Application Information
Applications are subject to an allow-list: only applications on a maintained, current list may execute on Mac endpoints. The Santa agent, developed by North Pole Security, has been selected to provide this enforcement.
Enforcement
Rules set in the Santa management console sync to the Santa agent on a regular schedule. The agent uses these rules to block the execution of any application or component that has not been explicitly pre-approved. Users can also trigger a rule sync on demand with a policy in the Self Service+ application.
Exception Process
When an application is blocked, users may request an exception via a form provided by the Santa management console. Each request is submitted to a GitHub rule repository as a pull request containing the relevant application information, and is reviewed and approved or denied on a case-by-case basis. Before an application is added to the allow-list, the pull request must have one approval from a Digital Ground Control team member or an Infrastructure leader. The decision to allow or block a requested application is recorded in the pull request. New rules apply globally to all Digital-managed Mac endpoints.
Configuration Management and Access
Jamf Pro installs and verifies the Santa agent on all endpoints and re-installs it if it is removed. If a device falls out of sync or enters an error state, an alert is sent to Slack and Jamf Pro begins automated remediation. A GitHub repository holds all allow-list and block-list configuration; all staff have read-only access to it, and changes land only through the pull-request process described above.
Logging and Review Process
Additions to the application allow-list are reviewed each time a new application is requested, so the review process is continuous and self-documenting. DataDog provides reporting on all blocked and unknown application execution events. Jamf Pro provides reporting on installed software, software versions, sync status, sync server, and Santa operation mode. This data is reviewed every quarter; reviews are tracked in a Jira project and the data collected is stored in a GitHub repository.
A review consists of sampling five machines to confirm that all of the following are true:
- Santa is installed on the device.
- The installed version meets or exceeds the current baseline version.
- The device is actively syncing with the management server.
- The device is in “Lockdown” mode.
- When an unknown application is run, it is blocked as expected. This is a live test of the Santa enforcement mechanism and therefore requires coordination with the end user; it is run through a policy in Jamf Self Service.
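The first four items in the list above (agent installed, version at or above baseline, actively syncing, Lockdown mode) are state checks that can be scripted so the evidence is gathered in one pass on each sampled machine. The script below is an added example, not part of this policy or of the Santa project: it parses the `Label | value` layout that `santactl status` and `santactl version` print, with constructed sample output embedded so it runs offline. The baseline version `2022.5`, the sync server URL `https://santa.example.com/` and the 24-hour freshness window for the last rule sync are assumptions, not values this policy sets. The fifth item, blocking an unknown application, stays a live test with the user and is not automated here.

```shell
#!/bin/sh
# Added example (not the policy's or Santa's own code): evaluate the quarterly
# review checklist against `santactl status` / `santactl version` output.
# ASSUMPTIONS not stated by the policy: baseline version, sync server URL,
# and a 24-hour window for "actively syncing".
BASELINE_VERSION="2022.5"
EXPECTED_SYNC_SERVER="https://santa.example.com/"
MAX_SYNC_AGE=86400

# Constructed samples in the "Label | value" layout santactl prints.
SAMPLE_STATUS='>>> Daemon Info
  Mode                      | Lockdown
  File Logging              | Yes
>>> Sync Info
  Sync Server               | https://santa.example.com/
  Clean Sync Required       | No
  Last Successful Full Sync | 2022/08/30 10:00:00 -0700
  Last Successful Rule Sync | 2022/08/30 10:00:00 -0700'
SAMPLE_VERSION='santad          | 2022.5
santactl        | 2022.5
SantaGUI        | 2022.5'

# field TEXT LABEL: print the value of the "LABEL | value" line (empty if absent).
field() {
  printf '%s\n' "$1" | awk -F'|' -v k="$2" '
    { key = $1; val = $2
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { print val; exit } }'
}

# version_ge HAVE WANT: succeed if HAVE >= WANT, comparing dotted components numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); top = (n > m) ? n : m
    for (i = 1; i <= top; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0; if (p < q) exit 1 }
    exit 0 }'
}

# to_epoch "YYYY/MM/DD HH:MM:SS +HHMM": seconds since the Unix epoch, computed with
# shell arithmetic (days-from-civil) so it behaves the same on macOS and Linux.
# Fails (status 1, no output) on anything that is not in that layout, e.g. "Never".
to_epoch() {
  set -- $(printf '%s\n' "$1" | tr '/:' '  ')
  [ $# -eq 7 ] || return 1
  case "$1$7" in [0-9][0-9][0-9][0-9][+-][0-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
  y=$1 m=${2#0} d=${3#0} hh=${4#0} mi=${5#0} ss=${6#0}
  sign=${7%????}; tzh=${7#?}; tzh=${tzh%??}; tzh=${tzh#0}; tzm=${7#???}; tzm=${tzm#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))
  off=$((tzh * 3600 + tzm * 60))
  if [ "$sign" = "-" ]; then off=$((0 - off)); fi
  echo $((days * 86400 + hh * 3600 + mi * 60 + ss - off))
}

# sync_fresh LAST NOW: succeed if LAST parses and is between 0 and MAX_SYNC_AGE seconds ago.
# A future timestamp (clock skew) is treated as a failure rather than a fresh sync.
sync_fresh() {
  last=$(to_epoch "$1") || return 1
  age=$(($2 - last))
  [ "$age" -ge 0 ] && [ "$age" -le "$MAX_SYNC_AGE" ]
}

# report LABEL CMD...: run CMD, print PASS/FAIL, count failures in FAILED.
report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; FAILED=$((FAILED + 1)); fi
}

# check_santa STATUS VERSION NOW_EPOCH: one line per checklist item; status 0 only if all pass.
check_santa() {
  FAILED=0
  santad=$(field "$2" santad)
  report "Santa installed (santad reports '$santad')" test -n "$santad"
  report "version '$santad' >= baseline $BASELINE_VERSION" version_ge "${santad:-0}" "$BASELINE_VERSION"
  report "operating mode is Lockdown" test "$(field "$1" Mode)" = Lockdown
  report "sync server is $EXPECTED_SYNC_SERVER" test "$(field "$1" 'Sync Server')" = "$EXPECTED_SYNC_SERVER"
  report "rule sync within the last ${MAX_SYNC_AGE}s" sync_fresh "$(field "$1" 'Last Successful Rule Sync')" "$3"
  [ "$FAILED" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then
  check_santa "$(santactl status)" "$(santactl version)" "$(date +%s)"
else
  check_santa "$SAMPLE_STATUS" "$SAMPLE_VERSION" 1661882400   # constructed "now": 1h after the sample sync
fi
```

Run it with `--live` on an endpoint (for example as a Jamf policy script) to evaluate real `santactl` output; with no arguments it evaluates the embedded sample and prints one PASS/FAIL line per item, exiting non-zero if any item fails. Timestamps are converted with shell arithmetic instead of `date` because GNU and BSD `date` take different parsing flags, and a sync time the script cannot parse is reported as a failure rather than silently skipped.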
| Published Date |
|---|
| 9-1-22 |