macOS has a feature called “Gatekeeper” designed to lock down your Mac, forcing it to only run Apple-approved software by default. But a Mac is locked down in the same way Android is locked down–you’re still free to run any application you want.
Gatekeeper works a little differently depending on which version of macOS you’re running. Old versions let you turn it off with a simple switch, while macOS Sierra makes things a little more complicated. Here’s what you need to know.
How Gatekeeper Works
Whenever you launch a new application on your Mac, Gatekeeper checks to see that it’s signed with a valid signature. If the application is signed with a valid signature, it’s allowed to run. If it’s not, you’ll see a warning message and your Mac will prevent the application from running.
But not every Mac app is signed. Some apps available on the web–particularly older ones–just aren’t signed, even if they’re trustworthy. Maybe they haven’t been updated in a while, or maybe the developer just didn’t bother. That’s why Apple offers a way to bypass Gatekeeper. (You may also want to bypass this and run an unsigned app if you’re developing your own apps.)
Gatekeeper knows about three different types of apps:
- Apps from the Mac App Store: Applications you install from the Mac App Store are considered the most trustworthy, as they’ve gone through an Apple vetting process and are hosted by Apple themselves. They’re also sandboxed, although this is a reason why many app developers don’t use the Mac App Store.
- Apps from Identified Developers: Mac app developers can acquire a unique developer ID from Apple and use it to sign their applications. This digital signature ensures the application was actually created by that specific developer. For example, when you install Google Chrome on your Mac, it’s signed with Google’s developer ID so Apple allows it to run. If it’s discovered that a developer is abusing their developer ID–or it was acquired by hackers who are using it to sign malicious apps–the developer ID can then be revoked. In this way, Gatekeeper ensures only applications created by legitimate developers who have gone through the trouble of getting a developer ID and are in good standing can run on your computer.
- Apps from anywhere else: Apps that aren’t acquired from the Mac App Store and aren’t signed with a developer ID fall into this last category. Apple considers these the least secure, but it doesn’t mean an app is untrustworthy–after all, Mac apps that haven’t been updated in years may not be properly signed.
The default setting is to only allow apps from the first two categories: the Mac App Store and from identified developers. This setting should provide a good amount of security, allowing users to get apps from the app store or download signed apps from the web.
How to Open an Unsigned App
If you try opening an unsigned app by double-clicking it, it won’t work. You’ll see an “[App Name] can’t be opened because it is from an unidentified developer” message.
Of course, there may be a time when you come upon an unsigned app that you need to use. If you trust the developer, you can tell your Mac to open it anyway.
Warning: Gatekeeper is a security feature, and it’s on by default for a reason. Only run apps you trust.
To open an unsigned app, you need to right-click or Control-click the app and select “Open”. This works on macOS Sierra as well as previous versions of macOS.
You’ll be warned that the app is from an unidentified developer–in other words, it isn’t signed with a valid developer signature. If you trust the app, click “Open” to run it.
That’s it. Your Mac will remember this setting for each specific app you allow to run, and you won’t be asked again the next time you run that app. You’ll just have to do this the first time you want to run a new unsigned app.
This is the best, most secure way to run a handful of unsigned apps. Just allow each specific app as you go, making sure you trust each app before you run it.
How to Allow Apps From Anywhere
In older versions of macOS, you could disable Gatekeeper entirely from System Preferences > Security and Privacy. You’d just select “Anywhere” from the “Allow apps downloaded from” setting.
In macOS 10.12 Sierra, though, Apple changed this. You can no longer disable Gatekeeper entirely from the System Preferences window. That’s it–a single graphical option was removed. You can still choose to run individual unsigned apps, and there’s a hidden command line option to bypass Gatekeeper entirely. But Apple doesn’t want less knowledgeable users disabling this security feature, so it’s hidden that switch, just like like the option to disable system integrity protection.
If you know what you’re doing and need to change the setting, you can, though we don’t recommend it.
First, open a Terminal window. Press Command+Space, type “Terminal”, and press Enter to launch one. Or, you can open a Finder window and head to Applications > Utilities > Terminal.
Run the following command in the Terminal window and provide your password:
sudo spctl --master-disable
After you do, head to System Preferences > Security & Privacy. You’ll find that the old “Anywhere” option has returned and is enabled.
Your Mac will now behave as it used to if you selected the “Anywhere” setting, and unsigned apps will run without any problem.
To undo this change, just select “App Store and identified developers” or “App Store” in the Security & Privacy pane.
Apple is trying to make macOS more secure by hiding this option from less knowledgeable users. If you need to run unsigned applications, we encourage you to just allow them one by one rather than disabling Gatekeeper and allowing all unsigned applications to run. It’s almost as easy, and ensures nothing runs on your computer that you don’t approve yourself.