Acknowledgements
Special shoutout to @bur on the Mac Admins Slack for help with some command-line syntax.
Santa can be complicated, but doesn’t need to be
Google has a project on GitHub called Santa, which is quite powerful and complicated. As the project’s readme says, though: “Documentation: This is currently limited.”
I just wanted to do something simple: block an app, but I didn’t see any straightforward documentation on how to do that. The closest I could find was the docs on certificate rules, but that was a bit incomplete.
So, first of all, something I was confused about at first was whether a configuration profile was necessary or not. It is not necessary. Santa has default settings that apply on their own. You need a configuration profile only if you want to change those settings.
Blocking an app by certificate
If you have a blocking application rule, you can block by binary or by certificate. Blocking by binary may not be as helpful, because newer versions of an app will be a different binary. Let’s say you want to block MacKeeper by certificate. (Install Santa first, so you can actually use it, including the santactl command.)
Signing Chain:
    1. SHA-256             : 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614
       SHA-1               : 2664b71c3db787226ff9715da4de32e9ad3e364f
       Common Name         : Developer ID Application: KROMTECH ALLIANCE CORP. (64424ZBYX5)
       Organization        : KROMTECH ALLIANCE CORP.
       Organizational Unit : 64424ZBYX5
       Valid From          : 2013/10/14 04:00:13 -0700
       Valid Until         : 2018/10/15 04:00:13 -0700

    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
       Common Name         : Developer ID Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2012/02/01 14:12:15 -0800
       Valid Until         : 2027/02/01 14:12:15 -0800

    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 14:40:36 -0700
       Valid Until         : 2035/02/09 13:40:36 -0800
Then, add a block rule for it:
You can always check on the other parameters by running
which will output something like this:
Usage: santactl rule [options]
  One of:
    --whitelist: add to whitelist
    --blacklist: add to blacklist
    --silent-blacklist: add to silent blacklist
    --remove: remove existing rule
    --check: check for an existing rule

  One of:
    --path {path}: path of binary/bundle to add/remove.
                   Will add the hash of the file currently at that path.
                   Does not work with --check. Use the fileinfo verb to check.
                   the rule state of a file.
    --sha256 {sha256}: hash to add/remove/check

  Optionally:
    --certificate: add or check a certificate sha256 rule instead of binary
    --message {message}: custom message
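Putting the post's steps together, as an added example (not from the original post or the Santa project): this script reads `santactl fileinfo` output, picks the leaf certificate (entry 1 of the signing chain) and prints the matching block rule so you can review it before running it. The function names and the app path in the comment are assumptions; the sample chain is constructed from the output shown above.

```shell
#!/bin/sh
# Constructed sample: "Signing Chain" lines in the layout shown in the post,
# trimmed to the two fields that matter here (hashes copied from the post).
SAMPLE_CHAIN='Signing Chain:
    1. SHA-256 : 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614
       Common Name : Developer ID Application: KROMTECH ALLIANCE CORP. (64424ZBYX5)
    2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       Common Name : Developer ID Certification Authority
    3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       Common Name : Apple Root CA'

# Read fileinfo output on stdin, print the SHA-256 of chain entry $1.
chain_sha256() {
    awk -v want="$1" '
        $2 == "SHA-256" && $1 ~ /^[0-9]+\.$/ {
            n = $1; sub(/\./, "", n)
            if (n + 0 == want + 0) { print $NF; exit }
        }'
}

# True only for 64 lowercase hex characters.
is_sha256() {
    case "$1" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Print (do not run) the block rule for entry 1, the developer's own leaf cert.
# Entries 2 and 3 are Apple's intermediate and root; a rule on either would
# match every Developer ID-signed app, not just this vendor's.
build_block_rule() {
    hash=$(chain_sha256 1)
    is_sha256 "$hash" || { echo "no valid leaf SHA-256 in input" >&2; return 1; }
    # Flags as listed in the usage text above; sudo because rule changes need root.
    printf 'sudo santactl rule --blacklist --certificate --sha256 %s\n' "$hash"
}

# Live use (app path is an assumption):
#   santactl fileinfo /Applications/MacKeeper.app | build_block_rule
printf '%s\n' "$SAMPLE_CHAIN" | build_block_rule
```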
That’s pretty much it. That isn’t everything Santa can do. That’s about the simplest thing you can do with Santa, but most of the documentation for Santa is about all of the other stuff you can do. I didn’t see much about just how to simply block an .app, hence this blog post.