This document describes how to enable installation of applications from sources other than the Mac App Store on macOS.
Background:
App Store and identified developers: Select to allow apps only from the App Store, and from developers identified by Apple. System software blocked. If you recently installed new software, it may attempt to load system extensions. Click Allow to load system extensions from the developer of the software. The default System Preferences are configured for typical use but are not ideal for external audio devices and DAW software. You will need to change a few System Preferences to optimize the Mac and improve your music production experience.
Mac App Store and identified developers: When you try to open a new app and it’s not on the list of identified developers that’s saved within the operating system, the Mac tells you it can’t. Aug 02, 2012 On the prompt that appears, click Allow From Anywhere. Note: In Max OSX 10.12 Sierra and 10.13 High Sierra, the 'Anywhere' option does not appear. In these cases you will need to follow the instructions below for manually launching the application. Exit System Preferences by clicking the red button in the upper left of the window. Oct 13, 2017 The difference in my situation is that the Allow button (for the extension) is there, but clicking it did nothing. The message, regarding the blocked Vmware extension is still displayed. I also did a restore of High Sierra, have uninstalled VMware 10.0.1 (and remove all preferences and cache files) and reinstalled several times.
By default, Mac OS only allows users to install applications from 'verified sources.' In effect, this means that users are unable to install most applications downloaded from the internet or stored on physical media without receiving the error message below:
Users can follow the directions below to prevent this error message from appearing in one of two ways:
- Changing Gatekeeper's settings (10.8.x / 10.9.x / 10.10.x / 10.11.x)—this is useful for users who download a lot of programs that are not from 'verified sources.'
- Changing Gatekeeper's settings (10.12.x / 10.13.x)—the same steps as above, but for Mac's Sierra and High Sierra OS
- Manually allowing individual applications to launch—this is the best method for users who do not want to change the global setting to allow all applications to run.
For more information about this message, please visit Apple's KB article on the topic: http://support.apple.com/kb/HT5290.
Change Gatekeeper Settings (10.8.x / 10.9.x / 10.10.x / 10.11.x):
Open the System Preferences. This can be done by either clicking on the System Preferences icon in the Dock or by going to Apple Menu > System Preferences.
Open the Security & Privacy pane by clicking Security & Privacy.
Make sure that the General tab is selected. Click the icon labeled Click the lock to make changes.
Enter your username and password into the prompt that appears and click Unlock.
Under the section labeled Allow applications downloaded from:, select Anywhere. On the prompt that appears, click Allow From Anywhere.
Note: In Max OSX 10.12 Sierra and 10.13 High Sierra, the 'Anywhere' option does not appear. In these cases you will need to follow the instructions below for manually launching the application
Exit System Preferences by clicking the red button in the upper left of the window. You should now be able to install applications downloaded from the internet.
To Manually Launch Application:
While holding down the control key on your keyboard, click the application's icon once to make a dropdown menu appear.
Select Open from the menu. A new window will appear.
Click Open in that window to launch the application. You should only need to do this once per application, on the first launch. After that, you'll be able to launch the application any way you like.
Change Gatekeeper Settings (10.12.x / 10.13.x):
- For OSX Sierra, we recommend consulting Apple's documentation at the following link: macOS Sierra: Open an app from an unidentified developer
Are you the designated IT person for your family, or maybe for your small business? If you are, then perhaps you’re getting a bit tired of everyone asking you to provide your administrator name and password every time a printer jams, an app needs updating, or Time Machine throws an error code.
The Mac has a pretty straightforward model for assigning privileges to a user’s account, and in many cases, only the administrator has the right to stop, start, or pause services, such as pausing the print server when a printer jams. Only a user with administrator privileges can get the print server running again.
(The print server always seems to enter a paused state when an administrator isn’t around to kick start it.)If you’re tired of running over to a user’s Mac just to enter a password so the print server can restart after a paper jam, then you may be thinking it’s time to give everyone admin privileges. And believe it or not, that may be a valid solution to the problem, depending on the competence and trustworthiness of your users.
It is, in fact, the method we use; all users at our home and office are set up as administrators, relieving us of the more mundane tasks of Mac administration. But if you’re inclined to use the standard, managed, and administrator user models to ensure a bit tighter security, then this tip can help you keep your personal workload low, while allowing other users to perform routine tasks, such as resetting printers, without needing the local overlord to make an appearance.
Mac User Accounts
The first account created during the original setup of your Mac is an administrator account that includes elevated privilege levels that allow the account holder to manage the basic system. The Mac’s administrator account isn’t an all-powerful tyrant; it has a number of restrictions, including the inability to access another user’s data. It does, however, have power over all of the Mac’s system preferences, including the ability to add new apps, add new users, assign user groups, manage parental controls, set up accessibility options, and manage printers. You get the idea. If there’s a system preference pane for a service, users holding an administrator account can make changes as they see fit.
While the administrator is one type of account, the Mac OS supports additional types, including:
Standard: Standard user accounts can install apps and change settings that affect only their own accounts. So, standard users can pick their own desktop wallpaper, customize the Dock, and set their own preference for how a mouse or track pad works. They can’t add or delete users, or change settings that would affect anyone else.
Managed: Managed users are bound by the restrictions set up by Parental Controls. With Parental Controls, you can restrict the apps available, the websites that can be visited, and the contacts available to the user through various apps, such as Messages and Mail. Managed users can also have usage restrictions based on time, to ensure kids aren’t using their Macs when they should be sleeping.
Sharing Only: Allows users to log in remotely and access their own files. It doesn’t allow general access to the Mac, or the ability to change any settings.
Guest: Guest user accounts are for visiting family, friends, or clients who may need to use your Mac for a brief time, perhaps to check messages or access a website. All of a guest user’s data stored on the Mac is deleted automatically when the user signs out.
Add Additional Administrators
One method to help resolve the burden of administration is to spread the task around, allowing other trusted users to share the work. In general, this is a good idea; having a single administrator can cause problems if the administrator isn’t available when some task comes up that needs the admin password.
Mac System Preferences Allow Apps
The first step is to use the Mac OS Users & Groups preference pane to change the account type for the selected individual. In this example, you can change a standard user to an administrator.
Of course, you must already be an administrator for this to work.
If you’re not currently logged in to your administrator account, log out, and then log back in with the appropriate account.
Launch System Preferences by clicking its Dock icon, or by selecting System Preferences from the Apple menu.
In the System Preferences window, open the Users & Groups preference pane.
Click the padlock icon in the lower left corner, and then enter your administrator password. Click the Unlock button.
Select the user account you wish to elevate to an administrator account from the sidebar list.
Place a checkmark in the “Allow user to administer this computer” box.
Note: If the account you wish to elevate is a managed user account, all parental control settings will be removed when the user is elevated to an administrator account.
Provide Admin Privileges for Specific Tasks
A slightly different approach is to provide admin-like capabilities to standard users, but restrict them to certain tasks. This is the way we fixed one of our headaches: clearing printer jams that cause the print server to pause. By giving all standard users admin rights to the Printer preference pane and print server, they can be their own printer administrator.
This same concept of limited administrator rights works for a number of system preference panes, including:
- Printers & Scanners
- Date & Time
- Energy Saver
- Startup Disk
- Time Machine
- Network
The Mac OS doesn’t currently have a method to selectively apply administrator privileges using the GUI, but there are a number of ways to elevate user privileges using the Terminal app. In this example, we’re going to raise the privilege levels of every user (except the guest account) to manage the printer system. This same technique can be used for any of the preference panes listed above.
This method should work for any Mac running OS X Mavericks or later. It makes use of the authorization database that Apple introduced with Mavericks. This database is used to control the access rights for many different processes, such as printing, Time Machine, and networking. You’ll need to be logged in with your administrator account to make these changes.
The process works by exporting the preference’s rules to a temporary property list file, then using the default write command to make changes to the file, and finally, reimporting the altered rights list back into the authorization database. This means you’ll need to execute three Terminal commands for each preference pane to which you wish to give non-admin access.
Before you make changes to the authorization database, it’s a good idea to create a current backup of your Mac. Errors in making changes to the database can produce unexpected results; a current backup will let you recover to a known good state.
If you’re ready, let’s begin:
Launch Terminal, located at /Applications/Utilities.
The following three commands allow general access to the System Preferences. They do not, however, give unrestricted access to every individual preference pane; it’s just the first step in the process.
(The security command responds with YES or NO if the security change can be implemented.)Enter the following at the Terminal prompt. After each line is entered, hit Return or Enter on your keyboard.
Note: Each command is a single line of text, but your browser may show them as multiple lines. You can copy/paste each line for easy entry into Terminal.
/usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
/usr/bin/defaults write /tmp/system.preferences.plist group everyone
/usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
Note: After the first and third lines are executed, Terminal will respond with the word YES if the command was carried out successfully or NO if there was a problem.
To enable anyone to access the printer preferences as well as the print server, enter the following three lines:
/usr/bin/security authorizationdb read system.preferences.printing > /tmp/system.preferences.printing.plist
/usr/bin/defaults write /tmp/system.preferences.printing.plist group everyone
/usr/bin/security authorizationdb write system.preferences.printing < /tmp/system.preferences.printing.plist
The print server on your Mac uses its own special group to control access, so we need to enter the following command in Terminal:
/usr/sbin/dseditgroup -o edit -n /Local/Default -a “everyone” -t group lpadmin
The above example should allow anyone to manage printer issues that may come up, with one caveat: depending on the version of the Mac OS you’re using, an administrator account may still be needed to add printers.
(After entering the Terminal commands above, the Printer & Scanner preference pane is unlocked for all users.)If you would like to add non-admin access to other preference panes that are usually restricted to an administrator, you should only need to change the word “printing” in the above example to the name of the appropriate preference pane. For instance, to allow everyone to access the Time Machine preference pane, the three commands would be changed to:
/usr/bin/security authorizationdb read system.preferences.timemachine > /tmp/system.preferences.printing.plist
/usr/bin/defaults write /tmp/system.preferences.timemachine.plist group everyone
/usr/bin/security authorizationdb write system.preferences.timemachine < /tmp/system.preferences.timemachine.plist
When granting access to a preference pane, the name you need to use in the Terminal commands is usually easy enough to figure out; in the example above, the Time Machine preference pane becomes just timemachine with no spaces or capitalization.
The general rule for guessing the preference pane’s name in the authorization database is to remove any spaces in the name, provide the name in all lowercase, and remove the word “and” if present in the name.
Additional references: Security command, authorizationdb, defaults
Be Sociable, Share This!
Mac System Preferences Shortcut
OWC is on-site wind turbine powered at 8 Galaxy Way, Woodstock, IL 60098 | 1-800-275-4576 | +1-815-338-8685 (International)
All Rights Reserved, Copyright 2018, OWC – Since 1988