Mac OS X 10.10.4: Managing Gatekeeper's automated re-enable via a management profile

Number: rdar://22094327
Date Originated: 31-Jul-2015 02:43 PM
Status: Open
Resolved:
Product: OS X
Product Version: Mac OS X 10.10.4 (14E46)
Classification: Other Bug
Reproducible: Always

On OS X 10.10.x and later, disabling Gatekeeper does not mean it is permanently off. After a set amount of time (currently 30 days), Gatekeeper will automatically re-enable itself with the "Allow apps downloaded from: Mac App Store and identified developers" setting.

After doing some research, it looks like Gatekeeper’s automatic re-enablement function can be disabled by running the following command with root privileges:

defaults write /Library/Preferences/ GKAutoRearm -bool false

This would allow Gatekeeper to be set to "Allow apps downloaded from: Anywhere" and have it stay that way.

However, it does not appear that I can manage this with a profile based on the CFPreferencesCopyValue variable being used.

Instead, it looks like CFPreferencesCopyAppValue would need to be used (see attached screenshot).

Steps to Reproduce:

1. Install profile
2. Check value for GKAutoRearm

Expected Results: GKAutoRearm is set to False

Actual Results: GKAutoRearm is set to True


Running the defaults command listed above sets the following value:

GKAutoRearm is set to False


I have more information on this issue available here:

I have a sample management profile available here:


Attached screenshot

The referenced screenshot is viewable here:
