Apple removes Control-click option for skipping Gatekeeper in macOS Sequoia


You'll no longer be able to override Gatekeeper in macOS Sequoia with a keyboard shortcut as Apple continues to crack down on unsigned software.

[Image: Gatekeeper gets more strict in macOS Sequoia]



If you try to install apps on macOS that haven't been signed or notarized, Gatekeeper gets in the way and won't let them run. Apple has removed an age-old shortcut for skipping the Gatekeeper prompt in macOS Sequoia.

Until macOS Sequoia, users could hold Control and click on a freshly installed app to avoid Gatekeeper's warnings about running unsafe software. Now, users must navigate to System Settings then Privacy & Security to allow the app to run.

It's a slight inconvenience for users trying to install apps from the web, but it doesn't prevent them from running the app. In fact, many installers include instructions or a direct link to the System Settings page, so the Control-click shortcut hasn't always been necessary.

The change is likely meant to protect non-technical users from being instructed by malicious installers to bypass Gatekeeper. The extra steps requiring actions in System Settings can create a higher barrier to entry for such attack vectors.

Apple, of course, recommends that any app destined for macOS that is distributed outside the App Store be notarized. The process scans the software for security risks and gives it a ticket for Gatekeeper to treat it as a trusted app.
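For administrators who want to know ahead of the upgrade which installed apps would hit the stricter prompt, the following added example (not from the article or from Apple) classifies each app bundle by the verdict `spctl --assess` reports. The label names and the sample text are this example's own, and it assumes the `source=` strings that `spctl` commonly prints.

```shell
#!/bin/sh
# Added example (not from the article): report how Gatekeeper assesses each app.

# classify_assessment TEXT: map captured `spctl --assess -vv` output to a label.
classify_assessment() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | sed -n '1p')
    case "$first" in
        *": accepted") verdict=accepted ;;
        *": rejected") verdict=rejected ;;
        *) echo "unknown"; return 0 ;;
    esac
    case "$verdict:$src" in
        accepted:"Notarized Developer ID") echo "notarized" ;;
        accepted:"Apple System"|accepted:"Mac App Store") echo "apple" ;;
        accepted:*) echo "accepted-other" ;;
        rejected:"Unnotarized Developer ID") echo "signed-not-notarized" ;;
        rejected:"no usable signature") echo "unsigned" ;;
        rejected:*) echo "rejected-other" ;;
    esac
}

# audit_apps DIR: assess every .app bundle in DIR (default /Applications).
audit_apps() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -e "$app" ] || continue
        # spctl exits non-zero on rejection, so capture both streams and go on.
        out=$(spctl --assess --type execute -vv "$app" 2>&1 || true)
        printf '%s\t%s\n' "$(classify_assessment "$out")" "$app"
    done
}

# Constructed sample of a rejected, unsigned app (not captured from a real system).
SAMPLE_UNSIGNED='/Users/demo/Downloads/Tool.app: rejected
source=no usable signature'

if command -v spctl >/dev/null 2>&1; then
    audit_apps "${1:-/Applications}"
else
    # Not on macOS: show the classifier on the constructed sample instead.
    printf '%s\tTool.app (constructed sample)\n' "$(classify_assessment "$SAMPLE_UNSIGNED")"
fi
```

Apps reported as `unsigned` or `signed-not-notarized` are the ones that would need the System Settings approval described above.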

Some see this as a direct attack on web-sourced software, arguing that Apple is babying its customer base with nanny-like protections. In the end, it is just an extra step that could prevent someone from running malware, and it does nothing to stop people from running what they want on Mac.

macOS Sequoia is due to release later in the fall. It could launch alongside iOS 18 shortly after the iPhone 16 announcement in September.




Comments

  • Reply 1 of 9
    Xed Posts: 2,780 member
    I'm all for this change. Users need to be aware that unsigned SW is potentially more of a security issue so having the user make more qualified additional steps to run it the first time is not a bad idea. I would've implemented this many years ago, personally.
  • Reply 2 of 9
    sflocal Posts: 6,121 member
    The whining from a certain group is getting old.  If this bothers you, go to Linux or Windows.  There are choices.  Most users of MacOS are regular users, not power users.  The majority of users I would think would support this. 

    Just look at the mess that happens with the wild-west that is Windows.  If that is what bakes your noodle, go right ahead to that yard.
  • Reply 3 of 9
    elijahg Posts: 2,814 member
    sflocal said:
    The whining from a certain group is getting old.  If this bothers you, go to Linux or Windows.  There are choices.  Most users of MacOS are regular users, not power users.  The majority of users I would think would support this. 

    Just look at the mess that happens with the wild-west that is Windows.  If that is what bakes your noodle, go right ahead to that yard.
    Right clicking and open is already an inconvenience and different enough to usual that it should cause users to think twice. Has there been some mass infiltration of Macs through running unsigned software via right-click that I am unaware of? 
  • Reply 4 of 9
    dewme Posts: 5,635 member
    sflocal said:
    The whining from a certain group is getting old.  If this bothers you, go to Linux or Windows.  There are choices.  Most users of MacOS are regular users, not power users.  The majority of users I would think would support this. 

    Just look at the mess that happens with the wild-west that is Windows.  If that is what bakes your noodle, go right ahead to that yard.
    Both Windows and macOS have provided facilities for signing binaries and assemblies for a very long time. At the same time both Windows and macOS allow users with admin privileges to run unsigned binaries and assemblies. Windows is no more or less of a “Wild West” than macOS, at least when it comes to managed code. 

    I suppose both macOS and Windows could have clamped down hard and insisted that everything be signed at some point. Unfortunately the boat anchor that is “backward compatibility” and legacy software has kept both operating systems from dropping the hammer. Each one has their own way of waving the “Danger Will Robinson” flag but users become oblivious to the warnings anyway.

    In some ways the real “blame” if you want to call it that lies with the software providers who have chosen to place their customers at increased risk by not taking advantage of the more secure security facilities that the OS vendors provide and have provided for quite some time already. You can lead a horse to water …

    Hopefully more users will start to question why some software providers are asking them to leave the door unlocked if they want to run their software on a secure system. Perhaps they believe the (fire)wall they’ve erected around their system is secure enough considering the nature of what the app does. All I can say is that if my privacy, security, or financial health is at risk I’m going to consider signed software to be a requirement, not an option. All of my past customers felt exactly the same way.
  • Reply 5 of 9
    icodewell Posts: 12 unconfirmed, member
    Apple isn't taking something away, per se, but for power users (who are also influencers) it adds another annoyance. This is why I've been an advocate for adding a "Developer Mode" to macOS and Windows which would disable the default restrictions and otherwise configure the experience for pro users.
  • Reply 6 of 9
    sflocal said:
    The whining from a certain group is getting old.  If this bothers you, go to Linux or Windows.  There are choices.  Most users of MacOS are regular users, not power users.  The majority of users I would think would support this.

    Because all the platforms are the same, right? Just go to something else if this thing “bothers” you?  Who are you to characterize what kind of person uses a Mac in what kind of way?  
  • Reply 7 of 9
    dewme said:
    sflocal said:
    The whining from a certain group is getting old.  If this bothers you, go to Linux or Windows.  There are choices.  Most users of MacOS are regular users, not power users.  The majority of users I would think would support this. 

    Just look at the mess that happens with the wild-west that is Windows.  If that is what bakes your noodle, go right ahead to that yard.

    Hopefully more users will start to question why some software providers are asking them to leave the door unlocked if they want to run their software on a secure system. Perhaps they believe the (fire)wall they’ve erected around their system is secure enough considering the nature of what the app does. All I can say is that if my privacy, security, or financial health is at risk I’m going to consider signed software to be a requirement, not an option. All of my past customers felt exactly the same way.

    This isn’t some kind of universal lock. This is not registering as an Apple Developer. You’re advocating the “if you’re not doing anything wrong, you shouldn’t have anything to worry about with any oversight, no matter what” position. Apple keep moving towards the closed off system on the Mac. Do you think there haven’t been any scams on iOS? Do you think all scams on macOS, on PCs have been because of non-registered software? Was the CrowdStrike debacle from an unsigned update?
  • Reply 8 of 9
    dewme Posts: 5,635 member
    icodewell said:
    Apple isn't taking something away, per se, but for power users (who are also influencers) it adds another annoyance. This is why I've been an advocate for adding a "Developer Mode" to macOS and Windows which would disable the default restrictions and otherwise configure the experience for pro users.
    What you’re talking about makes sense in terms of allowing system administrators, which for a lot of “power” users is the end user, to establish their own environment based on their own situational needs. For some users the default behaviors associated with signed software are more than simply an annoyance, it’s a productivity issue.

    For example, a lot of manufacturing and processing systems use Ethernet and Windows for communication, visualization, and certain types of control. Due to the nature of what they do they can’t open their systems to the internet. Security services that rely on an outside authority for authentication and revocation cannot be reached by the connected systems inside the facility that have no outside connection. Even time services can be an issue. Of course there are workarounds like caching but it places more burden on the administrators of these systems to put all the necessary workarounds in place and keep them up to date. 

    You’re right, what works in the best interests of computer users who aren’t familiar with the risks and consequences of these kinds of details doesn’t necessarily help those who understand what they’re doing, but there are some of us who still favor the benefits over the annoyances. 
  • Reply 9 of 9
    tobian Posts: 155 member
    It’s that kind of slight inconvenience, like inability to set behaviour for wi-fi and bluetooth buttons in iOS control center. Much less frequent, but another one.