Block users from launching specific Apps on macOS devices

saifshaik
JumpCloud Employee

Sometimes, as an IT Admin, you'd like to prevent your end users from accessing certain applications they have installed on their Mac devices. This is achievable with a third-party tool called Santa, developed by Northpole Security: a high-performance, open-source security agent for macOS that provides binary and file-access authorization and rich system event logging.

About Santa:


Santa consists of a system extension that monitors for executions & file access, and makes decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision, a background service for synchronizing the configuration with a remote server, and a command-line utility for managing the system.

Binary Authorization, also known as Binary Allowlisting, is a feature that lets Santa control which binaries (applications) are run on the machine. This is a powerful control for both security and policy enforcement. With Santa running, any time a binary is executed on the machine, Santa decides whether the binary is allowed to execute.

  • If the execution is allowed, everything will proceed as normal and Santa will cache its decision so that subsequent executions can avoid repetitive processing and execute faster.

  • If the execution is denied, Santa optionally presents a GUI notification over the top of any other windows detailing what was blocked.

Santa supports multiple mechanisms for controlling which executables are allowed to run as friction-free as possible. The primary mechanism for deciding what is able to run is Rules. Rules can be synchronized from a server, configured statically in a profile, or managed locally.

Rule Types:

Santa supports several different rule types and follows a strict evaluation order when determining which rule to enforce for a given execution. The following diagram shows Santa's rule precedence:

Screenshot 2025-05-03 at 2.51.04 PM.png

CDHash - CDHash rules use a binary's signed code directory hash as an identifier.

Binary - Binary rules use the SHA-256 hash of the entire binary file as an identifier. This means that if the binary file is tampered with in any way then the rule will not match.

Signing ID - Signing IDs are arbitrary identifiers under developer control that are given to a binary at signing time. Typically, these use reverse domain name notation and include the name of the binary (e.g. com.google.Chrome). Because the signing IDs are arbitrary, the Santa rule identifier must be prefixed with the Team ID associated with the Apple developer certificate used to sign the application.
For example, a signing ID rule for Google Chrome would be: EQHXZ8M8AV:com.google.Chrome. For platform binaries (i.e. those binaries shipped by Apple with the OS), which do not have a Team ID, the string platform must be used instead (e.g. platform:com.apple.curl).

Certificate - Certificate rules are formed from the SHA-256 fingerprint of an X.509 leaf signing certificate.

Team ID - The Apple Developer Program Team ID is a 10-character identifier issued by Apple and tied to developer accounts/organizations. For example, a Team ID rule for Google Chrome is: EQHXZ8M8AV.

Modes:

If Santa hasn't made a decision based on existing Rules, the action that is taken depends on what mode Santa is running in. In event/telemetry output this is the UNKNOWN case:

  • Monitor - Executions of binaries or Apps not covered by a rule will be allowed

  • Lockdown - Executions of binaries or Apps not covered by a rule will be blocked

  • Standalone - All unknown executions are held until the user approves them, either by using Touch ID or by entering their password. If they approve, the execution is allowed to continue (without requiring re-execution) and a local Signing ID or SHA-256 rule is automatically created.

Deploying Santa on Mac devices using JumpCloud:

To start blocking Applications on the Mac endpoints, you need to deploy pre-approved permissions for Santa, deploy the app and configure the Rules.

Deploying System Extension:

Leveraging JumpCloud's Mac System Extension Policy, you need to pre-approve the Santa System Extension by configuring and deploying the policy with the values mentioned below:

  • Policy Name - Santa System Extension
  • Team ID - ZMCG7MLDV9
  • Bundle ID - com.northpolesec.santa.daemon
  • Security Extension - Checked
  • Driver Extension - Unchecked
  • Network Extension - Unchecked

Deploying Other Permissions:

Other permissions required by Santa are Full Disk Access, Background App Access and Notifications. To save some time and effort, I've crafted a custom MDM configuration profile for all these permissions. Download the MDM configuration profile from here and deploy it using JumpCloud's Mac MDM Custom Configuration Profile Policy. This profile was created based on the configuration mentioned in this article.

Deploying the Santa App:

With all of the permissions configured you are finally ready to install the Santa App package.

The latest releases of the Santa app are always available on GitHub in DMG, PKG and APP (within a .tar.gz file) formats.

For ease of deployment and future upgrades, we choose the PKG file and deploy it using either JumpCloud's Self-Hosted macOS Apps method or the Mac Private Repository method. With the Self-Hosted method, we use the direct one-click download URL of the PKG file and configure it in Self-Hosted Software Management. With the Private Repo method, we download the PKG from GitHub and upload it to Private Repo Software Management for deployment.

Once the app is successfully installed, you next need to verify the Mode and configure and maintain the Rules.

Verifying the Santa App:

Upon successful installation of Santa, you can check that Santa is installed and running using santactl:

  • santactl version - prints the version details of the Santa app.
  • santactl status - prints the status of Santa, including the mode it is running in, the rule types along with the number of rules configured, and sync server information if a sync server is set up.

You can remotely execute these commands on target Mac device(s) using JumpCloud Commands. Set up the command below in JumpCloud to run as 'root' to query the status of Santa. Because JumpCloud Commands are processed by the JumpCloud agent, we need to provide the full path of the santactl command:

/usr/local/bin/santactl status

A sample Command Result screenshot:
Screenshot 2025-05-03 at 4.43.35 PM.png

Configuring Mode and Rules:

Mode:

As mentioned above, if you wish to block the execution of ALL apps on the device and explicitly allow only certain apps, configure Santa in LOCKDOWN mode. Alternatively, if you wish to explicitly block only CERTAIN apps and allow all others, configure Santa in MONITOR mode, which is the most commonly used mode. The third mode, STANDALONE, is used if you, as an admin, do not want to decide the rules yourself but let the end users approve or deny the execution of apps themselves.

By default, when the Santa app is installed it is configured in MONITOR mode, so no mode change is required. If you wish to place Santa in LOCKDOWN mode instead, you can do so using an MDM configuration profile.

Rules:

As mentioned above, if you wish to block the execution of particular apps, you need to configure rules within Santa to block or allow those apps. You can do this using the santactl rule command options.

First, identify which Rule Type you'd like to use to block apps; I prefer Team ID, Signing ID or Binary rules.

After identifying the name of the app my end user has installed on their Mac, I silently add a rule in Santa to block the app. This prevents the app from launching the next time the user tries to open it.

A few use cases for the santactl rule options:

As an example, let's block users from accessing the Discord app installed on their Mac using the Team ID.

First, identify the Team ID of the Discord app using the command below -

/usr/local/bin/santactl fileinfo /Applications/Discord.app | grep 'Team ID'

While there are other methods to retrieve the Team ID, this is one of the reliable options using the santactl command.

Screenshot 2025-05-03 at 7.49.19 PM.png

The 10-character alphanumeric Team ID of Discord is retrieved. Next, we add a rule in Santa to block this app from executing, using the Team ID rule type -

/usr/local/bin/santactl rule --block --teamid --identifier 53Q6R32WPB

The Command Result shows that a rule has been added for the specified Team ID.

Screenshot 2025-05-03 at 7.50.58 PM.png

Now, on the Mac endpoint, when the end user tries to open the Discord app, they are presented with a Santa dialog box containing a generic warning message, and the app does not launch.

Screenshot 2025-05-03 at 7.52.55 PM.png

If you'd like to customize the warning message shown in the dialog box, you can do so by appending --message to the above command:

/usr/local/bin/santactl rule --block --teamid --identifier 53Q6R32WPB --message 'Your IT Admin has blocked this app due to Security and Compliance reasons.'

The user will then see the prompt below when trying to launch Discord:

Screenshot 2025-05-03 at 7.58.07 PM.png

To revert the change and allow the app again, execute the command below, which explicitly allows the specified Team ID to execute:

/usr/local/bin/santactl rule --allow --teamid --identifier 53Q6R32WPB

As another example, let's block users from accessing the WhatsApp app installed on their Mac using the Signing ID.

First, identify the Signing ID of WhatsApp using the command below -

/usr/local/bin/santactl fileinfo /Applications/Whatsapp.app | grep 'Signing ID'

The Signing ID of WhatsApp is retrieved. Next, as before, we add a rule in Santa to block this app from executing, this time using the Signing ID rule type and a silent block -

/usr/local/bin/santactl rule --silent-block --signingid --identifier 57T9237FN3:net.whatsapp.WhatsApp

Command Result as seen in JumpCloud -

Screenshot 2025-05-03 at 8.07.52 PM.png

To verify the rule set on a specific app, we can use the --check option along with the rule type and identifier -

/usr/local/bin/santactl rule --check --signingid --identifier 57T9237FN3:net.whatsapp.WhatsApp

The Command Result reports the rule set for the specified app's Signing ID -

Screenshot 2025-05-03 at 8.12.37 PM.png

When a block rule is added using --silent-block, there is no warning dialog box or prompt when the user tries to open the app; it simply prevents the app from launching. Because nothing is shown, this can be a very confusing experience for users, so use it with caution. Refer to the attached GIF clip depicting the end user's experience.

Lastly, if you wish to clear all the rules (both block and allow) set on the target Mac, use the command below:

/usr/local/bin/santactl rule --clean-all

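As an added example that is not part of the original post, the steps above folded into a single JumpCloud Command script: it reads the Signing ID and Team ID from santactl fileinfo output, prefers the app-scoped Signing ID over the developer-wide Team ID, adds the block rule and verifies it with --check. The santactl path is the one used in the post; the fileinfo output embedded in the script is a constructed sample (values taken from the post, in the Team-ID-prefixed form the post shows) so the script can be dry-run on a host without Santa.

```shell
#!/bin/sh
# Added example, not from the original post: block an app from a JumpCloud
# Command by reading its Signing ID / Team ID out of `santactl fileinfo`.
# Assumes NPS Santa installed at the path used in the post.
SANTACTL=/usr/local/bin/santactl

# Constructed sample of `santactl fileinfo` output (values taken from the post),
# used so the script can be dry-run on a host without Santa.
SAMPLE_FILEINFO='Path                 : /Applications/WhatsApp.app/Contents/MacOS/WhatsApp
Bundle Name          : WhatsApp
Code-signed          : Yes
Signing ID           : 57T9237FN3:net.whatsapp.WhatsApp
Team ID              : 57T9237FN3'

# Extract one "Key : Value" field from fileinfo output. $1 = output, $2 = key.
fileinfo_field() {
  printf '%s\n' "$1" | sed -n "s/^ *$2 *: *//p" | head -n 1
}

# Compose the santactl rule invocation (echoed so it appears in the Command Result).
# $1 = signingid|teamid, $2 = identifier, $3 = block|silent-block|allow, $4 = message
rule_command() {
  cmd="$SANTACTL rule --$3 --$1 --identifier $2"
  if [ -n "$4" ]; then cmd="$cmd --message '$4'"; fi
  printf '%s' "$cmd"
}

# Block the app at $1. A Signing ID rule is scoped to this one app, whereas a
# Team ID rule blocks every app signed by that developer, so the Signing ID is
# preferred. $2 is the user-facing message; empty means a silent block.
block_app() {
  if [ -x "$SANTACTL" ]; then info=$("$SANTACTL" fileinfo "$1"); else info="$SAMPLE_FILEINFO"; fi
  sid=$(fileinfo_field "$info" "Signing ID")
  tid=$(fileinfo_field "$info" "Team ID")
  if [ -n "$sid" ]; then type=signingid; id="$sid"
  elif [ -n "$tid" ]; then type=teamid; id="$tid"
  else echo "no Signing ID or Team ID for $1 (unsigned binary?)" >&2; return 1; fi
  if [ -n "$2" ]; then action=block; else action=silent-block; fi
  if [ -x "$SANTACTL" ]; then
    if [ -n "$2" ]; then "$SANTACTL" rule --block "--$type" --identifier "$id" --message "$2"
    else "$SANTACTL" rule --silent-block "--$type" --identifier "$id"; fi
    "$SANTACTL" rule --check "--$type" --identifier "$id"   # confirm the rule was stored
  fi
  rule_command "$type" "$id" "$action" "$2"; echo
}

block_app /Applications/WhatsApp.app "Your IT Admin has blocked this app."
```

Run it as root from JumpCloud Commands; on a device without Santa it only prints the rule command it would have applied.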
Santa has more advanced features beyond locally managed rules:

  • Sync Server - Santa can be configured to synchronize with a central server, which manages the rules Santa applies and the settings that apply to the host, and receives details about executions that have been blocked.

  • File Access Authorization - lets Santa control which processes are allowed to read or write particular files. This can be used to monitor and log access, or to block it altogether.

  • Telemetry - Santa collects and outputs telemetry data about security events, providing insight into system activity, security events and policy enforcement decisions.

Refer to the Santa GitHub, Northpole Dev and Santa Dev (deprecated) sites for more information on these features.

Hope this helps! Until next time! 🙂

2 Replies

hoium
Novitiate II

Thank you for this guide, @saifshaik! I was looking for a way to block the Migration Assistant, and this solution worked perfectly.

saifshaik
JumpCloud Employee

Most welcome @hoium. I'm glad the article has been helpful. Cheers!