In macOS Sequoia, Apple has added another stumbling block to launching software that has not gone through Apple’s baseline vetting process for apps. Generally, this can be a good thing, preventing naive users from accidentally installing malware or privacy-invading software. However, for users who rely on software created by people who don’t work within the lines painted by Apple and its App Store, here’s what you need to know.
The Gatekeeper feature in macOS is something you never see called by that name. It’s designed to ensure that only certain apps can run on your Mac, even though macOS can execute any correctly constructed software for the platform. The only visible control is in System Settings > Privacy & Security > Security, where you can choose one of two options from the “Allow applications from” menu: App Store, or App Store & Known Developers. (See: How to open a Mac app from an unidentified developer). You used to be able to override Gatekeeper by pressing Control-click while opening an app, but that has been disabled.
There’s a third category that Apple eliminated from this list in macOS years ago. (The menu used to appear as radio buttons in a different System Preferences pane.) Those are apps where the programmer chose not to pay the annual fee for an Apple Developer account, or they have such an account but didn’t run the app through a vetting system Apple uses that’s a big step below the App Store’s review process.
When a developer submits an app to an App Store, Apple uses a combination of automatic and human review to ensure that the app doesn’t contain malware (written by the developer or included in software code from third parties) and that it more or less does what it says it does without being misleading. That process is full of human error and inconsistencies, but it has mostly led to safe apps in the App Store, even if some are scammy in their pricing intent or misleading about how useful they are.
Mac developers who want to release their software directly, either bypassing the App Store or having a separate version, can choose a less-intensive pathway. Apple issues every developer a unique digital certificate (a bundle of cryptographic information). A developer creates their app and “signs” it with the certificate, which ensures it can’t be modified later, as the signature can be checked. The developer submits the app to Apple for “notarization,” a term Apple uses to cover scanning the app for malware and any signing or other technical issues. If it passes, Apple attaches its own imprimatur to the app and adds an online record that can be checked by macOS. When a notarized app is launched and cross-checked with Apple’s online records, it meets the criteria for being from a Known Developer and—if your Mac is set to App Store & Known Developers—it launches, though with a warning about being downloaded from the Internet. (Notarization was optional at one point, made mandatory in 2020; all apps released since then that aren’t notarized can’t launch without the next steps.)
Some developers prefer not to engage in that step. They don’t want to pay the annual developer fee, have Apple scan their code, or don’t want Apple to have a say-so on whether their software can run. I’ve found fewer over the years, but they still exist and generally come from specialized academic and research fields. They can still launch on your Mac, with the steps below.
Sequoia has no Finder bypass for unsigned apps—click Done.
Foundry
In System Settings, you can choose to open an unsigned app despite Apple’s warning.
Foundry
Here’s what to do to launch such an app in Sequoia:
- Double-click the app.
- You’re warned that the app may contain malware or compromise your privacy. The only options are Done and Move To Trash. Click Done.
- Open System Settings > Privacy & Security.
- At the bottom of the settings list, you should see a message like “‘App name’ was blocked to protect your Mac.” If you want to open it, click Open Anyway.
I urge you to continue to exercise a high level of vigilance around unsigned and unnotarized apps as you entirely rely on the developer to protect your security and privacy. However, few apps like that have enough reach that any malware practitioner would have an interest in exploiting a weakness.
If you can’t open the apps you need in Sequoia you can revert back, read: How to downgrade macOS Sequoia to Sonoma.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered; we don’t reply to emails, and we cannot provide direct troubleshooting advice.
Author: Glenn Fleishman, Contributor, Macworld
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.