Common Expression Language (CEL)

This page lists well-known and/or community-contributed CEL expressions.

CEL (Common Expression Language) rules allow for more complex policies than would normally be possible. Read how to configure CEL rules in the Binary Authorization documentation.

Apps signed since X

This will prevent executions of an app where the specific binary was signed before the provided date. This is particularly useful when attached to a TEAMID or SIGNINGID rule.

target.signing_time >= timestamp('2025-05-31T00:00:00Z')

Prevent users from disabling gatekeeper

Create a signing ID rule for platform:com.apple.spctl and attach the following CEL program

['--global-disable', '--master-disable','--disable', '--add', '--remove'].exists(flag, flag in args) ? BLOCKLIST : ALLOWLIST

Apps signed since X​

Prevent users from disabling gatekeeper​

Apps signed since X

Prevent users from disabling gatekeeper