Use Zentral to automatically sync ALLOW or BLOCK rules targeting applications to the Santa agent. Rules can be scoped to machines by inventory tag, serial number and principal user. To identify the application targeted by a rule, you can use either:
When rolling out Santa, you begin in Monitor mode (where unknown applications are allowed to run). Review all applications that run on your fleet, then start creating rules to BLOCK or ALLOW them.
Once you are confident that you are not impacting your users, you can progress to Lockdown mode (unknown applications are blocked by default). Start by testing on a few devices, then expand if successful. You can always switch back to Monitor mode if you run into an issue.
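The rollout described above can be rehearsed before flipping the mode. The following Python model is an added example and is not Zentral or Santa code: it models machines with inventory tags, a serial number and a principal user, rules that target either a binary SHA-256 or an Apple Team ID (two of Santa's rule types) and that can be scoped to tags, serials or users, and a client mode that decides what happens when no rule matches. The `lockdown_impact` dry run lists every (machine, binary) pair that runs today in Monitor mode but would be blocked in Lockdown mode, which is the list you want to be empty (or fully understood) before moving a device group. All machine serials, hashes, Team IDs and the scoping semantics are constructed assumptions.

```python
"""Toy model of Santa rule evaluation under Monitor and Lockdown mode.

Constructed example, not Zentral or Santa code. Rule precedence follows
Santa's idea that a specific binary hash beats a signer-level (Team ID)
rule; within one level a BLOCK rule beats an ALLOW rule. Scoping semantics
(empty scope == fleet-wide, otherwise any matching tag/serial/user) are an
assumption made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MONITOR, LOCKDOWN = "MONITOR", "LOCKDOWN"
ALLOW, BLOCK = "ALLOW", "BLOCK"
# Most specific target type first.
TARGET_PRECEDENCE = ("BINARY", "TEAMID")


@dataclass(frozen=True)
class Machine:
    serial_number: str
    principal_user: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Binary:
    sha256: str
    team_id: Optional[str] = None   # None == unsigned / ad-hoc signed


@dataclass(frozen=True)
class Rule:
    policy: str                       # ALLOW or BLOCK
    target_type: str                  # "BINARY" (SHA-256) or "TEAMID"
    target_identifier: str
    tags: frozenset = frozenset()     # scoping; all empty == fleet-wide
    serial_numbers: frozenset = frozenset()
    principal_users: frozenset = frozenset()

    def applies_to(self, machine: Machine) -> bool:
        if not (self.tags or self.serial_numbers or self.principal_users):
            return True
        return (bool(self.tags & machine.tags)
                or machine.serial_number in self.serial_numbers
                or machine.principal_user in self.principal_users)

    def matches(self, binary: Binary) -> bool:
        if self.target_type == "BINARY":
            return binary.sha256 == self.target_identifier
        if self.target_type == "TEAMID":
            return binary.team_id == self.target_identifier
        raise ValueError(f"unsupported target type {self.target_type}")


def decide(client_mode: str, rules: List[Rule], machine: Machine,
           binary: Binary) -> Tuple[str, str]:
    """Return (ALLOW|BLOCK, reason) for one execution on one machine."""
    candidates = [r for r in rules if r.applies_to(machine) and r.matches(binary)]
    for target_type in TARGET_PRECEDENCE:
        policies = {r.policy for r in candidates if r.target_type == target_type}
        if policies:
            return (BLOCK if BLOCK in policies else ALLOW), f"{target_type} rule"
    # No rule matched: the client mode supplies the default.
    if client_mode == LOCKDOWN:
        return BLOCK, "no matching rule (lockdown default)"
    return ALLOW, "no matching rule (monitor default)"


def lockdown_impact(rules: List[Rule], machines: List[Machine],
                    binaries: List[Binary]) -> List[Tuple[str, str]]:
    """Dry run of a Monitor -> Lockdown switch: pairs that would newly be blocked."""
    return [(m.serial_number, b.sha256)
            for m in machines for b in binaries
            if decide(MONITOR, rules, m, b)[0] == ALLOW
            and decide(LOCKDOWN, rules, m, b)[0] == BLOCK]


# Constructed sample fleet, binaries and rules (all identifiers are fake).
PILOT = Machine("C02TEST0001", "alice", frozenset({"pilot"}))
STANDARD = Machine("C02TEST0002", "bob")
MACHINES = [PILOT, STANDARD]

VENDOR_TEAM = "ABCDE12345"
VENDOR_APP = Binary("aa" * 32, team_id=VENDOR_TEAM)
OLD_VENDOR_APP = Binary("bb" * 32, team_id=VENDOR_TEAM)   # same signer, retired build
INTERNAL_TOOL = Binary("cc" * 32)                          # unsigned in-house tool
UNKNOWN_APP = Binary("dd" * 32)
BINARIES = [VENDOR_APP, OLD_VENDOR_APP, INTERNAL_TOOL, UNKNOWN_APP]

RULES = [
    Rule(ALLOW, "TEAMID", VENDOR_TEAM),                               # fleet-wide
    Rule(BLOCK, "BINARY", OLD_VENDOR_APP.sha256),                     # hash beats signer
    Rule(ALLOW, "BINARY", INTERNAL_TOOL.sha256, tags=frozenset({"pilot"})),
    Rule(BLOCK, "BINARY", UNKNOWN_APP.sha256,
         serial_numbers=frozenset({STANDARD.serial_number})),
]

if __name__ == "__main__":
    for mode in (MONITOR, LOCKDOWN):
        for m in MACHINES:
            for b in BINARIES:
                print(mode, m.serial_number, b.sha256[:8], *decide(mode, RULES, m, b))
    print("would newly be blocked in Lockdown:", lockdown_impact(RULES, MACHINES, BINARIES))
```

Running it shows the two pairs a Lockdown switch would break today: the unknown app on the pilot machine (no rule at all) and the internal tool on the standard machine (its ALLOW rule is scoped to the `pilot` tag). The retired vendor build is blocked in both modes because its hash rule outranks the signer-level ALLOW, which is the shape of rule you reach for when one version of an otherwise trusted application must not run.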
Use the official Zentral Terraform module to manage Santa configurations, enrollments and rules. This fits naturally into a CI/CD workflow: protect your main branch, and set up mandatory code reviews and dry-runs for pull requests to improve the security and reliability of your configuration. Zentral generates audit events for each configuration change.
Apple deprecated the MDM mount controls for removable storage devices with macOS 11.
To close that gap, the team at Google has integrated a mechanism that uses the macOS Endpoint Security framework to block removable storage devices or force them to be mounted with special flags (e.g. read-only or no-exec). You can manage this mechanism with Zentral because it is part of the Santa sync protocol. Different configurations can be applied to different groups of machines to match your requirements.
We manage the Santa agent with macOS configuration, Zentral enrollment and upgrades.
We configure Santa based on your requirements and guide you toward Lockdown mode for at least a subset of devices.
We implement a CI/CD workflow for the rulesets, using your existing GitLab or GitHub system.