👋We’re launching free support for BYOD Android devices and looking for early feedback. Interested?

Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Guides Vitals Queries Policies Software OS settings Data tables API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
Gatekeeper enabled

Gatekeeper enabled

Checks to make sure that the Gatekeeper feature is enabled on macOS devices. Gatekeeper tries to ensure only trusted software is run on a mac machine.

Control

Create or edit a configuration profile with the following information:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>EnableAssessment</key>
      <true/>
      <key>PayloadDisplayName</key>
      <string>System Policy Control</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.systempolicy.control.6CA698CD-1DBB-445C-BDA3-60E35FBBF0E9</string>
      <key>PayloadType</key>
      <string>com.apple.systempolicy.control</string>
      <key>PayloadUUID</key>
      <string>6CA698CD-1DBB-445C-BDA3-60E35FBBF0E9</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Enable Gatekeeper</string>
  <key>PayloadIdentifier</key>
  <string>com.fleetdm.enablegatekeeper.DF30A9A2-C9F9-421D-A26A-6FAA7216E72F</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>DF30A9A2-C9F9-421D-A26A-6FAA7216E72F</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

Create or edit the following script and configure it to run when the check fails:

#!/bin/sh

## command to enable gatekeeper
/usr/sbin/spctl --master-enable

Check

Use the policy below to verify:

SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
spctl --status | grep -q 'assessments enabled' && echo 1 || echo 0
An icon indicating that this section has important information

PowerShell commands are currently work in progress, contributions welcome.

An icon indicating that this section has important information

Bash commands are currently work in progress, contributions welcome.

Platform

macOSmacOS/apple

WindowsWindows

LinuxLinux

ChromeOSChromeOS

Docs REST API Guides A pencil iconEdit page