Prevent Gatekeeper from Being Disabled
Block spctl from disabling macOS Gatekeeper protections, stopping attackers and social engineering attempts from weakening signature enforcement.
Idea
macOS Gatekeeper enforces signature and notarization policy when applications are first launched from a quarantined source. The spctl utility is the command-line interface to the underlying SecAssessment subsystem, and historically the easiest way for an attacker — or a user being socially engineered — to weaken or disable that policy.
This rule blocks any spctl invocation that carries a Gatekeeper-weakening flag, while leaving operations that do not weaken policy (--status, --assess, --global-enable) untouched.
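As an added illustration of the flag split this rule makes (not the rule's own CEL or Workshop code), the following Python classifies spctl argument vectors and runs the check over a few constructed exec-audit lines. The log line format and the exact set of flags treated as weakening are assumptions of this example.

```python
import os
import re
import shlex

# Assumption: the spctl(8) options this example treats as policy-weakening.
# The option names are real; which ones a rule blocks is a policy choice.
WEAKENING_FLAGS = {
    "--master-disable",  # legacy global off switch
    "--global-disable",  # current global off switch
    "--disable",         # disable an assessment rule by label
    "--remove",          # delete rules from the assessment database
}

def classify_spctl(argv):
    """Return ("block", flag) when spctl is invoked with a weakening flag,
    else ("allow", None). Commands other than spctl are always allowed."""
    if not argv or os.path.basename(argv[0]) != "spctl":
        return ("allow", None)
    for arg in argv[1:]:
        # spctl uses long options; tolerate the --opt=value spelling too
        flag = arg.split("=", 1)[0]
        if flag in WEAKENING_FLAGS:
            return ("block", flag)
    return ("allow", None)

# Constructed exec-audit lines in a hypothetical 'argv="..."' format.
SAMPLE_EXEC_LOG = """\
2024-05-01T10:02:11Z mac01 exec uid=501 argv="/usr/sbin/spctl --status"
2024-05-01T10:02:40Z mac01 exec uid=0 argv="/usr/sbin/spctl --master-disable"
2024-05-01T10:03:05Z mac02 exec uid=501 argv="/usr/sbin/spctl --assess --type execute /Applications/Foo.app"
2024-05-01T10:03:30Z mac02 exec uid=0 argv="/usr/sbin/spctl --global-disable"
2024-05-01T10:04:00Z mac03 exec uid=0 argv="/usr/sbin/spctl --global-enable"
2024-05-01T10:04:20Z mac03 exec uid=501 argv="/bin/ls --master-disable"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) exec uid=(?P<uid>\d+) argv="(?P<argv>[^"]*)"$')

def scan_exec_log(text):
    """Return a list of (host, uid, flag) for every line the rule would block."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        verdict, flag = classify_spctl(shlex.split(m["argv"]))
        if verdict == "block":
            hits.append((m["host"], int(m["uid"]), flag))
    return hits

if __name__ == "__main__":
    for host, uid, flag in scan_exec_log(SAMPLE_EXEC_LOG):
        print(f"BLOCK {host} uid={uid} spctl {flag}")
```

The last sample line shows why the check keys on the executable name as well as the flag: a non-spctl command carrying the same string must not trip the rule.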
Deployment Notes
This rule is safe to deploy widely. If you're using Workshop, you can set up tags to enforce this across your fleet but allow exceptions for your dev team.
False Positive Guidance
Developers may occasionally need to disable Gatekeeper temporarily. Use Workshop tags to exempt specific hosts or users.