Should You Allow Only App Store Apps on Mac? An Honest Take

macOS lets you restrict installs to App Store apps only. Here's what you gain, what you lose, and who should actually use that setting.

Macs ship with a privacy and security setting under System Settings → Privacy & Security called “Allow applications downloaded from.” For years it had three options: App Store, App Store and identified developers, and Anywhere. Recent macOS versions removed the third option from the visible UI, leaving two. But the underlying choice — whether to restrict to App Store apps only — remains.

Here’s what each setting actually does, what you give up at each level, and who should pick which.

What “App Store only” actually does

When set to App Store, Gatekeeper will only allow apps that came from the Mac App Store to launch. Specifically:

  • Apps installed via the Mac App Store run normally
  • Apps you’ve directly downloaded won’t open without bypassing the setting
  • Apps you copy from another Mac won’t open
  • Apps from .dmg files you downloaded won’t open
  • Apps from package installers (.pkg) generally won’t run

You can still bypass for a specific app:

  1. Try to open the app — Gatekeeper blocks it with an error
  2. System Settings → Privacy & Security, scroll to the bottom
  3. Click “Open Anyway” for the specific app

This is a per-app override, not a setting change. The Gatekeeper restriction stays at App Store-only; you’ve just made one exception.

What you gain

The benefits of App Store-only:

  1. Sandbox enforcement. Every Mac App Store app is sandboxed by default. Their file system reach is constrained to declared paths. Their network egress is constrained to declared endpoints. They can’t quietly install background services or launch agents.

  2. App Store review. Apple reviews each app submission. Reviews aren’t perfect, but they catch obvious malware, policy violations, and misuse of APIs.

  3. Uniform privacy disclosures. Every App Store app has a Privacy Disclosure on its listing — what data it collects, what data is linked to you, what’s used for tracking. Direct-download apps have no equivalent requirement.

  4. Centralized updates. Updates go through the App Store, signed by Apple. No risk of a developer’s update server being compromised and pushing tampered binaries.

  5. Easy clean uninstall. Delete from Launchpad, and most associated files go with it (sandbox containers especially are cleanly removed).

For a non-technical user, this list is genuinely valuable. The privacy and security baseline is high.

What you lose

The costs of App Store-only:

  1. Most pro tools aren’t there. Nearly every popular developer tool, CLI utility, or power-user app lives outside the App Store. You can’t install Homebrew without bypassing. You can’t install most IDEs (VS Code, JetBrains, etc.). You can’t install most window managers or launchers (Rectangle, Raycast, Alfred all live outside).

  2. Sandbox restrictions cost features. Even for apps that have both an App Store version and a direct-download version, the App Store version is often less capable because the sandbox prohibits things like global hotkeys, deep filesystem reach, or remote desktop control.

  3. Some apps don’t have App Store versions at all. Many specialty tools (Figma desktop, Adobe apps, Notion, certain VPNs, certain terminal emulators) only ship outside the App Store.

  4. Slower update cadence sometimes. Some developers maintain their direct-download version more actively than their App Store version, treating App Store as a slower release channel.

So the trade-off is real: lower attack surface, narrower app selection.

Who should pick “App Store only”

The strongest case for App Store-only:

  • A Mac for a kid or a teenager
  • A Mac for a parent or grandparent who’ll only use a handful of apps
  • A Mac for a spouse who hates dealing with security warnings
  • A locked-down work device where IT enforces it
  • A second Mac you want extra-safe (e.g., banking-only)

For these, the lower attack surface is worth more than the missing apps. Most of what people actually use day-to-day — Apple’s apps, Microsoft 365 apps, Spotify, Slack, Zoom, common chat apps, Things, Day One, Pages/Numbers/Keynote, GarageBand, iMovie — is on the App Store. The gaps mostly hit power users.

Who shouldn’t

If you’re:

  • A developer
  • Someone who uses a window manager
  • Someone who needs Homebrew or other package managers
  • Someone who uses Adobe or specialty creative software with no App Store version
  • Anyone who frequently installs from outside the App Store

… then App Store-only will be more friction than benefit. You’d end up bypassing per-app constantly, defeating the purpose.

What the second option (“App Store and identified developers”) does

This is the default on most Macs. It allows:

  • App Store apps (sandboxed, reviewed)
  • Apps signed by an Apple-recognized developer (Developer ID program)
  • Apps notarized by Apple (scanned for known malicious patterns, then ticketed)

It blocks:

  • Unsigned apps (no developer identity)
  • Apps with revoked signatures
  • Apps that fail notarization scan

Most reputable third-party Mac apps fall into “identified developers.” The signing and notarization pipeline gives Apple a chokepoint for known-bad software without restricting users to the App Store.

This is the right default for most users — you get a solid security baseline without the App Store-only restriction.
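Before tightening the setting, it helps to see which bucket each installed app falls into. The script below is an added example, not code from the original article: it runs `spctl --assess` on each bundle in /Applications and sorts the results into the categories described above. The function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: bucket apps by the source Gatekeeper reports for them.

# classify_assessment TEXT -> app-store | apple-system | identified-developer | other | blocked
# TEXT is the verbose output of `spctl --assess --type execute -vv APP`:
# a "PATH: accepted|rejected" line followed by a "source=..." line.
classify_assessment() {
    verdict=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    [ "$verdict" = "accepted" ] || { echo "blocked"; return 0; }
    case "$src" in
        "Mac App Store")                         echo "app-store" ;;
        "Apple System")                          echo "apple-system" ;;
        "Notarized Developer ID"|"Developer ID") echo "identified-developer" ;;
        *)                                       echo "other" ;;
    esac
}

# count_by_category: reads "category<TAB>path" lines, prints "category count".
count_by_category() {
    cut -f1 | sort | uniq -c | awk '{ print $2, $1 }'
}

# audit_apps DIR: classify every .app bundle directly under DIR (macOS only).
audit_apps() {
    for app in "${1:-/Applications}"/*.app; do
        [ -d "$app" ] || continue
        out=$(spctl --assess --type execute -vv "$app" 2>&1) || true
        printf '%s\t%s\n' "$(classify_assessment "$out")" "$app"
    done
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_STORE='/Applications/ExampleNotes.app: accepted
source=Mac App Store'
SAMPLE_DEVID='/Applications/ExampleEditor.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/ExampleTool.app: rejected
source=no usable signature'

# Runs only where spctl exists, i.e. on macOS.
if command -v spctl >/dev/null 2>&1; then
    report=$(audit_apps /Applications | sort)
    printf '%s\n' "$report"
    printf '%s\n' "$report" | count_by_category
fi
```

Everything outside the `app-store` and `apple-system` rows is software you could not install fresh under the App Store-only setting without a per-app override.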

How to change the setting

  1. System Settings → Privacy & Security
  2. Scroll down to “Allow applications downloaded from”
  3. Pick your preference

The change takes effect immediately. Apps already installed and previously approved continue working — the setting only affects future installs and apps that haven’t been explicitly approved.

What “Anywhere” does (for reference)

The third option, “Anywhere,” disables Gatekeeper entirely for new installs. Apple removed the visible UI for it but it can still be enabled via Terminal:

sudo spctl --master-disable

After running, “Anywhere” appears as an option in the Privacy & Security panel. It allows unsigned apps to run without explicit per-app approval.

This is generally not recommended. The signing and notarization pipeline catches a real subset of bad software. Disabling it removes that protection. The friction of right-click → Open for a one-off unsigned app is small enough that you should keep the protection on.

Tip: The "Open Anyway" per-app bypass works fine for one-offs. If you're constantly clicking it, that's a sign your daily flow doesn't fit the strict setting and you might be happier with the default.

What about the App Store privacy claims?

Apple advertises App Store apps as “more private” largely because of:

  • Sandbox enforcement
  • Privacy Disclosures on the listing
  • Apple’s review of permission requests
  • Required Tracking entitlement disclosures

These are real. But App Store apps can still:

  • Track you within their own app (analytics SDKs are common)
  • Request all the same OS-level permissions (Camera, Mic, Photos)
  • Send your data to their own servers (just not to declared third parties without disclosure)

So “App Store privacy” is better than “no privacy framework,” not “perfect privacy.” The audit you’d do for permissions on a non-App Store app is the same one you’d do for an App Store app.

Sandbox containers, again

App Store apps live in ~/Library/Containers/<bundle-id>/Data/. Each container is a constrained mini-filesystem. The app sees its own container as if it were the home directory; it can’t browse to your Documents or Downloads without going through user-driven file pickers (which expose the path the user chose, not full access).

This is a meaningful boundary. A direct-download app with full filesystem access can browse your entire user folder. An App Store app can’t. That alone is a reason the App Store-only setting has real teeth.
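To check the boundary for a specific app rather than take it on trust, read the entitlements in its code signature. The script below is an added example, not code from the original article: it reports whether an app opts into the App Sandbox and which enabled entitlements reach outside its container. The function names and the sample plist are constructed; the entitlement keys are Apple's App Sandbox keys.

```sh
#!/bin/sh
# Added example: report whether an app opts into the App Sandbox and which
# entitlements widen its reach beyond ~/Library/Containers/<bundle-id>/Data/.

# entitlement_enabled XML KEY: succeeds if KEY is present with value <true/>.
# Splitting on '<' makes it work for pretty-printed and single-line plists.
entitlement_enabled() {
    printf '%s' "$1" | tr '<' '\n' | awk -v k="key>$2" '
        $0 == k { want = 1; next }
        want && $0 !~ /^\/key>/ && $0 !~ /^[ \t\r]*$/ {
            found = ($0 ~ /^true\/>/); want = 0
        }
        END { exit !found }'
}

# sandbox_report XML: prints "sandboxed" or "not-sandboxed", then one indented
# line per enabled entitlement that reaches outside the container.
sandbox_report() {
    if entitlement_enabled "$1" com.apple.security.app-sandbox; then
        echo "sandboxed"
    else
        echo "not-sandboxed"; return 0
    fi
    for key in com.apple.security.files.user-selected.read-only \
               com.apple.security.files.user-selected.read-write \
               com.apple.security.files.downloads.read-write \
               com.apple.security.network.client; do
        if entitlement_enabled "$1" "$key"; then echo "  $key"; fi
    done
}

# Constructed sample, shaped like an entitlements plist (not from a real app).
SAMPLE_ENTITLEMENTS='<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.files.user-selected.read-only</key>
  <true/>
  <key>com.apple.security.network.client</key><false/>
</dict></plist>'

# On macOS, inspect the bundle passed as the first argument.
if command -v codesign >/dev/null 2>&1 && [ -d "${1:-}" ]; then
    sandbox_report "$(codesign -d --entitlements - --xml "$1" 2>/dev/null)"
fi
```

A `user-selected` entry corresponds to the file-picker access described above: the app only reaches the paths the user chooses.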

Audit checklist

This is a one-time decision; revisit it if your needs change:

  • Open System Settings → Privacy & Security
  • Look at “Allow applications downloaded from”
  • Decide based on who uses this Mac and what apps they need
  • If App Store-only feels right, set it; bypass per-app if needed
  • If default feels better, keep “App Store and identified developers”
  • Don’t disable Gatekeeper unless you have a specific reason

App Store-only is a defensible choice for some users and a frustrating choice for others. The default — App Store and identified developers — is a sensible middle ground that catches the worst stuff without limiting your tool selection. The honest take: most users should leave the default. Some users (parents, kids, ultra-locked-down work setups) genuinely benefit from App Store-only. Power users should set it once and stop thinking about it.
