Next up we'll talk about Gatekeeper. By default, Gatekeeper helps to ensure that all macOS installed software has been signed by the App Store or signed by a registered developer and notarized by Apple. It verifies that the software is free of known malicious content and hasn’t been altered.
We'll start with a macOS configuration profile. Navigate to Devices > macOS > Configuration Profiles and select Create new policy.
Choose Templates as the Profile type and select Endpoint Protection.
Enter a name for the policy and click Next.
We'll see two settings to configure. You are given the following options for "Allow apps downloaded from these locations"
- Not configured (default)
- Mac App Store
- Mac App Store and identified developers
- Anywhere
This is to limit the apps a device can launch, depending on where the apps were downloaded from. The intent is to protect devices from malware, and allow apps from only the sources you trust.
I've chosen Mac App Store for now. There is a second setting to configure "Do not allow user to override Gatekeeper". This prevents users from overriding the Gatekeeper setting, and prevents users from Control-clicking to install an app. When enabled, users can't Control-click any app to install it. I want this so I've selected Yes.
I'm assigning this policy to my group of Mac devices.
Select Create. The policy will then be assigned.
In Intune, I can see that the policy has been successfully deployed to my test device.
I can see that each of the two settings was successfully applied to the device.
On the device you can navigate to System Preferences > Profiles. There are two new profiles. The first one disallows apps by identified developers.
The second one disallows the opening of untrusted apps i.e. not downloaded from the Mac App Store.
Navigate to System Preferences > Security and Privacy and we can see the configuration. Only allow apps downloaded from the App Store. The setting is greyed out and cannot be changed, even by an administrator on the device.
See what happens when launching an app that was downloaded from the Internet. It can't be opened because it was not downloaded from the App Store. That's what we want.
I hope this helps. Until next time.....
No comments:
Post a Comment