Using Santa to block an .app

Acknowledgements

Special shoutout to @bur on the Mac Admins Slack for help with some command-line syntax.

Santa can be complicated, but doesn’t need to be

Google has a project on GitHub called Santa, which is quite powerful and complicated. As the project’s readme says, though: “Documentation: This is currently limited.”

I just wanted to do something simple: block an app, but I didn’t see any straightforward documentation on how to do that. The closest I could find was the docs on certificate rules, but that was a bit incomplete.

One thing I was confused about at first was whether a configuration profile is necessary. It is not. Santa has default settings that apply on their own, so you need a profile only if you want to change those settings.

Blocking an app by certificate

When you create a block rule for an application, you can block by binary or by certificate. Blocking by binary may not be as helpful, because newer versions of an app will be a different binary. Let’s say you want to block MacKeeper by certificate. (Install Santa first, so you can actually use it, including the santactl command.)

santactl fileinfo /Applications/MacKeeper.app --key "Signing Chain"
Signing Chain:
1. SHA-256 : 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614
SHA-1 : 2664b71c3db787226ff9715da4de32e9ad3e364f
Common Name : Developer ID Application: KROMTECH ALLIANCE CORP. (64424ZBYX5)
Organization : KROMTECH ALLIANCE CORP.
Organizational Unit : 64424ZBYX5
Valid From : 2013/10/14 04:00:13 -0700
Valid Until : 2018/10/15 04:00:13 -0700

2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
Common Name : Developer ID Certification Authority
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2012/02/01 14:12:15 -0800
Valid Until : 2027/02/01 14:12:15 -0800

3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
Common Name : Apple Root CA
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2006/04/25 14:40:36 -0700
Valid Until : 2035/02/09 13:40:36 -0800

Then, add a block rule for it:

sudo santactl rule --blacklist --certificate --sha256 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614
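
The two steps above combined, as an added example that is not part of the original post: it reads signing-chain text on stdin, takes the SHA-256 of entry 1 only, and prints the rule command in the post's syntax for review. The function names are hypothetical, the sample is constructed from the output shown above, and the refusal of Apple leaf certificates follows the author's reply in the comments.

```shell
#!/bin/sh
# Constructed sample: entries 1 and 2 of the signing chain shown above.
sample_chain() {
cat <<'EOF'
Signing Chain:
1. SHA-256 : 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614
SHA-1 : 2664b71c3db787226ff9715da4de32e9ad3e364f
Common Name : Developer ID Application: KROMTECH ALLIANCE CORP. (64424ZBYX5)
Organization : KROMTECH ALLIANCE CORP.
Organizational Unit : 64424ZBYX5

2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
Common Name : Developer ID Certification Authority
Organization : Apple Inc.
EOF
}

# leaf_field FIELD: print FIELD from chain entry 1 (the app's own certificate).
# Entry 2 is the Developer ID CA that every Developer ID app chains to, so a
# rule on it would hit far more than the one vendor.
leaf_field() {
  awk -v want="$1" '
    /^[ \t]*[0-9]+\.[ \t]/ { entry = $1 + 0; sub(/^[ \t]*[0-9]+\.[ \t]*/, "") }
    entry == 1 {
      i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == want) { print val; exit }
    }'
}

# block_rule_cmd: read chain text on stdin and print the rule command for the
# leaf certificate; fail if the hash is malformed or the leaf is Apple's.
block_rule_cmd() {
  chain=$(cat)
  hash=$(printf '%s\n' "$chain" | leaf_field "SHA-256")
  org=$(printf '%s\n' "$chain" | leaf_field "Organization")
  case "$hash" in
    ""|*[!0-9a-f]*) echo "no valid leaf SHA-256 in input" >&2; return 1 ;;
  esac
  [ "${#hash}" -eq 64 ] || { echo "leaf SHA-256 is not 64 hex digits" >&2; return 1; }
  if [ "$org" = "Apple Inc." ]; then
    echo "leaf is an Apple certificate; use a binary rule instead" >&2
    return 1
  fi
  printf 'sudo santactl rule --blacklist --certificate --sha256 %s\n' "$hash"
}

sample_chain | block_rule_cmd   # prints the rule command for review
```

On a Mac with Santa installed, pipe the real output in place of the sample: santactl fileinfo /Applications/MacKeeper.app --key "Signing Chain" | block_rule_cmd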

You can always check on the other parameters by running

sudo santactl rule

which will output something like this:

No state specified

Usage: santactl rule [options]
One of:
--whitelist: add to whitelist
--blacklist: add to blacklist
--silent-blacklist: add to silent blacklist
--remove: remove existing rule
--check: check for an existing rule

One of:
--path {path}: path of binary/bundle to add/remove.
Will add the hash of the file currently at that path.
Does not work with --check. Use the fileinfo verb to check.
the rule state of a file.
--sha256 {sha256}: hash to add/remove/check

Optionally:
--certificate: add or check a certificate sha256 rule instead of binary
--message {message}: custom message

That’s pretty much it. It isn’t everything Santa can do; it’s about the simplest thing you can do with Santa. Most of the documentation for Santa covers all of the other things you can do, and I didn’t see much about how to simply block an .app, hence this blog post.



Comments

7 responses to “Using Santa to block an .app”

  1. […] a previous blog entry, I talked about using Santa to block apps by certificate (and I briefly mentioned blocking by […]

  2. […] found Santa to block things more reliably (or not to block things you've allowed). You can block by certificate or (for Apple applications you'd need to do this), block by […]

  3. Mike

    Hey, excellent work… your blog was just recommended by someone in a very high place, I’m not at liberty to say who and what company, but let’s just say that they work for a company that resembles a fruit. (: I’m trying to block the Terminal app, will this method work?

    1. Alan Siu

      Hi, Mike. No, you can’t block it with certificate rules, because Apple apps are whitelisted by certificate by default. The only way to block Apple apps with Santa is by binary. Here’s an example of how I did that (/Applications/Utilities/Terminal.app isn’t in the example here, but you can easily add it—or create your own script based on the principles here):
      https://github.com/aysiu/Mac-Scripts-and-Profiles/blob/master/OutsetPrivilegedSantaRules.sh

  4. Søren Døygaard

    Hello Alan. Thank you for your constant inspiration. Do you use Google Upvote together with Santa?

    1. Alan Siu

      No, I don’t use Upvote right now.

  5. […] with macOS 10.14 (Mojave), you can block using Santa (see Using Santa to block an .app for more details on general Santa use). It's possible this Santa-blocking approach may have worked […]
