Configuring a system policy rule

The system policy rule setting allows you to control Gatekeeper rules. Gatekeeper secures the macOS operating system by enforcing code signing and verifying applications downloaded from the web before allowing users to run them. The goal of Gatekeeper is to reduce the likelihood of accidentally running malware.

The options in this setting are also available in the macOS command-line utility spctl, which manages the security assessment policy subsystem on macOS. This subsystem evaluates the rules you define to decide whether the macOS device allows an application to be installed, executed, or opened through Launch Services (for example, from the Finder contextual menu); these three cases correspond to the INSTALL, EXECUTE and LSOPEN operation types of a rule. A system policy rule takes effect only when a system policy control setting that enables Gatekeeper is also applied to the device.

For example, to allow applications published by a company called Salesapps on macOS devices while blocking other downloaded software, you would need to do the following:

  1. Create a system policy control setting that enables Gatekeeper.
  2. In that control setting, disable the option that allows all applications by identified developers.
  3. Create a system policy rule setting whose policy requirement is:

    identifier com.salesapps

The quoted form identifier "com.salesapps" is equivalent; quotes are optional for a plain dotted identifier like this one but required if the string contains spaces or other special characters.

With the rule and control in place, Gatekeeper allows the execution of applications whose code signing identifier is com.salesapps. Users can still download other apps, but Gatekeeper blocks those from running unless another enabled rule matches them. Note that an identifier constraint matches the code signing identifier (normally the bundle identifier) exactly, so the rule above covers only code signed as com.salesapps; to cover every application a developer signs, write the requirement against the developer's signing certificate (for example, a Team ID constraint on the leaf certificate) rather than against a bundle identifier.

Only one policy is allowed per macOS device. You can define multiple policies and assign a priority level to each, such that Ivanti EPMM can determine which policy it sends to macOS devices.

This policy is supported on devices running macOS 10.10 or a supported later version.

Procedure

  1. Select Policies & Configs > Policies.
  2. Select Add New > iOS and macOS > macOS > System Policy Rule.
  3. Use the guidelines in System policy rule settings to complete this form.
  4. Select Save.
  5. Apply the policy to a macOS label.
Table 21.  System policy rule settings

Name
  Enter a name for the policy.

Status
  Select the relevant radio button to indicate whether the policy is Active or Inactive. Only one active policy can be applied to a device.

Priority
  Specifies the priority of this policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is available. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select "Higher than" and "Policy B".

Description
  Enter an explanation of the purpose of this policy.

Policy requirement
  Enter the requirement that Gatekeeper evaluates for this rule, written in the Code Signing Requirement Language (the expression you would otherwise pass to spctl with --requirement), for example identifier com.salesapps. Enter only the requirement expression: the expiration date and operation type cannot be written into this field and must be set in the Expires on field and the Operation type drop-down list below.

Comment
  Enter any comments regarding the rule or its requirement.

Expires on
  Enter the date after which the rule no longer applies.

Operation type
  Select the operation that the rule governs:

  • EXECUTE: launching an application.

  • INSTALL: installing a package.

  • LSOPEN: opening an item through Launch Services, such as a document or an application opened from the Finder.
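The three-step Salesapps procedure above and the Table 21 fields, as an added worked example that is not part of the Ivanti documentation or of EPMM itself: a Python script that builds the two Gatekeeper configuration-profile payloads the procedure amounts to, a com.apple.systempolicy.control payload (Gatekeeper on, identified developers off) and a com.apple.systempolicy.rule payload whose Requirement, Comment, Expires and OperationType keys map onto the Policy requirement, Comment, Expires on and Operation type fields. It also applies a cheap sanity check that rejects a requirement field into which someone has pasted an spctl command line or left quotes unbalanced, the mistake the Policy requirement description warns about. The payload key names are Apple's; that EPMM delivers the form as exactly these payloads, and the com.example payload identifiers, are assumptions of this example.

```python
"""Build Gatekeeper (system policy) profile payloads for the Salesapps scenario.

Assumption: the MDM pushes the form fields as Apple's com.apple.systempolicy.control
and com.apple.systempolicy.rule payloads. Payload identifiers are hypothetical.
"""
from __future__ import annotations

import plistlib
import uuid
from datetime import datetime
from typing import List, Optional

OPERATION_TYPES = ("EXECUTE", "INSTALL", "LSOPEN")

# Constructed example expiry date used by the demo profile below.
EXAMPLE_EXPIRY = datetime(2026, 12, 31)

# spctl flags do not belong in the requirement field: operation type and expiry
# are separate fields, so a pasted command line is rejected outright.
SPCTL_FLAGS = ("--add", "--type", "--requirement", "--label", "--priority",
               "--enable", "--disable", "--assess")


def validate_requirement(requirement: str) -> str:
    """Syntactic sanity check on a Code Signing Requirement string.

    Not a full parser: it catches an spctl command pasted into the field and
    unbalanced quotes/brackets before the rule is pushed to devices.
    """
    req = requirement.strip()
    if not req:
        raise ValueError("requirement must not be empty")
    for tok in req.split():
        if tok == "spctl" or tok in SPCTL_FLAGS:
            raise ValueError(f"enter only the requirement expression, not an spctl command ({tok!r})")
    if req.count('"') % 2:
        raise ValueError("unbalanced double quotes in requirement")
    if req.count("(") != req.count(")") or req.count("[") != req.count("]"):
        raise ValueError("unbalanced brackets in requirement")
    return req


def _base(payload_type: str, identifier: str, name: str) -> dict:
    """Common keys every profile payload carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # hypothetical identifier for the example
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": name,
    }


def control_payload(enable_assessment: bool = True,
                    allow_identified_developers: bool = False) -> dict:
    """System policy control: steps 1 and 2 of the procedure."""
    payload = _base("com.apple.systempolicy.control",
                    "com.example.gatekeeper.control", "Gatekeeper control")
    payload["EnableAssessment"] = enable_assessment
    payload["AllowIdentifiedDevelopers"] = allow_identified_developers
    return payload


def rule_payload(requirement: str, operation_type: str, comment: str = "",
                 expires: Optional[datetime] = None) -> dict:
    """System policy rule: step 3. Expiry and operation type are separate keys,
    never part of the requirement string."""
    if operation_type not in OPERATION_TYPES:
        raise ValueError(f"operation type must be one of {OPERATION_TYPES}, got {operation_type!r}")
    payload = _base("com.apple.systempolicy.rule",
                    "com.example.gatekeeper.rule", "Gatekeeper rule")
    payload["Requirement"] = validate_requirement(requirement)
    payload["OperationType"] = operation_type
    if comment:
        payload["Comment"] = comment
    if expires is not None:
        payload["Expires"] = expires  # plistlib serialises datetime as a plist <date>
    return payload


def build_profile(payloads: List[dict]) -> bytes:
    """Wrap the payloads in a top-level configuration profile, serialised as XML plist."""
    profile = _base("Configuration", "com.example.gatekeeper", "Gatekeeper policy")
    profile["PayloadContent"] = list(payloads)
    return plistlib.dumps(profile)


def parse_profile(data: bytes) -> dict:
    """Parse a serialised profile back into a dict (used to inspect the result)."""
    return plistlib.loads(data)


def salesapps_profile(expires: Optional[datetime] = None) -> bytes:
    """The worked example from the text: Gatekeeper on, identified developers off,
    execution allowed for the signing identifier com.salesapps."""
    return build_profile([
        control_payload(enable_assessment=True, allow_identified_developers=False),
        rule_payload("identifier com.salesapps", "EXECUTE",
                     comment="Allow Salesapps applications", expires=expires),
    ])


if __name__ == "__main__":
    print(salesapps_profile(expires=EXAMPLE_EXPIRY).decode())
```

Running the script prints the XML profile. On a Mac you can install the output as a .mobileconfig, confirm that the rule was registered with spctl --list, and check an application against the active policy with spctl --assess --type execute followed by the path to the .app bundle.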