Deploy Google Santa on macOS devices using Hexnode UEM - Hexnode Help Center (2024)

Google Santa is a service designed for macOS devices, offering application blocklisting and allowlisting capabilities. With application allowlisting, you can designate trusted applications for execution, whereas blocklisting prevents unauthorized applications from running.

The Google Santa package includes a system extension that monitors application execution. If users attempt to access a blocklisted application, they will receive a message prompt that the application cannot be run.

With Hexnode UEM, admins can easily deploy and install Google Santa on multiple macOS devices. This document provides a detailed explanation of how to manage applications via Google Santa using Hexnode UEM.

Disclaimer:

Google Santa is a powerful tool designed for application management that requires full disk access on the system. We strongly recommend testing this application in a staged environment, prior to deploying it in production.

Add Google Santa to the app inventory

To add the Google Santa DMG file to the app inventory, follow the steps given below:

  1. Download the Google Santa DMG file on your device.
  2. Log in to the Hexnode UEM console.
  3. Navigate to the Apps tab and click on +Add Apps > Enterprise App.
  4. Select macOS, enter the required app details and upload the DMG file.
  5. Click on Add.

The Google Santa DMG file has now been added to the app repository.

Configure a policy to deploy Google Santa

To deploy Google Santa on your macOS devices, you need to configure Required Apps, System Extensions, and Privacy Preferences policies. The following sections provide a detailed explanation of how to set up these required configurations.

Add the Google Santa DMG file as a required app

To configure a Required Apps policy,

  1. Log in to the Hexnode UEM console.
  2. Navigate to Policies > New Policy > New Blank Policy.
  3. Select macOS > App Management > Required App.
  4. Click on +Add > Add App. Next, search and select the Google Santa DMG file and click on Done.

Configure System Extensions (For devices running macOS 10.15 and above)

To configure a System Extensions policy,

  1. Navigate to macOS > Configurations > System Extensions.
  2. Click Configure.
  3. Enable User Override.
  4. Under System Extensions, enter the Team ID “EQHXZ8M8AV” and Bundle ID “com.google.santa.daemon”. Click on Add.
  5. Under System Extension Types, enter the Team ID “EQHXZ8M8AV” and check the Endpoint Security Extension box. Click on Add.

Configure Privacy Preferences to allow full disk access

You can either use an existing policy or create a new one to grant full disk access for the necessary components of Google Santa.

  1. Under the macOS tab, navigate to Security > Privacy Preferences.
  2. Click on +Add new preference.
  3. Click on the dropdown beside All Files and select Allow.
  4. Select Specify Bundle IDs/Path.

To ensure proper functionality of Google Santa, the following components require Full Disk Access (Identifier Type: Bundle ID for all three):

  1. Identifier: com.google.santa
     Code Requirement: identifier "com.google.santa" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV
  2. Identifier: com.google.santa.daemon
     Code Requirement: identifier "com.google.santa.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV
  3. Identifier: com.google.santa.bundleservice
     Code Requirement: identifier "com.google.santa.bundleservice" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV

Associate target device(s)

  1. Navigate to Policy Targets and select the Devices, Device Groups, Users, User Groups, or Domains you want to associate the policy with.
  2. Click on Save.

Shell scripts to manage applications

After successfully associating the policy, you can blocklist/allowlist applications on macOS devices using Google Santa. Deploy the scripts below, each of which performs one of the related operations, using the Execute Custom Script action.

Scripting Language – Bash

File extension - .sh

Disclaimer:

The sample scripts provided below are adapted from third-party open-source sites.

Check Google Santa status

By default, Santa operates in MONITOR mode, allowing all applications to run unless they are specifically blocklisted or lack a valid certificate. To check Google Santa status on your devices, use the following command:

Script to check Google Santa status

#!/bin/bash

# Identify the user currently logged in at the console (the owner of /dev/console).
CurrentUser=$(ls -l /dev/console | awk '{ print $3 }')

# Resolve that user's numeric UID so launchctl can run inside their session.
CurrentUserUID=$(id -u "$CurrentUser")

# Run santactl status in the logged-in user's context; the output reports the current mode (MONITOR or LOCKDOWN) and rule counts.
launchctl asuser "$CurrentUserUID" sudo -iu "$CurrentUser" santactl status

Fetch file information using Google Santa

You can retrieve all relevant file information using the "fileinfo" command, which can be used to make decisions on blocking or allowing specific files.

Script to fetch file information using Google Santa

/usr/local/bin/santactl fileinfo path/to/file

For example, to retrieve information about the Firefox application, execute the below command:

/usr/local/bin/santactl fileinfo /Applications/Firefox.app

Label 1 in the image below represents the bundle hash of the application, and label 2 represents the certificate hash of the application.

Apply rules on applications

Using the generated file hashes, you can create rules and effectively block applications on your devices.

The "rule" command offers various flags:

  • allow: Adds an allow rule
  • block: Adds a block rule
  • silent-block: Blocks the app without displaying a pop-up
  • remove: Removes an existing rule
  • check: Checks for the presence of a rule

Optionally,

  • The --certificate flag is used to indicate whether the given hash is a certificate. This flag applies to all items signed with the same certificate, allowing you to block multiple applications from the same developer.
  • The --message flag is used to specify the message displayed to the user when an application is blocked.

Block application using its bundle hash:

Bundle Hashes are specific to each version of the .app file. This implies that if an application is blocked based on its Bundle Hash, only that version of the .app file will be blocked. If a newer version of the file or software is available, it will not be blocked unless a new rule is added.

To block the Firefox application using its bundle hash and provide the user with a custom message, use the below script:

Script to blocklist application using its bundle hash

/usr/local/bin/santactl rule --block --sha256 746f3351df5c3c6dbc75de1ce6aa909a57e5bf788394f1174daf0e0177c73bb6 --message "Your organization has blacklisted Mozilla Firefox."

When the user attempts to access the blocked application, they will receive a message prompt.

To block the application without any message prompt for the user, replace the --block flag with --silent-block in the above script.

To remove the block on the application, you can use the same command, but with the --remove flag instead of --block:

Script to remove block on the application

/usr/local/bin/santactl rule --remove --sha256 746f3351df5c3c6dbc75de1ce6aa909a57e5bf788394f1174daf0e0177c73bb6

Block application using its certificate hash:

Certificates serve as a signature from the software developer. When you block a certificate, it will block all versions of the software associated with that certificate. It will also block any other applications signed with the same certificate. However, it's important to note that this can have unintended consequences if the device uses other items signed by the same certificate. For instance, blocking a certificate for native macOS applications will also block all Apple software on the device.

To block all versions of the Firefox application, use its certificate hash in the below script:

Script to block app using its certificate hash

/usr/local/bin/santactl rule --block --sha256 714c8a308e522bef92ea9c1d5f9391d2e0eeacfb7d0c09696c0777154b42483f --certificate --message "Your organization has blacklisted Mozilla Firefox."

To remove a block implemented using the certificate hash of the application, you can use the same command, but with the --remove flag instead of --block:

Script to remove block on the app (certificate hash)

/usr/local/bin/santactl rule --remove --sha256 714c8a308e522bef92ea9c1d5f9391d2e0eeacfb7d0c09696c0777154b42483f --certificate
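The "fileinfo" and "rule" steps above are normally chained by hand: copy a hash out of the fileinfo output, then paste it into a rule command. The script below, an added example that is not Hexnode's or Santa's own code, does that chaining in one place: it extracts the file hash (label 1) and the leaf certificate hash (label 2) from fileinfo output, refuses anything that is not a 64-character SHA-256, and prints the exact santactl command as a dry run so it can be reviewed before SANTA_APPLY=1 makes it execute. The fileinfo sample, its "Key : Value" layout with the leaf certificate listed first under "Signing Chain:", and every hash in it are constructed placeholders (assumptions), and the santactl path is assumed to be /usr/local/bin/santactl as elsewhere on this page.

```shell
#!/bin/sh
# Added example (not Hexnode's or Santa's own code): turn `santactl fileinfo`
# output into validated `santactl rule` invocations.
# Assumptions: santactl lives at /usr/local/bin/santactl (override with the
# SANTACTL variable); fileinfo prints "Key : Value" lines with the leaf
# certificate listed first under "Signing Chain:"; the sample output and all
# hashes below are constructed placeholders, not real values.

SANTACTL="${SANTACTL:-/usr/local/bin/santactl}"

# Constructed sample of `santactl fileinfo /Applications/Example.app` output.
SAMPLE_FILEINFO='Path                 : /Applications/Example.app/Contents/MacOS/Example
SHA-256              : 1111111111111111111111111111111111111111111111111111111111111111
Bundle Name          : Example
Bundle Version       : 1.2.3
Code-signed          : Yes
Rule                 : Allowed (Unknown)
Signing Chain:
     1. SHA-256             : 3333333333333333333333333333333333333333333333333333333333333333
        Common Name         : Developer ID Application: Example Corp (ABCDE12345)
        Organizational Unit : ABCDE12345
     2. SHA-256             : 5555555555555555555555555555555555555555555555555555555555555555
        Common Name         : Developer ID Certification Authority'

# fileinfo_sha256 OUTPUT: the file hash (the page's "bundle hash", label 1).
fileinfo_sha256() {
    printf '%s\n' "$1" | awk -F' *: *' '$1 == "SHA-256" { print $2; exit }'
}

# fileinfo_cert_sha256 OUTPUT: the leaf signing certificate hash (label 2).
fileinfo_cert_sha256() {
    printf '%s\n' "$1" | awk -F' *: *' '$1 ~ /^ *1\. SHA-256$/ { print $2; exit }'
}

# is_sha256 VALUE: succeeds only for a 64-character hex digest.
is_sha256() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# santa_rule_validate ACTION SHA256 SCOPE: reject unknown actions, malformed
# hashes and unknown scopes before anything reaches santactl.
santa_rule_validate() {
    case "$1" in
        allow|block|silent-block|remove|check) ;;
        *) echo "unknown rule action: $1" >&2; return 2 ;;
    esac
    if ! is_sha256 "$2"; then
        echo "refusing '$2': not a 64-hex-character SHA-256" >&2; return 2
    fi
    case "$3" in
        binary|certificate) ;;
        *) echo "scope must be binary or certificate, got: $3" >&2; return 2 ;;
    esac
}

# santa_rule_apply ACTION SHA256 [binary|certificate] [MESSAGE]
# Builds the santactl command; prints it as "dry-run: ..." unless
# SANTA_APPLY=1, in which case it is executed.
santa_rule_apply() {
    action="$1"; digest="$2"; scope="${3:-binary}"; message="${4:-}"
    santa_rule_validate "$action" "$digest" "$scope" || return $?
    set -- "$SANTACTL" rule "--$action" --sha256 "$digest"
    if [ "$scope" = certificate ]; then set -- "$@" --certificate; fi
    if [ -n "$message" ]; then set -- "$@" --message "$message"; fi
    if [ "${SANTA_APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf 'dry-run: %s\n' "$*"
    fi
}

# Stand-alone demo on the constructed sample (dry run unless SANTA_APPLY=1):
# block this version by file hash, block the developer by certificate hash,
# then check that the file-hash rule is present.
demo_hash=$(fileinfo_sha256 "$SAMPLE_FILEINFO")
demo_cert=$(fileinfo_cert_sha256 "$SAMPLE_FILEINFO")
santa_rule_apply block "$demo_hash" binary "Example 1.2.3 is not approved by IT."
santa_rule_apply block "$demo_cert" certificate "Software from Example Corp is not approved by IT."
santa_rule_apply check "$demo_hash"
```

On a managed device, run the script with real fileinfo output captured into SAMPLE_FILEINFO (or feed `santactl fileinfo` straight into the two extractor functions), review the dry-run lines, and only then re-run with SANTA_APPLY=1. Keeping the certificate scope an explicit argument is deliberate: as the section above notes, a certificate rule reaches every application signed with that certificate, so the review line makes the --certificate flag visible before it is applied.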

Notes:

  • It is advisable to avoid blocking system apps by certificate, since the shared certificate would also block other applications signed with it and generate repeated block prompts.
  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.