WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / Apple / How to exclude VCSA UI/CLI Installer from MacOS Catalina Security Gatekeeper?

How to exclude VCSA UI/CLI Installer from MacOS Catalina Security Gatekeeper?

02.08.2020 by William Lam // 9 Comments

A couple of weeks ago I had upgraded my personal home computer to the latest MacOS Catalina (10.15) and one of the first issues I ran into was being able to access my vCenter Server. It turned out this was due to changes to MacOS security (which is a good thing) but certainly caught me and others off guard. In fact, I spent quite some time searching online and eventually found this workaround here.

After sharing this tidbit online (which several others also ran into) I came to learn that both Duncan Epping blogged about this issue back in Nov 2019 here and Christian Mohn blogged about this in Dec 2019 here. Sadly I did not come across either of their blogs using "NET::ERR_CERT_REVOKED macos catalina" in Google. I had assumed this was a Chrome issue and simply landed on the first few links and looking back, I now see Duncan's blog was #6 in the search results (doh!)

Today, I ran into another issue when attempting to use the VCSA CLI Installer, the following error was thrown:

“vcsa-deploy.bin” cannot be opened because the developer cannot be verified


This is again due to a security change in MacOS Catalina which now prevents terminal-based applications which are not notarized from running. For a single application/binary, you can go into System Preferences->Security & Privacy and allow anyway. For more complex applications like the VCSA CLI Installer which has a number of libraries and scripts, this will take awhile and end up frustrating end users. The updated security enhancement is actually a good thing and I did not want to disable the Gatekeeper service but I was interested in disabling it for the VCSA CLI Installer. While searching online, I came across this Hashicorp Terraform thread where folks were having the exact same issue and I found out there was a way to disable the MacOS Security Gatekeeper for a specific application.

To do so, we just need to recursively remove the metadata attribute "com.apple.quarantine" for the extracted VCSA ISO by running the following command:

sudo xattr -r -d com.apple.quarantine VMware-VCSA-all-6.7.0-Update-15132721

After the quarantine attribute has been removed, you can now run the VCSA CLI Installer (including UI Installer) without being prompted with an error. Hopefully VMware will consider notarizing future releases of the VCSA Installer and I will be sharing this feedback internally if it has not already.

More from my site

  • Can you really deploy the vCenter Server Appliance (VCSA) without DNS and NTP?
  • Using PowerCLI to automate the retrieval of VCSA Identity Sources
  • How to deploy the vCenter Server Appliance (VCSA) with a custom MAC Address?
  • Using PowerCLI to automate the retrieval of VCSA Password Policies
  • Is a DNS server still required when using a Static IP for VCSA?

Categories // Apple, Automation, VCSA Tags // Catalina, com.apple.quarantine, Gatekeeper, macOS, vcenter server appliance, VCSA

Comments

  1. *protectedAndrew Moser says

    02/17/2020 at 9:31 am

    Another way around the Catalina SSL issue is to import the certs into your keychain. In Chrome if you view the certificate by clicking the "Not Secure" section to the left of the URL, you can then just drag the cert to your desktop, then open it by double clicking, which will open Keychain. Once in Keychain, you can set it to always trust. Saves a few steps for things that use Identity Manager as you only have to do it once instead of for each solution.

    Reply
  2. *protectedJoe Adams (@vJoeAdams) says

    04/15/2020 at 11:57 am

    Thanks William! This works for the vRA 8.1 deployment as well. Thanks for posting this!

    Reply
  3. *protectedMatthew Heinrich says

    04/19/2020 at 9:02 pm

    Thanks William. I'm trying to deploy VSCA 7.0 from a Mac and running into similar issues. I tried to adapt the quarantine command for the VCSA 7.0 installer but it still fails... Any ideas?

    Reply
    • *protectedPatrick Ramsey says

      05/08/2020 at 5:55 pm

      Try un-mounting the ISO, then running the remove attribute command on the ISO file including the extension. Then re mounting the ISO, then running the installer

      Reply
      • *protectedTim Sheppard says

        07/19/2020 at 2:15 am

        Thank you - that stopped me going round in circles.

        Reply
  4. *protectedJoao Moradei says

    05/24/2020 at 4:38 am

    Hello! Thanks for the great tip!
    I have something else I didn't search properly how to fix yet, I thought someone could have a quick fix for that.
    When starting my VMs it asks for my admin password for every NIC the VMs have. Is there a way to run my VMs on a "trusted" mode? Without having to authorize them every time?
    Thanks!

    Reply
  5. *protectedMark Koepsell says

    10/23/2020 at 10:20 am

    Hi has anyone run into similar issues when trying to install vcsa ui installer? I get ovftool cannot be opened, libcrypto.1.0.2.dylib, libvmacore.dylib cannot be opened as well even after allowing it from settings. I tried running the command line that William shared. Didn't work and tried with my current version and build number and no luck either.

    Currently trying to run VMware-VCSA-all-7.0.1-16860138 and connect it to my server (mac mini). I'm new and learning to setup a home lab. 🙂 Thanks!

    Reply
  6. *protectedToine Eetgerink says

    01/05/2021 at 2:53 pm

    Thx Saved me, Needed to extract the ISO and then i could fix it with the above command point to the extracted directory
    Mac keeps on being annoying

    Reply
  7. *protectedcloudmakerbrian says

    04/03/2021 at 8:08 am

    over 1 year and no change the the VRA8.3 installer - same behavior. I'm sorry that they didn't hear your feedback and I'm sorry that MacOS is still a second class citizen with respect to Vmware installers. Thanks for your blog william , we appreciate your help.

    Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • VMware Flings is now available in Free Downloads of Broadcom Support Portal (BSP) 05/19/2025
  • VMUG Connect 2025 - Minimal VMware Cloud Foundation (VCF) 5.x in a Box  05/15/2025
  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...