@hoishing
Created July 24, 2024 12:05
disable Gatekeeper with configuration profiles in macOS 15

Disable Gatekeeper with Configuration Profiles

Starting from macOS 15, sudo spctl --master-disable is no longer supported to disable Gatekeeper.

We need to disable it with Configuration Profiles.

How

  • Create a new configuration profile, an XML file with the .mobileconfig extension; see the sample file in this gist
  • Replace the UUIDs with your own; you can use uuidgen in the terminal to generate new ones
  • 2 UUIDs are required, one for the profile and one for the payload
  • Double-click the .mobileconfig file to install the profile on your Mac
  • In System Preferences -> Device Management, click to open the profile and enable it
  • Restart the Mac

You can then see in System Settings -> Security & Privacy that allowing applications from Anywhere is set.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.systempolicy.control</string>
            <key>PayloadUUID</key>
            <string>FIRST-UUID-HERE</string>
            <key>PayloadIdentifier</key>
            <string>com.yourcompany.profile.systempolicy</string>
            <key>PayloadDisplayName</key>
            <string>System Policy Control</string>
            <key>PayloadDescription</key>
            <string>Configures System Policy Control settings</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>EnableAssessment</key>
            <false />
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Disable Gatekeeper</string>
    <key>PayloadIdentifier</key>
    <string>com.yourcompany.profile</string>
    <key>PayloadRemovalDisallowed</key>
    <false />
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>SECOND-UUID-HERE</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
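
A review-side check for the profile above, added here as an example and not part of the original gist: it parses an unsigned .mobileconfig with Python's plistlib and reports a com.apple.systempolicy.control payload whose EnableAssessment is false, plus any PayloadUUID still left as a placeholder. The function names and the embedded sample are constructed for illustration; a signed profile would need its signature wrapper removed before parsing.

```python
import plistlib
import uuid

SYSTEM_POLICY = "com.apple.systempolicy.control"

# Constructed sample: same keys as the gist's profile, placeholder UUIDs left in.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.systempolicy.control</string>
<key>PayloadUUID</key><string>FIRST-UUID-HERE</string>
<key>PayloadIdentifier</key><string>com.yourcompany.profile.systempolicy</string>
<key>EnableAssessment</key><false/>
</dict></array>
<key>PayloadIdentifier</key><string>com.yourcompany.profile</string>
<key>PayloadScope</key><string>System</string>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadUUID</key><string>SECOND-UUID-HERE</string>
</dict></plist>"""


def is_uuid(value) -> bool:
    """True when value parses as a UUID (the gist asks for uuidgen output)."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError, AttributeError):
        return False


def audit_profile(raw: bytes) -> list[str]:
    """Return human-readable findings for one unsigned configuration profile."""
    profile = plistlib.loads(raw)  # handles XML and binary plists
    findings = []
    # Check the profile itself and every payload for leftover placeholder UUIDs.
    for item in [profile, *profile.get("PayloadContent", [])]:
        ident = item.get("PayloadIdentifier", "<no identifier>")
        if not is_uuid(item.get("PayloadUUID")):
            findings.append(f"{ident}: PayloadUUID {item.get('PayloadUUID')!r} is not a UUID")
        # EnableAssessment=false in a system policy payload turns Gatekeeper off.
        if item.get("PayloadType") == SYSTEM_POLICY and item.get("EnableAssessment") is False:
            findings.append(f"{ident}: EnableAssessment is false, Gatekeeper assessment is off")
    return findings


if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print(line)
```
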
@Bryceshaw06

Works excellently, thank you!

@frenchcharly

Thank you for this :)

@hockey84db

Do I need to paste this directly into terminal exactly as is? I do not know coding but am trying to get my plugin to work that worked on my m1 mac with my new m4

@ilgam111

Do I need to paste this directly into terminal exactly as is? I do not know coding but am trying to get my plugin to work that worked on my m1 mac with my new m4

Just type in terminal sudo spctl --global-disable

@RalphSutherland

Do you need different UUIDs for each device or can the same mobile profile be used on all my devices?

@ilgam111

Do you need different UUIDs for each device or can the same mobile profile be used on all my devices?

Nothing is needed, just enter in the terminal sudo spctl --global-disable

@inca

inca commented Aug 6, 2025

But it is still not possible to do via CLI/ssh, right? You'd still need to go to System Settings to install the profile?

@ilgam111

ilgam111 commented Aug 6, 2025

But it is still not possible to do via CLI/ssh, right? You'd still need to go to System Settings to install the profile?

If you need to enable the "from any source" function in Mac OS 15.6, enter sudo spctl --global-disable in the terminal, enter the password, go to the privacy settings and the desired item appears there. Select it and press enter. This is as clear as possible. If you can't handle it, you don't need to enable this option, trust me.

@inca

inca commented Aug 6, 2025

A reply to off topic passive-aggressive comment @ilgam111 Are you getting some kind of extra points for these comments?

The spctl --global-disable no longer works starting from Sequoia (15.x) — it even says so in the title:

Starting from macOS 15, sudo spctl --master-disable is no longer supported to disable Gatekeeper.

Why do you insist on pointing people in the wrong direction? Maybe actually try yourself before patronizing others?

The profiles install was is disabled; I'm guessing this is just to steer people towards using paid MDMs 😒

@ilgam111

ilgam111 commented Aug 7, 2025

A reply to off topic passive-aggressive comment
The profiles install was is disabled; I'm guessing this is just to steer people towards using paid MDMs 😒

Boris, I'll write in Russian.
Are you unable to tell the master disable command from the GLOBAL DISABLE command?
The command works perfectly well both on Intel Macs and on Apple silicon processors in Mac OS 15.6.
If you haven't checked whether this command works, why are you trying to prove something to me?! (I really feel like swearing.)
Check it first.
Please don't try to prove the opposite to me.

@inca

inca commented Aug 7, 2025

Are you unable to tell the master disable command from the GLOBAL DISABLE command?

They're exactly the same, and neither works.

image

I feel compelled to apologize to everyone who finds this thread utterly unuseful. Honestly don't know what's @ilgam111's story here.

@ilgam111

ilgam111 commented Aug 7, 2025

All that's left for you to do is select the "From any source" option in the privacy settings
Screenshot 2025-08-07 at 20 51 33

@inca

inca commented Aug 12, 2025

Another round of completely useless conversation

This is exactly what "not working via CLI" means, which is what I was asking about initially. It's clear you're having troubles reading plain text, but screenshots seem to work better on you for some reason, so here goes:

image

Now, as comforting as it is to keep proving things to random people on the Internet — especially to the ones with such impeccable attention to details as you've demonstrated above — I suggest that we steer the conversation into a more constructive manner. Which is: unless you know how to disable Gatekeeper via CLI only (e.g. so that you can provision 300 hosts, say, with Ansible or ssh without having to click buttons in System Preferences), please don't bother me or anyone in this thread.

Thank you very much for your understanding.
