Gatekeeper not remembering app exceptions on 10.15.4

On System Preferences > Security and Privacy > General > checked allow apps downloaded from App Store


When an app is given an exception after trying to run it by clicking "Open Anyway" on the same window, the exception only lasts around two days, then it is asking for the administrator password again to run any app not from the App Store.


I use this to protect my children from pornography by blocking Tor Browser, which enables them to bypass all parental controls. Since I travel for work and I don't have time for exempting every legitimate non-App Store app they use every 2 days, I need the exemptions to work permanently. I have reformatted the hard drive 4 times and reinstalled, and all times it's given me the same thing.


I have another older MacBook on 10.14 and that one remembers the permissions permanently. Either there is a bug where Gatekeeper does not remember the exception when one clicks "Open Anyway" permanently, or the period for which an app is exempted was changed from permanent to only 2 days on 10.15.4. Which is it?


This is a serious issue as this is the only way to prevent Tor Browser from being downloaded and run. Tor Browser enables any user to bypass all parental controls easily.


Parental controls are the only reason I buy Apple products. It's the only thing Apple has that Windows doesn't have.



MacBook

Posted on May 15, 2020 9:07 AM


13 replies

May 15, 2020 11:04 AM in response to rcoin

That Gatekeeper exemption is a per-app exemption. It sounds like you only happened to wait a couple of days to try another non-Mac App Store app. There is no time limit on a Gatekeeper bypass. It bypasses only that one app that one time and nothing else. It sounds like it is working as designed. You can also just right-click or control-click on an app and choose "open" from the context menu.


Otherwise, I think you are on a wild goose chase for a couple of reasons:

1) There are plenty of apps in the Mac App Store that would allow someone to bypass parental controls. Tor browser is irrelevant.

2) You said "we developers". Are you saying that you are a developer? Is your child also technically inclined? Regardless, there is a good chance that any given child might be clever and resist being controlled. Parental controls are for "normal kids". 😀 If you have a hacker, just give up now. This is a fight that you can't win. Parental controls are trivially easy to bypass. And if you've installed Homebrew on the machine too, the only difficulty is choosing the method.

May 15, 2020 9:28 AM in response to rcoin

Did you move the App off the disk image and into the Applications folder?

It sounds like you are running the app off of the Disk Image. When you restart, the disk is ejected and the app becomes brand new every time you run it off the disk image.


App Store apps should not be asking for permission to run. That is already granted by the App Store.

May 15, 2020 11:21 AM in response to etresoft

It bypasses only that one app that one time and nothing else. It sounds like it is working as designed.

I have my older MacBook here with 10.15.3 and the bypass is permanent on that version. The bypass has been permanent for me for the past 5 years.


If one chooses App Store and identified developers then the limited user need only click on Tor Browser and it will open it. There's no need to install Tor Browser into the Applications folder.


If Apple chose to change the bypass period to two days instead of permanent then they should have included an option for the permanent or two day periods. Right now the whole thing is broken because one cannot prevent Tor Browser from running while preserving functionality with the previously bypassed non-App Store apps. I also noticed that some apps are totally bypassing Gatekeeper without needing to be bypassed at all. Also the window that used to pop up in 10.15.3 when one clicks an app that was previously approved changed in 10.15.4. In 10.15.4 there is no dialog that pops up and the app just opens. This makes me think that maybe it's a bug and not a deliberate change to a 2 day period instead of permanent exception.


I have Homebrew installed but without the administrator credentials the limited user can't install anything from Homebrew.

May 15, 2020 9:57 AM in response to Barney-15E

Yes, I approve it from the child's limited account (but with the administrator credentials) then I test it on the child's account to make sure it works. Homebrew doesn't have a GUI but some of the apps you download from there do. This approach has worked for me perfectly for 5 years until now.


If you're approving an app from an administrator account and not the limited account then you already have privileges.


Pornography can be a crippling lifelong addiction that destroys marriages and lives and it is of the utmost importance to protect children from it. Not to mention the other illegal things that are on Tor that could get them in trouble.

May 15, 2020 5:16 PM in response to rcoin

rcoin wrote:

Yes, this is what I was talking about with regards to permanent. However on 10.15.4 it is asking again after 2 days.

I'm not sure what you are seeing, but I can assure you that no such 2 day timeframe exists. It simply doesn't work that way.

Exactly, I was using Gatekeeper to prevent Tor Browser from running.

It doesn't do that.

Sadly the app control on restrictions only allows a minimum of 1 minute for an app. There's no way to completely block an app; the most one can do is set a daily 1 minute limit. The limit should be able to be set to 0 to completely block an app.

Maybe look for some 3rd party solutions instead.

May 15, 2020 9:32 AM in response to Barney-15E

No, all apps were put in the Applications folder with the admin password at the time of installation. Some apps were installed from the web and others from Homebrew. App Store apps do run fine, but it's the non-App Store apps that don't run even though they were given an exception by clicking "Open Anyway" after they were rejected the first time on the Security and Privacy window. As we all know, we developers are heavily dependent on non-App Store apps such as Homebrew and Unity, for example.

May 15, 2020 11:55 AM in response to rcoin

rcoin wrote:

I have my older MacBook here with 10.15.3 and the bypass is permanent on that version. The bypass has been permanent for me for the past 5 years.

That's just a screen shot of the preference pane. Can you explain why you think there is a permanent bypass?

If Apple chose to change the bypass period to two days instead of permanent then they should have included an option for the permanent or two day periods.

There is no two day bypass. There is no permanent bypass. I'm really not sure what you are talking about here. You can bypass Gatekeeper for a single downloaded app. But that is a single file downloaded one time. You can download a file, bypass Gatekeeper to run it, and then trash the file. If you download the very same file again, 10 seconds later, Gatekeeper will block it. If your Gatekeeper is not doing that, then your Gatekeeper is completely disabled.

Right now the whole thing is broken because one cannot prevent Tor Browser from running while preserving functionality with the previously bypassed non-App Store apps.

I'm not familiar with parental controls. There appears to be an option to set time limits for individual apps: https://support.apple.com/en-ca/guide/mac-help/mchl630bc02f/10.15/mac/10.15

I also noticed that some apps are totally bypassing Gatekeeper without needing to be bypassed at all.

I'm not sure what you mean. Once you bypass Gatekeeper for a single app, it stays bypassed forever. Is this what you were talking about with regards to "permanent"?


Gatekeeper works like its name. It is a "gate keeper". When you download an app outside of the Mac App Store (according to your preferences) it is blocked. Once you allow the app "inside the gate" then it can run, forever. If you download an update to the app, or even if you download the same file again, that new download is blocked until you allow it to bypass Gatekeeper.


But the important thing here is that Gatekeeper is NOT parental controls. Perhaps that is the problem here. Gatekeeper ONLY protects you from hostiles on the internet. If you have a hostile "inside the gates" (i.e. a clever child) then Gatekeeper can be bypassed in a few seconds. It is trivially easy.

Also the window that used to pop up in 10.15.3 when one clicks an app that was previously approved changed in 10.15.4. In 10.15.4 there is no dialog that pops up and the app just opens. This makes me think that maybe it's a bug and not a deliberate change to a 2 day period instead of permanent exception.

There was never any pop up for an app that was already approved.

I have Homebrew installed but without the administrator credentials the limited user can't install anything from Homebrew.

I was just using Homebrew as an example. It is not necessary. I think I understand the problem now. You are confusing Gatekeeper with Parental Controls. They have absolutely nothing to do with each other. If Parental Controls is not working the way you want, you should probably start a new question and specifically ask about that.


With all due respect, you are completely wrong about Gatekeeper. It simply doesn't work the way you describe and never has. If someone, either a person or a malicious app, is on the other side of Gatekeeper, then they can disable it entirely. Or, they just bypass it as needed, keeping you totally in the dark. There is no need to download anything. If there is a malicious user on your machine, then they have all the tools they need to bypass Gatekeeper. Using Parental Controls, you should be able to limit what apps they can run, but you will have to limit that very, very strictly. Any use of the Terminal, or Homebrew, is game over.

May 15, 2020 12:08 PM in response to etresoft

I'm not sure what you mean. Once you bypass Gatekeeper for a single app, it stays bypassed forever. Is this what you were talking about with regards to "permanent"?

Yes, this is what I was talking about with regards to permanent. However on 10.15.4 it is asking again after 2 days.

Gatekeeper works like its name. It is a "gate keeper". When you download an app outside of the Mac App Store (according to your preferences) it is blocked. Once you allow the app "inside the gate" then it can run, forever. If you download an update to the app, or even if you download the same file again, that new download is blocked until you allow it to bypass Gatekeeper.

Exactly, I was using Gatekeeper to prevent Tor Browser from running.




Sadly the app control on restrictions only allows a minimum of 1 minute for an app. There's no way to completely block an app; the most one can do is set a daily 1 minute limit. The limit should be able to be set to 0 to completely block an app.
