Configuring a system policy rule
The system policy rule setting allows you to control Gatekeeper rules. Gatekeeper secures the macOS operating system by enforcing code signing and verifying applications downloaded from the web before allowing users to run them. The goal of Gatekeeper is to reduce the likelihood of accidentally running malware.
The options in this setting are also available in the macOS command-line utility spctl. The spctl utility manages the security assessment policy subsystem on macOS. This subsystem evaluates rules you define that determine whether the macOS device allows the installation and execution of applications, and the opening of applications from the contextual menu, on the device. The system policy rule setting requires the system policy control setting in order to work.
For example, if you want to allow applications developed by a company called Salesapps on macOS devices, you would need to do the following:
- Create a system policy control setting enabling Gatekeeper.
- Disable the option that allows all applications by identified developers.
- Create a system policy rule setting with the following syntax:
  identifier com.salesapps
The system policy rule and control would allow the execution of all applications developed by the Salesapps company on macOS devices. However, macOS device users would still be able to download other apps.
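To confirm on a managed Mac that the pushed rule behaves as described, the following shell script, an added example and not Ivanti's or Apple's code, queries Gatekeeper status, assesses an app bundle with spctl, and compares the bundle's signing identifier with the rule's value. The app path /Applications/SalesApp.app is an assumed placeholder, and the helper treats the rule as an exact match of the signing identifier, which is an assumption about the rule language.

```shell
#!/bin/sh
# Added verification script (not from the original page). Run on a macOS
# device after the policy has been applied; spctl and codesign are macOS tools.
APP="${1:-/Applications/SalesApp.app}"   # assumed placeholder path
EXPECTED_ID="${2:-com.salesapps}"        # value from the "identifier" rule

# Extract the Identifier= field from codesign's output (codesign -dv writes
# its details to stderr, so merge the streams before filtering).
signing_identifier() {
    codesign -dv "$1" 2>&1 | sed -n 's/^Identifier=//p'
}

# Assumed semantics: an "identifier <value>" rule matches the app's signing
# identifier exactly. Returns 0 (true) on a match, 1 otherwise.
identifier_satisfies() {
    [ "$1" = "$2" ]
}

# Reduce spctl's assessment text ("<path>: accepted" / "<path>: rejected",
# followed by source=... lines) to a single word.
verdict_from_assessment() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# Only talk to Gatekeeper when the tools exist (i.e. on macOS).
if command -v spctl >/dev/null 2>&1; then
    echo "Gatekeeper status: $(spctl --status 2>&1)"
    ASSESSMENT="$(spctl --assess --type execute --verbose=4 "$APP" 2>&1)"
    echo "$ASSESSMENT"
    echo "Verdict: $(verdict_from_assessment "$ASSESSMENT")"
    ACTUAL_ID="$(signing_identifier "$APP")"
    echo "Signing identifier: ${ACTUAL_ID:-<unsigned or unreadable>}"
    if identifier_satisfies "$ACTUAL_ID" "$EXPECTED_ID"; then
        echo "Identifier matches rule value $EXPECTED_ID"
    else
        echo "Identifier does not match rule value $EXPECTED_ID"
    fi
fi
```

A bundle that is accepted only because of the custom rule shows a source line other than Apple's defaults in the verbose assessment output, which is the quickest way to tell the EPMM rule apart from an app that Gatekeeper would have allowed anyway.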
Only one policy is allowed per macOS device. You can define multiple policies and assign a priority level to each, such that Ivanti EPMM can determine which policy it sends to macOS devices.
This policy is supported on devices running macOS 10.10 or supported newer versions.
Procedure
- Select Policies & Configs > Policies.
- Select Add New > iOS and macOS > macOS > System Policy Rule.
- Use the guidelines in System policy rule settings to complete this form.
- Select Save.
- Apply the policy to a macOS label.