OS X Mountain Lion’s GateKeeper: Bad For Businesses, Great For Consumers [Opinion]

GateKeeper is one of the big new features in Mountain Lion. It’s designed to protect against malware by limiting what kinds of software get installed on your Mac. GateKeeper offers Mac users three levels of security: Mac App Store purchases (which have been fully vetted by Apple), Developer ID apps purchased outside the Mac App Store that are digitally signed so your Mac can verify their authenticity via Apple, and apps from all other sources.

The GateKeeper model looks great from the perspective of an individual user or family – easy to understand and use while being fairly effective at leveraging Apple’s developer program as a security solution. How it will stack up in business and enterprise environments, where mass deployments are commonplace, may be a different story.

The Mac App Store as a whole can be a challenging proposition for IT departments to handle because, like the iOS App Store, it’s based around the concept of individual users and Apple IDs. Unlike the iOS App Store, however, the Mac App Store doesn’t currently offer a volume purchase plan – something that may change with the release of Mountain Lion.

Volume purchasing aside, the Mac App Store also presents challenges when it comes to updates for the same reason – it takes an iOS-like individual-centered approach rather than the traditional software update model for business, which is to centralize updates and push them out to computers. That approach offers the ability to vet updates before pushing them out and it ensures all computers are updated consistently. It also streamlines things for users because they don’t need to be involved in the process.

GateKeeper’s middle option, signed applications distributed outside the Mac App Store, looks like a good middle-of-the-road model. It still allows IT to be the central player in app purchasing, distribution, and updates but it also offers some security.

Despite that, I don’t see many organizations using GateKeeper unless Apple provides backend functionality to it that hasn’t been announced (which is completely possible). Deploying apps using current methods (monolithic imaging or package-based installations) will simply be easier to manage outside of the GateKeeper paradigm. If businesses follow standard anti-malware practices, which include not giving users administrative access to workstations as well as using anti-malware tools, they simply shouldn’t have a need for GateKeeper’s approach to security.

The exception to that rule may be employee-owned Macs brought in as part of a BYOD program or businesses that have minimal Mac populations where it may be simplest to let the one or two Mac users handle their devices almost as personally owned machines.