The Sonoma rule for os_gatekeeper_enable has the mobileconfig: value as true. This should be false since this rule is audited and remediated within the script and not a configuration profile.

This is actually on purpose.

When you set it with profile it locks the GUI but the command line can override it. So we decided the configuration profile is important but reading the status of the profile doesn't return the actual status of gatekeeper.

Perfect. Thank you for the explanation.