Santa: A binary Whitelisting/Blacklisting System for Mac OS X

2016-07-28

While developed internally by Google, Santa is not their Santa Tracker:

Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

[…]

Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Additionally, Santa can aid in analyzing what is running in your fleet.

While it’s not 1.0 yet, this is definitely a project for macOS (née OS X) administrators to watch.
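To make the decision flow described in the quoted README concrete, here is an added example (written for this post, not code from the Santa project) that models the userland daemon's job: hash the executable, consult a SQLite rules table, and allow or block. It follows the rule semantics Santa documents, namely that a rule keyed on the binary's SHA-256 takes precedence over a rule keyed on the signing certificate, and that an executable with no matching rule is allowed in MONITOR mode but blocked in LOCKDOWN mode. The table layout, column names, the use of byte strings in place of real Mach-O files, and the stand-in certificate fingerprints are all assumptions made for this illustration, not Santa's actual schema or data.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple

ALLOW = "ALLOW"
BLOCK = "BLOCK"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the 'binary' (here a byte string standing in for a real executable)."""
    return hashlib.sha256(data).hexdigest()


def open_rules_db() -> sqlite3.Connection:
    """In-memory rules store. Schema is an assumption for this example, not Santa's own."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE rules (
               shasum TEXT NOT NULL,
               type   TEXT NOT NULL CHECK (type IN ('BINARY', 'CERTIFICATE')),
               state  TEXT NOT NULL CHECK (state IN ('WHITELIST', 'BLACKLIST')),
               PRIMARY KEY (shasum, type))"""
    )
    return conn


def add_rule(conn: sqlite3.Connection, shasum: str, rule_type: str, state: str) -> None:
    conn.execute("INSERT OR REPLACE INTO rules VALUES (?, ?, ?)", (shasum, rule_type, state))


def lookup(conn: sqlite3.Connection, shasum: str, rule_type: str) -> Optional[str]:
    row = conn.execute(
        "SELECT state FROM rules WHERE shasum = ? AND type = ?", (shasum, rule_type)
    ).fetchone()
    return row[0] if row else None


def decide(conn: sqlite3.Connection, binary: bytes,
           cert_fingerprint: Optional[str], mode: str) -> Tuple[str, str]:
    """Return (decision, reason). Binary rules win over certificate rules; with no
    matching rule the outcome depends on mode (MONITOR allows, LOCKDOWN blocks)."""
    state = lookup(conn, sha256_hex(binary), "BINARY")
    if state == "BLACKLIST":
        return BLOCK, "BINARY_BLACKLIST"
    if state == "WHITELIST":
        return ALLOW, "BINARY_WHITELIST"
    if cert_fingerprint is not None:
        state = lookup(conn, cert_fingerprint, "CERTIFICATE")
        if state == "BLACKLIST":
            return BLOCK, "CERT_BLACKLIST"
        if state == "WHITELIST":
            return ALLOW, "CERT_WHITELIST"
    if mode == "LOCKDOWN":
        return BLOCK, "UNKNOWN_LOCKDOWN"
    return ALLOW, "UNKNOWN_MONITOR"


def demo() -> dict:
    """Constructed scenario: four fake executables and one fake vendor certificate."""
    conn = open_rules_db()
    vendor_cert = sha256_hex(b"constructed vendor certificate DER")  # stand-in fingerprint
    trusted_tool = b"#!/bin/sh\necho trusted tool\n"
    vendor_app = b"constructed vendor app bytes"
    bad_build = b"constructed compromised build, signed with the vendor cert"
    unknown = b"constructed never-before-seen binary"

    add_rule(conn, sha256_hex(trusted_tool), "BINARY", "WHITELIST")
    add_rule(conn, vendor_cert, "CERTIFICATE", "WHITELIST")
    # A specific bad binary is blacklisted even though its signer is trusted:
    add_rule(conn, sha256_hex(bad_build), "BINARY", "BLACKLIST")

    return {
        "trusted": decide(conn, trusted_tool, None, "LOCKDOWN"),
        "vendor": decide(conn, vendor_app, vendor_cert, "LOCKDOWN"),
        "bad_build": decide(conn, bad_build, vendor_cert, "MONITOR"),
        "unknown_monitor": decide(conn, unknown, None, "MONITOR"),
        "unknown_lockdown": decide(conn, unknown, None, "LOCKDOWN"),
    }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:17} {decision:5} ({reason})")
```

The "bad_build" case is the one worth studying: a certificate whitelist alone would have let it run, which is exactly why a per-binary blacklist needs to outrank the more general certificate rule. The two "unknown" cases show why the mode matters when rolling Santa out: MONITOR lets you collect execution data from a fleet before switching to LOCKDOWN.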

Managed Preferences (MCX) was deprecated way back in OS X 10.8 Mountain Lion, though it still works in OS X 10.11 El Capitan, and is the only other way I’m familiar with for blacklisting or whitelisting apps on OS X. MCX settings can even be applied using Profiles via your favorite deployment method (mcxToProfile is a handy tool for that). Unfortunately, I’ve found it to be very problematic and unreliable in practice (often needing to resort to whitelisting entire folders, which is not particularly secure), so this is a very welcome addition to the macOS management toolset. The ability to monitor binary usage across clients is another huge benefit.
