This manual page is for Mac OS X version 10.9

SPCTL(8)                  BSD System Manager's Manual                 SPCTL(8)

NAME
     spctl -- SecAssessment system policy security

SYNOPSIS
     spctl --assess [-t type] [-] file ...
     spctl --master-enable | --master-disable
     spctl --enable | --disable | --remove [-t type] [--path path] [--requirement requirement]
           [--anchor hash] [--hash hash]
     spctl --status

DESCRIPTION
     spctl manages the security assessment policy subsystem.

     This subsystem maintains and evaluates rules that determine whether the system allows the installation,
     execution, and other operations on files on the system.

     spctl requires one command option that determines its principal operation:

     --add    Add rule(s) to the system-wide assessment rule database.

     -a, --assess
              Requests that spctl perform an assessment on the files given.

     --disable
              Disable one or more rules in the assessment rule database.  Disabled rules are not considered
              when performing assessment, but remain in the database and can be re-enabled later.

     --enable Enable rule(s) in the assessment rule database, counteracting earlier disabling.

     --master-disable
              Disable the assessment subsystem altogether.  Operations that would be denied by system policy
              will be allowed to proceed; assessment APIs always report success.  Requires root access.

     --master-enable
              Enable the assessment subsystem.  Operations that are denied by system policy will fail;
              assessment APIs report the truth.  Requires root access.

     --remove Remove rule(s) from the assessment rule database.

     --status Query whether the assessment subsystem is enabled or disabled.

     In addition, the following options are recognized:

     --anchor In rule update operations, indicates that the arguments are hashes of anchor certificates.

     --continue
              If the assessment of a file fails, continue assessing additional file arguments.  Without this
              option, the first failed assessment terminates operation.

     --hash   In rule update operations, indicates that the arguments are code directory hashes.

     --ignore-cache
              Do not query or use the assessment object cache.  This may significantly slow down operation.
              Newly generated assessments may still be stored in the cache.

     --label label
              Specifies a string label to attach to new rules, or find in existing rules.  Labels are
              arbitrary strings that are assigned by convention.  Rule labels are optional.

     --no-cache
              Do not place the outcome of any assessments into the assessment object cache.  No other
              assessment may reuse this outcome.  This option does not prohibit the use of existing cache

     --path   In rule update operations, indicates that the argument(s) denote paths to files on disk.

     --priority priority
              In rule update operations, specifies the priority of the rule(s) created or changed.
              Priorities are floating-point numbers.  Higher numeric values indicate higher priority.

     --raw    When displaying the outcome of an assessment, write it as a "raw" XML plist instead of parsing
              it in somewhat more friendly form.  This is useful when used in scripts, or to access newly
              invented assessment aspects that spctl does not yet know about.

     --requirement
              In rule update operations, indicates that the argument(s) are code requirement source.

     --rule   In rule update operations, indicates that the argument(s) are the index numbers of existing

     -t, --type
              Specify which type of assessment is desired: execute to assess code execution, install to
              assess installation of an installer package, and open to assess the opening of documents.  The
              default is to assess execution.

     -v, --verbose
              Requests more verbose output.  Repeat the option or give it a higher numeric value to increase

     The system assessment rule database contains entries that match candidates based on Code Requirements.
     spctl allows you to specify these requirements directly using the --requirement option.  In addition,
     individual programs on disk can be addressed with the --path option (which uses their Designated
     Requirement).  The --anchor option takes the hash of a (full) certificate and turns it into a
     requirement matching any signature based on that anchor certificate.  Alternatively, it can take the
     absolute path of a certificate file on disk, containing the DER form of an anchor certificate.
     Finally, the --hash option generates a code requirement that denotes only and exactly one program
     whose CodeDirectory hash is given.  The means of specifying subjects does not affect the remaining
     processing.

FILES
     /var/db/SystemPolicy  The system policy database.
                           A copy of the initial distribution version of the system policy database.  Useful
                           for starting over if the database gets messed up beyond recognition.

EXAMPLES
     To check whether is allowed to run on the local system:
           spctl -a /Applications/

     To allow to run on the local system:
           spctl --add --label "My Stuff" /Applications/

     To forbid all code obtained from the Mac App Store from running:
           spctl --disable --label "Mac App Store"

DIAGNOSTICS
     spctl exits zero on success, or one if an operation has failed.  Exit code two indicates unrecognized
     or unsuitable arguments.  If an assessment operation results in denial but no other problem has
     occurred, the exit code is three.
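
     A script that gates on spctl should tell a policy denial (exit code three) apart from an
     operational failure, and should confirm that the subsystem is enabled, because a disabled
     subsystem reports success for every assessment.  The following is an added example, not part of
     the original manual page; the SPCTL override variable, the function names, the return code 4 and
     the --status output text "assessments enabled" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the manual page.
# SPCTL can be overridden so the logic can be exercised with a stub.
SPCTL=${SPCTL:-spctl}

# Translate the exit codes documented in this manual page into a verdict.
spctl_verdict() {
    case "$1" in
        0) echo accepted ;;
        3) echo denied ;;       # denial, no other problem occurred
        2) echo usage-error ;;  # unrecognized or unsuitable arguments
        *) echo failed ;;       # 1: the operation itself failed
    esac
}

# With the subsystem disabled every assessment reports success, so a
# passing result proves nothing. Assumption: --status prints
# "assessments enabled" when the subsystem is on.
policy_enabled() {
    "$SPCTL" --status 2>&1 | grep -q 'assessments enabled'
}

# assess_all KIND FILE...  (KIND is execute, install or open)
# Prints "verdict<TAB>path" per file. Returns 0 if all were accepted,
# 1 if any was not, and 4 (this script's own code) if policy is off.
assess_all() {
    kind=$1; shift
    policy_enabled || { echo "assessments are not enabled" >&2; return 4; }
    worst=0
    for f in "$@"; do
        rc=0
        "$SPCTL" --assess -t "$kind" "$f" >/dev/null 2>&1 || rc=$?
        printf '%s\t%s\n' "$(spctl_verdict "$rc")" "$f"
        [ "$rc" -eq 0 ] || worst=1
    done
    return "$worst"
}

if [ "$#" -gt 0 ]; then
    assess_all execute "$@"
fi
```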

SEE ALSO
     codesign(1), syspolicyd(1)

HISTORY
     The system policy facility and spctl command first appeared in Mac OS X Lion 10.7.3 as a limited
     developer preview.

BSD                            January 19, 2012                            BSD
