Will Huang (@In0de_16) is currently responsible for EDR product development at TeamT5 and is also a member of the 10sec team, focusing mainly on reverse engineering, system security, and threat hunting. He has presented research at security conferences such as HITCON, JSAC, and CYBERSEC.
For defense on macOS, Apple officially introduced Gatekeeper/XProtect in 2012, a mechanism that intercepts in real time when a user clicks on a program that is known to be malicious, unsigned, or unnotarized. However, does this defense really make the system impervious to all threats? In fact, attacks targeting Apple enterprise users have continued to emerge in recent years, such as the 3CX supply chain attack, TriangleDB, and the first-ever exposed macOS LockBit. These are enough to prove that attackers have long been adept at bypassing Apple's system security mechanisms. This session will delve into the design architecture of this mechanism through reverse engineering, introduce the exploitation techniques observed in recent years, and summarize their attack surface. Through actual attack cases, we will explore the latest attack trends and help the audience understand the security issues of the Apple system.