Of the Mountain Lion announcements, Gatekeeper has been one of the most discussed. Apple has touted OS X as being a safer, more secure environment than Windows, offering its customers a relatively malware-free experience. In the early days this was often discounted by saying that OS X wasn't a likely target for malware simply because no one used it. Today Apple claims to have a Mac installed base of 63 million users. While there are far more Windows users, that's not an insignificant number. And it's growing.

As the likelihood for significant malware targeting OS X increases, Apple must do whatever it can to maintain its pristine image. In a sense, Apple made its bed by promising a more secure, virus/malware-free experience, and now it has to sleep in it. It's not a bad thing, but it's something that is going to require a lot of work.

The easiest and most obvious solution to the problem is the Mac App Store. Every app distributed through the Mac App Store is certified by Apple and thus no malware/viruses should ever make their way to a customer's Mac if they only run apps from the Store. That's a step in the wrong direction unfortunately. Companies like Adobe and Microsoft don't make their applications available in the Mac App Store (paying Apple 30% for every copy of Photoshop sold seems unlikely to happen), not to mention the tons of useful open source or other programs that aren't distributed through the MAS. While the iPhone can sell just fine as a platform that's more of an appliance, Macs (at least today) cannot.

The alternative is to heavily warn users that what they're running isn't exactly safe but allow applications, regardless of origin, to be run. This is what's done today in Lion. The first time you run an application that you downloaded you'll get a message that looks like this:

It's the everlasting debate between freedom and security. Give up one to get the other, but what's the right balance?

The compromise in Mountain Lion comes in the form of a tool called Gatekeeper. An innocuous little radio selection in the Security preference pane, Gatekeeper lets you choose what applications can be run on your Mac.

You can choose to only allow applications from the Mac App Store, allow all (the two extremes we discussed above) or pick an in-between option: allow anything downloaded from the MAS or anything by an identified developer.

This in-between setting is the compromise.

If a developer joins the Mac developer program ($99/year) it can become an officially identified developer with Apple. The developer can then sign its applications with a unique cryptographic key that Apple recognizes, without requiring that the apps be distributed through the Mac App Store. Unlike the Mac App Store, there's no approval process that the developer's signed apps need to go through. There's only one stipulation that goes along with the identified developer label: the apps distributed with that key cannot be malware.

Apps from identified developers will communicate with Apple's servers to verify the digital signature is intact and correct only upon install or the first run of the application. Subsequent runs do not phone home and there's no remote kill switch for these applications. Should Apple find out that a developer has been distributing malware Apple can revoke the developer's key, but that would only render those apps that have yet to be installed/run from working. Without a certification process for non-MAS apps there's still a degree of risk associated with this compromise. I don't believe the ideal solution is to force everyone to buy through the MAS, but Gatekeeper's compromise isn't an impervious solution.

Apple tells us the default Gatekeeper setting in Mountain Lion will be to allow apps from the Mac App Store or from identified developers to run. Hopefully by the time Mountain Lion ships many third party developers will be on-board and identified making the transition mostly seamless. If you don't change the default Gatekeeper setting there's another way around the protection: simply control-click (or right click) on the app you're trying to run and select open. Doing so will override the Gatekeeper setting and let you run an unsigned app.

General Impressions & New Safari Software Updates & Moving Toward the Mac App Store
Comments Locked


View All Comments

  • macuser2134 - Monday, February 20, 2012 - link

    I have an important question about the Text-to-speech synthesizer that is included with OS X. Have they given it an independent volume control?

    This is coming from someone who is still on Snow Leopard. Whenever any 3rd party application invokes this feature - its always extremely lound at 100% the maximum volume. So unfortunately it never gets used for anything. But its such a great feature.
  • chemist1 - Tuesday, February 21, 2012 - link

    My two principal concerns with the accelerated (yearly) release schedule are:

    1) In my experience, it takes nearly a year before each OSX release becomes fully useable -- i.e., it takes nearly a year before all my apps are updated, by the developers, to be *completely* compatible with the new OS (some of these are smaller developers with more limited resources), and likewise nearly a year before most of the bugs in the OS itself are worked out. So with the annual release schedule we lose that "sweet spot" second year when things are basically working well, and the OS and app developers can continue to refine and improve. Instead, all the focus will be redirected towards the new OS.

    2) Consider the case of expensive software like Adobe CS. Typically, a given version of Adobe CS is good for the current Mac OS and the next two or so (=> about six years when releases are biannual) before one starts to run into compatibility issues and thus needs to upgrade. With releases coming out annually, might this not cut the longevity of such software in half? Indeed, wouldn't this be a problem for your apps generally?
  • MobiusStrip - Tuesday, February 21, 2012 - link

    "The Mountain Lion Finder, along with Lion additions... are at this point largely identical to their Lion counterparts."

    Apple's failure to fix this pathetic piece of garbage they call Finder is just disrespectful to their users at this point. If there is a single foil for all of the breathless fawning over Apple's mythical design "elegance", Finder is it.

    When you have a file browser that can't even sort its contents properly (with FOLDERS AT THE TOP), start searches in the selected folder, create subfolders in the selected folder, or present search results that show you WHERE each hit is... you have a failure.

    Whatever happened to the much-ballyhooed "rewrite" of Finder for SnowLeopard (or was it Leopard)?
  • repoman27 - Wednesday, February 22, 2012 - link

    I recognize that you're just trolling, and you don't appear to be a Mac user, but you do realize that the Finder already can do all of the things you listed? If you haven't been able to figure out how to do these things, the failure would seem to be a personal one and not on the part of the Finder.

    You seem very angry at Apple. Has Apple or its fans hurt you personally in some way?
  • Shinobi_III - Wednesday, February 22, 2012 - link

    Since forever, Mac OS has looked exactly the same..
    And now a new OS version every year, for 100 bucks or whatnot?

    These are basically just service packs, why is anyone even getting excited?

    BTW, did they add cut/paste yet? lol
  • snouter - Thursday, February 23, 2012 - link

    Apple will need to push/encourage 3rd parties to keep up with them.

    Adobe is notorious for taking their time with updates to newer Mac OSes.

    Canon, only a few weeks ago released EOS Utility for Lion.

    My Girlfriend bought some new $100 Samsung laser printer. No Lion drivers. I use dropbox to move files to my Windows computer so I can print them in 2012! There are CUPS hacks and stuff, but, meh.

    So with Mountain Lion on the way, will Adobe CS6 be ready? Will I have to go a year waiting for Canon to upgrade EOS Utility? I guess in 2012, I can just forget about printing, lol.

Log in

Don't have an account? Sign up now