Google Santa is an open-source project from Google's Macintosh Operations Team. It is a binary whitelisting / blacklisting system for macOS and can be used to analyze what applications run across your fleet and control them by blocking their use entirely.
How can I block the download/installation of a specific installer with Google Santa?
The best way to accomplish this is to block the hash of the specific installer.
Can't I just block the path to the installer?
Technically yes, it's possible to block the path to the installer with Santa. However, this is not the most secure way: a path rule is easy to bypass (just relocate or rename the app). There may also be a race condition between the installer arriving on disk and the App Store automatically opening it before Santa has a chance to:
1) Check that a binary exists at that path
2) Get the hash for the binary at that path
3) Blacklist the hash of that binary
For those reasons, blacklisting the hash of the installer is the best way to guarantee that it gets blocked. That way it's already in a list of binaries that are unacceptable, so it won't matter whether or not it is on disk. As soon as a user or the App Store attempts to launch it, Santa will already know about it and be able to block it from loading.
How do I manually obtain the SHA256 binary hash for an installer?
If you're unable to locate the SHA256 binary hash for an installer online, you can download the installer onto your device and use Terminal to retrieve the SHA256 binary hash.
Depending on your macOS version, one of the three commands below should work to obtain the SHA256 binary hash for an installer:
openssl sha -sha256 <file>
openssl sha256 <file>
shasum -a 256 <file>
Please be sure to replace "<file>" with the installer path to view the SHA256 binary hash.
The SHA256 hash will be unique for a given version of the installer.
How do I find an installer's path?
If you've downloaded the app from the Apple App Store, launch the app and then check the "Open Files and Ports" tab in Activity Monitor. To do this:
1. Open Activity Monitor.
2. Double click on the app name in the list of processes.
3. Click "Open Files and Ports" and look for the path to the binary. (Usually it will be near the top.)
4. Use that path in the Terminal command above.
How can I add Santa to a Profile and configure the settings in the Fleetsmith web app?
1. In the Fleetsmith web app click "Apps & Settings". Then click "Google Santa".
2. Click the "Add to Profile" drop-down and select the Profile you'd like to add Google Santa to. Then click the "Add" button.
3. Click the blue "Configure" button to set up your desired settings.
Where can I read more on Google Santa?
You can check out Santa's documentation here.
How do I remove the blacklist from my fleet?
To remove the blacklist from your fleet, we recommend leaving Santa configured in a blank state so it sends a blank blacklist to all devices in your fleet before removing Santa from the profile.