications → Utilities → Terminal)
  2. Type: sudo spctl --master-enable
  3. Press Enter
  4. Enter your administrator password when prompted (you won't see it as you type)
  5. Press Enter again
  6. Gatekeeper is now enabled

Verify Gatekeeper settings in System Settings:

  1. Click the Apple menu in the top-left corner
  2. Select System Settings (or System Preferences on older versions)
  3. Click Privacy & Security
  4. Scroll down to the Security section
  5. Under "Allow applications downloaded from:", select:
    • App Store and identified developers (recommended)
    • OR App Store (most secure, but some work apps may be blocked)
  6. Do NOT select "Anywhere" - this disables Gatekeeper protection
Note: On some macOS versions, the "Anywhere" option is hidden by default. This is intentional for security reasons.
⚠️ Important notes:
  • The recommended setting is "App Store and identified developers"
  • If you need to run an unsigned app temporarily, right-click it and select "Open" instead of disabling Gatekeeper
  • Gatekeeper may prevent some older or unsigned applications from running - this is intentional
  • Contact IT support if a work-related application is blocked by Gatekeeper

Verifying the fix

After enabling Gatekeeper, Citadel will automatically verify this control during its next check.

To verify Gatekeeper is enabled:

  1. Open Terminal (Applications → Utilities → Terminal)
  2. Type: spctl --status
  3. Press Enter
  4. You should see: "assessments enabled"
  5. If you see "assessments disabled", Gatekeeper is not enabled

Alternative: Check System SettingsPrivacy & Security and verify "Allow applications downloaded from" is NOT set to "Anywhere".