This security feature is going to send every Eastern European teenage hacker into therapy.
Nasty programs aren’t very common on the Mac to begin with. But now, unless you turn Gatekeeper off, downloading a program that’s secretly designed to damage your Mac is virtually impossible.
Gatekeeper won’t even let you install programs that haven’t been proved to be safe (Figure 13-13).
Figure 13-13. Top: The “Allow apps downloaded from” options are, in fact, the face of Gatekeeper. Bottom: If you try to open a downloaded program that Apple can’t vouch for, you get this admonishing dialog box.
There’s no Gatekeeper app or even a Gatekeeper System Preferences icon. Instead, to find Gatekeeper, you open System Preferences→Security & Privacy→General. At the bottom of this screen (Figure 13-13, top), you see three options. These three humble buttons are Gatekeeper.
Click the lock icon and enter your password to unlock this panel. Now your choices, under “Allow applications downloaded from,” are:
Mac App Store. This is the safest option. Every program that Apple allows into its Mac App Store is safe. Each has been tested by Apple to make sure that, among other things, it’s both sandboxed (blocked from accessing parts of the Mac that it doesn’t need) and digitally signed (set up to notify the Mac if it’s been altered in any way since it left the software company).
So what happens if you try to download a program that didn’t come from the App Store? The Mac won’t let you install it, period.
Mac App Store and identified developers. This option, the factory setting, lets you download and install both App Store programs and those from “identified developers.” That means software companies that have registered with Apple and received, in turn, an encrypted code (a “certificate”) that’s embedded in their programs.
This certificate lets Apple track who created the app, and also digitally signs it, as described above. Now, Apple may not know this software company, and Apple doesn’t inspect its software. But if anybody reports that some program is actually a virus in disguise, Apple can instantly add that program to its blacklist—and prevent millions of other people from installing it. (OS X updates its blacklist once a day.)
Anywhere. This button turns Gatekeeper off (after presenting an “Are you sure?” message). You’re free to download and install any programs you want, with no checking for their hygiene.
Don’t turn on Anywhere just because there’s one particular non-kosher app you want to run. In that case, it’s smarter to leave Gatekeeper turned on—and override Gatekeeper just for that one app. To do so, right-click (or two-finger click) the program’s icon; from the shortcut menu, choose Open.
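The three tiers above can also be checked from Terminal with the system's spctl tool. The script below is an added example, not part of the original text: it sorts spctl's verdict for an app into those tiers and tests it against each Gatekeeper setting. The function names and sample outputs are constructed for illustration, and the output layout is assumed to match the samples.

```shell
#!/bin/sh
# Constructed samples of `spctl --assess -vv` output (not from a real machine).
SAMPLE_DEVID='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_STORE='/Applications/StoreApp.app: accepted
source=Mac App Store'
SAMPLE_UNSIGNED='/Applications/Unsigned.app: rejected
source=no usable signature'

# classify_assessment TEXT
# Prints app-store | identified-developer | unidentified | unknown
classify_assessment() {
    verdict=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    case "$verdict" in
        rejected) echo unidentified; return ;;  # unsigned, altered or blocked
        accepted) ;;
        *)        echo unknown; return ;;        # output we could not parse
    esac
    case "$src" in
        "Mac App Store")  echo app-store ;;
        *"Developer ID"*) echo identified-developer ;;
        *)                echo unknown ;;
    esac
}

# allowed_under TIER SETTING
# SETTING is app-store | identified | anywhere (the three buttons).
# Returns 0 if a first launch of a downloaded app would be allowed.
allowed_under() {
    case "$2:$1" in
        anywhere:*)                                           return 0 ;;
        identified:app-store|identified:identified-developer) return 0 ;;
        app-store:app-store)                                  return 0 ;;
        *)                                                    return 1 ;;
    esac
}

# On a Mac, pass app paths as arguments; spctl writes its verdict to stderr.
if command -v spctl >/dev/null 2>&1; then
    for app in "$@"; do
        out=$(spctl --assess -vv --type execute "$app" 2>&1) || true
        printf '%s\t%s\n' "$(classify_assessment "$out")" "$app"
    done
fi
```

Running `spctl --status` reports whether Gatekeeper's assessments are turned on at all.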
Gatekeeper is a pretty powerful disincentive for the world’s bad eggs; if millions of people leave Gatekeeper turned on, the bad guys might as well not even bother. Their apps will never be downloaded and can therefore never spread.
There are, however, some important limitations to note:
Gatekeeper doesn’t uninstall programs you’ve already installed. (Once you’ve run a program for the first time, Gatekeeper never checks it again.)
Gatekeeper is intended to stop bad software that you get by downloading. It doesn’t do anything about programs you’ve installed from, for example, a DVD or USB drive.
Overall, Gatekeeper is a pretty convincing barrier to a Windows-like nightmare scenario, where some virus breaks out into the wild and takes down hundreds of thousands of computers. If most people leave the factory setting selected—and they will—that outcome is virtually impossible.