Unquarantine Mac Apps

On every Mac I manage – including my personal Mac I’m using right now – I use https://brew.sh to manage my installed apps. But – there’s one thing I truly despise – and that is running brew as my logged-in, low-privilege, non-sudo user. So I run brew as a different, privileged user. (And – of course – you run the same?)

Oh wait – “brew is not supported in a multi-user mode! It could break any INSTANT!”. Yes, I’ve actually read that comment from other ‘professionals.’ (ahem…) What a bunch of FUD. Please – pay no attention to the naysayers – I’ve run brew as a separate privileged user to manage a whole lab of Macs. For many years. With almost zero problems. (Yes there are a few – but very few – problems. To be covered in more detail later.) And the benefits? Too many to state, but here are just a few:

  • Maintainability: You can automate Mac setup and run brew as a domain user with updates occurring on a timer.
  • Security: Because brew updates occur from a common source, you can modify the script to determine safe vs. unsafe updates. Additionally – you can check for unauthorized software (in a corporate environment) and flag / report this software.
  • “No Knobs:” I remember this fraudulent Computer Security Maven (no names) preaching back in 2002 about the bliss of not permitting users to have any insight or direct control over application operations. Pure nonsense, of course, but in controlled situations not a completely losing idea. Especially with a centrally-managed software package update solution, as long as (to quote our Beloved US VP in 2021) “Ze Plan” actually works then hiding the guts of package updates without requiring any input from the end-user makes a lot of sense.

One problem is that brew casks installed as the separate user continuously prompt the user with “Unsafe program downloaded from Internet – Do you want to open?”, which of course is meaningless to the user. And since the “unquarantine” only applies if *the current user* is the same user who ran brew to install the cask – the problem Never Goes Away. So I want to fix that problem – and here is how.

I use Chef to manage all of my Macs – so one of the steps is to install all the required casks, and then another is to run the script to unquarantine those casks. And for you, dear reader, here is that awesome script. Enjoy!

Update for 2021: Ya know, scripts tend to break over time (“good for 2000 runs or 5000K ‘if’ statements – whichever comes first”) and this management script is no exception. Here’s an idea! I’ll give you the link to the git repository where I keep my current, guaranteed-running version (because I use it myself All The Time).

Here’s the link: https://github.com/andybrucenet/lcl-bins/blob/03382827792ddf0f9de1d40394d847447f362d89/lcl-disable-brew-quarantine-bit.sh

Let’s give a few notes before I move on to my next project 😉

  • One problem I ran into when deploying this script from Chef was that I wanted to use ERB so I could do substitutions if I ever needed to. But my regex failed because the Chef parser kept killing my \1 replacement references in the script. So I have a trick or two to fool the Chef ruby parser. Just look for the comment about “…work directly in chef scripts.”
  • Not every app will have an actual app_path I can deterministically identify. Here’s an actual output:
      $ ~/bin/lcl-disable-brew-quarantine-bit.sh
      Enter password for 'none-of-your-beeswax' when prompted...
      Password: [and-you-gotta-enter-password...]
      Unquarantine docker: Password: OK
      Unquarantine firefox: OK
      Unquarantine gimp: OK
      Unquarantine google-chrome: OK
      Unquarantine idrive: empty the_app_path
      [...]
    Thus far I haven’t found this to be a problem – all the applications that my users *can* open interactively are properly unquarantined.
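As an added example (not the author’s script, which lives at the link above), here is a Python sketch of the same approach: it reads each cask’s app artifact from `brew info --cask --json=v2`, checks whether the bundle still carries the `com.apple.quarantine` attribute, and strips it recursively as the brew user via `sudo -u`, since that user owns the files. The brew account name `brewadmin` and the embedded sample JSON are constructed for illustration; casks with no app artifact are reported as “empty the_app_path” instead of failing.

```python
#!/usr/bin/env python3
import json
import subprocess
from pathlib import Path

QUARANTINE_XATTR = "com.apple.quarantine"
BREW_USER = "brewadmin"  # hypothetical: the privileged account that runs brew
# Constructed sample of `brew info --cask --json=v2 firefox idrive` output (trimmed):
SAMPLE_BREW_INFO = ('{"casks":[{"token":"firefox","artifacts":[{"app":["Firefox.app"]}]},'
                    '{"token":"idrive","artifacts":[{"pkg":["IDrive.pkg"]}]}]}')

def cask_app_paths(brew_info_json, appdir="/Applications"):
    """Map cask token -> .app paths from `brew info --cask --json=v2` output. Casks with
    no 'app' artifact (pkg installers, fonts, ...) map to [] so callers can report them."""
    paths = {}
    for cask in json.loads(brew_info_json).get("casks", []):
        apps = []
        for artifact in cask.get("artifacts", []):
            # plain names only; dict entries (e.g. target renames) are skipped here
            apps += [Path(appdir, a) for a in artifact.get("app", []) if isinstance(a, str)]
        paths[cask["token"]] = apps
    return paths

def is_quarantined(app_path):
    """True if the bundle still carries the quarantine attribute (xattr -p exits 0)."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, str(app_path)],
                          capture_output=True, text=True)
    return proc.returncode == 0

def clear_quarantine(app_path, brew_user=BREW_USER):
    """Strip the attribute from the whole bundle as the owning brew user via sudo -u."""
    cmd = ["sudo", "-u", brew_user, "xattr", "-r", "-d", QUARANTINE_XATTR, str(app_path)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return "OK" if proc.returncode == 0 else "failed: " + proc.stderr.strip()

def unquarantine_all(token_paths, quarantined=is_quarantined, clear=clear_quarantine):
    """One 'Unquarantine <token>: <status>' line per cask, mirroring the author's output."""
    lines = []
    for token, apps in token_paths.items():
        if not apps:
            lines.append(f"Unquarantine {token}: empty the_app_path")
            continue
        status = [clear(p) if quarantined(p) else "already clear" for p in apps]
        lines.append(f"Unquarantine {token}: " + ", ".join(status))
    return lines

if __name__ == "__main__":  # live run: list installed casks, then fix each bundle
    tokens = subprocess.check_output(["brew", "list", "--cask"], text=True).split()
    info = subprocess.check_output(["brew", "info", "--cask", "--json=v2", *tokens], text=True)
    print("\n".join(unquarantine_all(cask_app_paths(info))))
```

Run it as the low-privilege desktop user; sudo will prompt for the brew user’s credentials once per bundle unless the sudoers policy allows it without a password.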

Happy Computing!
