---
title: "Prevent Gatekeeper from Being Disabled | Security Cookbook"
description: "Block spctl from disabling macOS Gatekeeper protections, stopping attackers and social engineering attempts from weakening signature enforcement."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/prevent-gatekeeper-disable"
---

### Idea

macOS Gatekeeper enforces signature and notarization policy when applications are first launched from a quarantined source. The `spctl` utility is the command-line interface to the underlying SecAssessment subsystem, and it has historically been the easiest way for an attacker, or a user being socially engineered, to weaken or disable that policy.

This rule blocks `spctl` invocations that include any Gatekeeper-weakening flag while leaving operations that do not weaken policy (`--status`, `--assess`, `--global-enable`) untouched.

### Solutions

Execution

Block Gatekeeper Disable Commands

Prevent `spctl` from disabling Gatekeeper

Signing ID

`platform:com.apple.spctl`

CEL Expression

```
[
  '--global-disable',
  '--master-disable',
  '--disable',
  '--add',
  '--remove'
].exists(flag,
  args.exists(a, a == flag || a.startsWith(flag + '='))
) ? BLOCKLIST : ALLOWLIST
```

Custom Message

Disabling Gatekeeper is not allowed
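
To see which command lines the CEL expression above blocks before rolling it out, the following added example (not North Pole Security's code and not Santa's evaluator) mirrors its matching logic in Python and runs it over constructed argument vectors. The names `decide`, `WEAKENING_FLAGS`, `SAMPLES` and `mismatches`, the sample paths and labels, and the assumption that `args` holds the full argument vector are this example's own.

```python
# Added example: a Python mirror of the page's CEL expression, not Santa's evaluator.
WEAKENING_FLAGS = [
    "--global-disable",
    "--master-disable",
    "--disable",
    "--add",
    "--remove",
]


def decide(args):
    """Return the decision the CEL expression yields for one argument vector.

    Mirrors: FLAGS.exists(flag, args.exists(a, a == flag || a.startsWith(flag + '=')))
    """
    hit = any(
        a == flag or a.startswith(flag + "=")
        for flag in WEAKENING_FLAGS
        for a in args
    )
    return "BLOCKLIST" if hit else "ALLOWLIST"


# Constructed argument vectors with the decision expected from the rule.
# Paths, labels and the "--disabled" token are made up for illustration.
SAMPLES = [
    (["spctl", "--status"], "ALLOWLIST"),
    (["spctl", "--assess", "--type", "execute", "/Applications/Example.app"], "ALLOWLIST"),
    (["spctl", "--global-enable"], "ALLOWLIST"),
    (["spctl", "--global-disable"], "BLOCKLIST"),
    (["spctl", "--master-disable"], "BLOCKLIST"),
    (["spctl", "--add", "--label", "Example", "/Applications/Example.app"], "BLOCKLIST"),
    (["spctl", "--disable=Example"], "BLOCKLIST"),      # flag=value form is matched
    (["spctl", "--disabled"], "ALLOWLIST"),             # longer token: no exact or '=' match
    (["spctl", "--assess", "--remove"], "BLOCKLIST"),   # flag matched at any position
    (["spctl", "--label", "--add"], "BLOCKLIST"),       # ...even where it would be a value
]


def mismatches():
    """List every sample whose decision differs from the expected one."""
    return [(argv, want, decide(argv)) for argv, want in SAMPLES if decide(argv) != want]


if __name__ == "__main__":
    for argv, want in SAMPLES:
        print(f"{decide(argv):9}  {' '.join(argv)}")
    assert not mismatches()
```

The last sample shows that the expression matches on token value alone, so a blocked flag string appearing anywhere in the arguments triggers the block.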

### MITRE ATT&CK

Tactics

[Defense Impairment](https://attack.mitre.org/tactics/TA0112/)

Techniques

[T1553.001: Gatekeeper Bypass](https://attack.mitre.org/techniques/T1553/001/)

### Tags

gatekeeper, spctl

### Deployment Notes

This rule is safe to deploy widely. If you're using Workshop, you can set up tags to enforce this across your fleet but allow exceptions for your dev team.

### False Positive Guidance

Developers may occasionally need to disable Gatekeeper temporarily. Use Workshop tags to exempt specific hosts or users.

