Mountain View to North Pole

As of February, 2025, the Google version of Santa has been retired, but there’s a new North Pole version of Santa available.

While the migration guide outlines a fairly straightforward process, there are some nuances to consider.

Even though I highly recommend reading the actual migration guide, the tl;dr version is basically

1. Deploy/update the MDM profiles
2. Install North Pole Santa
3. Remove the Google Santa part of the system extensions profile
4. North Pole Santa will automatically remove Google Santa and put itself in place

Inside the Toy Sack

You can see here that that the payload for Google Santa is a more direct payload:

The payload for North Pole Santa is a bit more indirect (so the migration can happen after you remove the Google Santa part of the system extensions profile):

Opening the Gifts

The migration guide says

Update your MDM configuration to allow both Google and NPS Santa system extensions simultaneously. This dual-authorization is temporary but necessary for a seamless transition.

and

Remove Google Santa from the allowed system extensions list – This will trigger the automatic unloading of Google Santa – NPS Santa will detect the removal and finish loading itself within a few seconds

I have, however, verified with the North Pole Security team and also through my own testing that you can have completely separate system extensions profiles (one for Google, one for North Pole), and just remove the Google one (instead of having a single system extensions profile you modify the Google parts out of).

I favored having two separate profiles, so I could do a gradual transition.

You could do an all-at-once transition by

1. deploying the updated profiles to all Macs in your fleet
2. deploying North Pole Santa to all Macs in your fleet
3. removing the Google Santa parts of your system extension profile for all Macs in your fleet

Instead, I opted for

1. deploying the updated profiles (including separate system extensions profiles for Google Santa and North Pole Santa) to all Macs in the fleet
2. creating a smart group in Jamf (you could probably do something similar with another MDM) looking to see if the package receipt for North Pole Santa is present
3. having the Google Santa system extensions profile’s scope exclude members of the smart group
4. gradually deploying out North Pole Santa
5. having the deployment process involve a jamf recon so Jamf knows immediately to remove the Google Santa system extensions profile

Keychain in Your Stocking?

Nota bene: If you have any certs you want to grant santasyncservice access to in the Keychain, you’ll have to delete and re-import those certs, since the developer has changed (from Google to North Pole), but you can’t do that right after installing North Pole Santa, since “installing” North Pole Santa just has its version of Santa wait in the wings for the Google Santa system extensions profile to be removed, so you’ll have to script waiting until the actual North Pole Santa .app bundle is in the /Applications folder before you re-import those certs with the proper ACLs.