In this post, I will show you how to check Gatekeeper status on Mac using Intune. An Intune administrator can easily check the Gatekeeper status of all their managed Mac devices with the help of a custom attribute.
The purpose of Gatekeeper is to allow only trusted applications to run on your Mac. It is a built-in macOS security function that verifies the authenticity and integrity of downloaded software and its code signature before it runs, which lowers the likelihood of a malware infection.
If you have enrolled your Mac devices in Intune, a custom attribute can help you determine the Gatekeeper status from the admin center. The steps covered in this post require knowledge of creating custom attributes for Mac devices.
Prepare the CheckGatekeeperStatus.zsh Script
The below extension attribute script by Microsoft attempts to check the status of Gatekeeper on Mac devices and returns whether it is enabled or not. This script must be saved with the .zsh extension. I have saved this script into a file called CheckGatekeeperStatus.zsh.
#!/bin/zsh
#set -x
# Fixed variables
gatekeeper=$(spctl --status)
notcompliance="assessments disabled"
# Attempt to check status of Gatekeeper and return its result
if [[ "$gatekeeper" == "$notcompliance" ]]; then
    echo "Gatekeeper is not enabled."
else
    echo "Gatekeeper is enabled."
fi
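A stricter variant of the check, added here as an example and not Microsoft's script: it reports Enabled only when spctl explicitly says so, and reports Unknown when spctl fails or prints something unexpected, so a command error is never recorded as a compliant device. The function names classify_gatekeeper and report_gatekeeper are my own.

```shell
#!/bin/zsh
# Added example (not Microsoft's script). POSIX-compatible so it runs under zsh.
# Classify the Gatekeeper state from the exit code and text of `spctl --status`.
# Anything other than a clean, recognised answer is reported as Unknown rather
# than being assumed to mean "enabled".

# classify_gatekeeper <spctl_exit_code> <spctl_output>
# Prints exactly one of: Enabled | Disabled | Unknown
classify_gatekeeper() {
    rc="$1"
    out="$2"
    if [ "$rc" -ne 0 ]; then
        # spctl itself failed: do not assume protection is on
        printf 'Unknown\n'
        return 0
    fi
    case "$out" in
        *"assessments disabled"*) printf 'Disabled\n' ;;
        *"assessments enabled"*)  printf 'Enabled\n' ;;
        *)                        printf 'Unknown\n' ;;   # unrecognised output
    esac
}

# report_gatekeeper: run spctl on the device and emit the single line that the
# custom attribute records. stderr is merged so error text is seen, not lost.
report_gatekeeper() {
    if output=$(spctl --status 2>&1); then
        rc=0
    else
        rc=$?
    fi
    classify_gatekeeper "$rc" "$output"
}

# Only query the device when spctl exists (i.e. on macOS); elsewhere the
# classifier can still be exercised with constructed sample output.
if command -v spctl >/dev/null 2>&1; then
    report_gatekeeper
fi
```

When deployed through Intune, the value recorded for each device is Enabled, Disabled or Unknown, and an Unknown result is worth investigating rather than ignoring.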
Check Gatekeeper Status on Mac using Intune
To add a new custom attribute for macOS, sign in to the Microsoft Intune admin center. Select Devices > By platform > macOS. Under Organize devices > Custom attributes for macOS, click Create.
On the Basics tab, specify the script name and description. In the example below, the following details are entered.
- Name: Check Gatekeeper Status on Mac using Intune
- Description: Determine the status of Gatekeeper on your macOS devices.
Click Next.
On the Attribute Settings tab, first select the data type of the attribute, matching the kind of value the script returns. Next, upload the script that checks the Gatekeeper status. The uploaded script is displayed in the script box. Click Next to continue.
In the Assignments tab, choose the target Microsoft Entra groups for the script policy. If you are testing this script in your organization, I recommend assigning it to a pilot device group made up of the devices and users intended for testing. Once the deployment is successful, you can expand the policy to larger groups.
After you have made your selections, the script policy will be sent to the groups you have chosen. Click Next.
In the final step, review the custom attribute policy settings. A summary of the settings you have configured is presented on the screen. If everything looks good, click Add to save the script.
You should see a new notification in the top-right corner of the Intune admin center: "Custom attribute successfully assigned". The script policy is now deployed to the groups you selected.
Monitoring Mac Gatekeeper Status policy
You can sync your macOS devices with Intune to get the latest policies and deployments. The Overview tab of the custom attribute policy shows the devices that have successfully received it.
One of our Mac devices has received the custom attribute policy that checks the Gatekeeper status, as shown in the screenshot below.
Select the custom attribute policy and check the Device Status tab for the result. In the screenshot below, you can see that one of our Macs has reported that Gatekeeper is enabled.