Now that Windows has Device Guard, here's how to use its inspiration, Gatekeeper, on the Mac
InfoWorld | Sep 22, 2015
Windows 10 is getting Mac religion, at least when it
comes to how it manages apps. My colleague Fahmida Rashid recently explained
the new Device Guard feature in Windows 10, a major step for the ubiquitous
Microsoft desktop operating system to combat malware.
Apple introduced a similar technology called Gatekeeper
in 2012's OS X Mountain Lion (and made it available retroactively to the previous OS X
Lion). Now that Microsoft has Device Guard, the two leading desktop operating
systems have a similar approach to managing dubious apps -- and both let
administrators control those settings.
It doesn't matter who had the technology first -- what
matters is that there's now a consensus approach to managing computers to keep
out malware. Most admins will quickly read up on how to use Device Guard for
Windows, but few know how to use the Mac's Gatekeeper equivalent. They should.
Here's what you need to know to take advantage of it in your organization.
The origins of Gatekeeper (and Device Guard)
Adopting this approach was no easy feat for Microsoft.
The issue was less technical and more practical. Windows's blessing and curse
is that it can run an almost unlimited set of apps, from practically any
source. That's why Windows PCs power everything from ATMs to spacecraft, not
simply run productivity and design software on users' desktops. It's also let
malware ravage Windows users.
Restricting the apps that can be installed would keep out
malware, as well as thousands of legitimate apps. Getting all of those apps
certified by Microsoft would have been near-impossible until Microsoft had its
own app store and a more centralized approach to identifying developers.
By contrast, Apple has the advantage of a much smaller
developer base, plus the dominance of its own Xcode development tool, which
requires a developer ID to use. Microsoft, with its support for a broad
range of developers and development tools, had no such requirement.
It took a change in attitude at Microsoft to adopt
Apple's approach, a change made easier by the introduction of the Windows Store
in Windows 8 and Windows Phone and -- let's be honest -- by the steady decrease
in PC sales in the last five years and the never-ending parade of Windows
malware. Something had to give, and it finally did.
When Macs began to get popular in the early 2010s, Apple
saw the potential for a similar malware problem in OS X -- malware attacks,
especially from Internet links and poisoned websites. Then it got a wake-up
call with the Flashback malware attack in 2012.
How Gatekeeper works
Out of that came Gatekeeper, which restricts app
installation to apps from the Mac App Store and to apps whose developer ID is
signed by Apple, meaning Apple knows who the developer is. (Device Guard does
the same now for Windows.)
Apple heavily polices its app stores for malware.
Although that heavy policing (er, curation) created harsh developer criticism
in the early days, it has kept iOS in particular safe, and Apple hoped for
similar safety in OS X. (Of course, some malware has gotten into the iOS App
Store. In fact, this past weekend, Apple removed malware-infested apps that got
into the iOS App Store after being created using a counterfeit version of its
Xcode development tool. But the few iOS malware attacks pale in comparison to
what the Android ecosystem experiences.)
But few OS X developers wanted to pay Apple's 30 percent
cut for Mac App Store inclusion, so the Mac App Store has not taken off in a
meaningful way, as the iOS App Store has. Thus, Apple adopted the notion of the
signed developer ID for those non-Mac App Store apps.
Malware isn't likely to get a signed Apple developer ID,
so Gatekeeper essentially keeps malware off Macs. And if malware is found using
a signed developer ID, Apple can flag that ID as untrusted, so Gatekeeper won't
install any of that developer's apps any more. (Sadly, it does not prevent
already installed apps using that ID from running.)
There are legitimate reasons to install unsigned apps,
mainly revolving around legacy apps created before developer IDs were
available. But in the three years since Gatekeeper's introduction, there are
fewer and fewer of those apps that haven't been updated to the current OS X
versions, and many of those that have not been updated are incompatible with
modern OS X versions because they depend on the Rosetta compatibility tool for
PowerPC-based apps to run in OS X. Rosetta was retired in 2011, with its removal
from OS X Lion and subsequent OS X versions.
I should note that Gatekeeper won't block apps installed
from the network or from a CD or DVD, even if they don't have a developer ID.
It's designed to block unsigned downloads, which is how most malware finds its
way onto computers.
I should also mention Apple's method for limiting the
damage caused by malware: app sandboxes. Every Mac App Store app must be
sandboxed to prevent outside malware from infecting it. But that restriction is
not imposed on non-Mac App Store apps, so developers can get away with
providing infectable apps. Please don't.
Managing Gatekeeper
Apple updates the blacklist daily and all Macs have that
check enabled. But if users have administrator privileges (home users do, as do
many corporate ones), they can disable the update installation in their Macs'
App Store system preference. They can also bypass Gatekeeper by selecting the
Anywhere option in the General pane of the Security & Privacy system
preference or, more simply, by clicking the Open Anyway link that appears there
after a user tries to install an unsigned app.
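To make the mechanics concrete, here is an audit script that checks the two things described above: whether system-wide assessment is still enabled (the "Anywhere" option turns it off) and what verdict Gatekeeper gives a downloaded app, plus whether the app even carries the quarantine attribute that downloads get and network or optical-disc copies do not. This is an added example, not code from the article or from Apple; it assumes a Mac with the standard spctl, xattr and codesign tools, and the app path is whatever you pass on the command line. The classify_* helpers only parse command output, so they can be checked on any system.

```shell
#!/bin/sh
# gatekeeper_audit.sh
# Added example; not code from the InfoWorld article or from Apple.
# Assumes OS X with spctl(8), xattr(1) and codesign(1) on PATH. The
# classify_* helpers only parse text, so the verdict logic runs anywhere.

# System-wide state. The "Anywhere" radio button in Security & Privacy is
# the same switch that `spctl --master-disable` flips.
gatekeeper_status() {
    spctl --status 2>&1
}

# Reduce `spctl --status` ("assessments enabled|disabled") to one token.
classify_status() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Downloads carry the com.apple.quarantine attribute; files copied from a
# LAN share or an optical disc usually do not, which is why those are not
# assessed. Returns 0 when the attribute is present.
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Ask Gatekeeper for its verdict without launching anything.
assess_app() {
    spctl --assess --type execute -vv "$1" 2>&1
}

# Turn spctl's verdict, e.g.
#   /Applications/Foo.app: accepted
#   source=Developer ID
# into "<verdict>:<source>" so an inventory script can compare results.
classify_assessment() {
    case "$1" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *)              verdict=unknown ;;
    esac
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    [ -n "$src" ] || src=unknown
    printf '%s:%s\n' "$verdict" "$src"
}

# Full report for one app bundle:
#   sh gatekeeper_audit.sh /Applications/Foo.app
audit_app() {
    app="$1"
    printf 'Gatekeeper assessments: %s\n' "$(classify_status "$(gatekeeper_status)")"
    if is_quarantined "$app"; then
        printf '%s: quarantined, so Gatekeeper assesses it on first launch\n' "$app"
    else
        printf '%s: no quarantine attribute, so Gatekeeper will not assess it\n' "$app"
    fi
    printf 'verdict: %s\n' "$(classify_assessment "$(assess_app "$app")")"
    # Signer identity: Developer ID certificate chain and Team ID.
    codesign -dv --verbose=4 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true
}

# Only run the live audit when given a path and spctl is present (a Mac).
if [ "$#" -ge 1 ] && command -v spctl >/dev/null 2>&1; then
    audit_app "$1"
fi
```

Run it against an app a user has just downloaded and you get, in one screen, whether the policy is still on, whether the file would be assessed at all, Gatekeeper's verdict with its source (Mac App Store, Developer ID, or "no usable signature"), and which certificate signed the bundle. An "assessments disabled" line on a corporate Mac is the thing to alert on: it means a user has selected Anywhere.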
Gatekeeper isn't really a good solution after all, right?
Wrong. IT can manage the policies around Gatekeeper to prevent users from
working around it (just as Microsoft offers policy administration for Device
Guard).
Apple's $20 OS X Server application for Macs is the
cheapest way to manage Macs' policies, though, ironically, I find its user
interface daunting to learn. With it, you can disable users' abilities to
change Gatekeeper's settings, to override Gatekeeper for individual apps'
installation, and/or to disable automatic security update installation.
You can also manage these OS X policies using mobile
management tools from Centrify, Citrix Systems, Good Technology, MobileIron,
and VMware -- Apple largely unified its iOS and OS X management APIs in OS X
Mavericks and iOS 7, and the smarter mobile management providers realized they
could easily bring Macs into their management folds as a result. (I suggest you
check out Apple's guide on how to use policy management on Macs and iOS
devices.)
Keep out the malware on all Macs and PCs
Gatekeeper and Device Guard both give IT a proactive way
to keep out malware, while permitting the installation of legitimate software.
Use them!
You should do so on your corporate-issued computers, of
course, but I suggest you do the same for users' home computers, too (where
feasible). After all, the same mixing of personal and work contexts that so concerns
IT about mobile devices exists on computers -- and the risks are much higher.
So many employees work from home that the use of policy management on their
computers simply makes sense.