Deploy Google Santa on macOS devices using Hexnode UEM - Hexnode Help Center (2024)


Google Santa is a service designed for macOS devices, offering application blocklisting and allowlisting capabilities. With application allowlisting, you can designate trusted applications for execution, whereas blocklisting prevents unauthorized applications from running.

The Google Santa package includes a system extension that monitors application execution. If users attempt to access a blocklisted application, they will receive a message prompt that the application cannot be run.

With Hexnode UEM, admins can deploy and install Google Santa on multiple macOS devices at once. This document explains in detail how to manage applications via Google Santa using Hexnode UEM.


Google Santa is a powerful tool designed for application management that requires full disk access on the system. We strongly recommend testing this application in a staged environment, prior to deploying it in production.

Add Google Santa to the app inventory

To add the Google Santa DMG file to the app inventory, follow the steps given below:

  1. Download the Google Santa DMG file on your device.
  2. Login to the Hexnode UEM console.
  3. Navigate to the Apps tab and click on +Add Apps > Enterprise App.
  4. Select macOS, enter the required app details and upload the DMG file.
  5. Click on Add.

The Google Santa DMG file has now been added to the app repository.

Configure a policy to deploy Google Santa

To deploy Google Santa on your macOS devices, you need to configure Required Apps, System Extensions, and Privacy Preferences policies. The following sections provide a detailed explanation of how to set up these required configurations.

Add the Google Santa DMG file as a required app

To configure a Required Apps policy,

  1. Login to the Hexnode UEM console.
  2. Navigate to Policies > New Policy > New Blank Policy.
  3. Select macOS > App Management > Required App.
  4. Click on +Add > Add App. Next, search and select the Google Santa DMG file and click on Done.

Configure System Extensions (For devices running macOS 10.15 and above)

To configure a System Extensions policy,

  1. Navigate to macOS > Configurations > System Extensions.
  2. Click Configure.
  3. Enable User Override.
  4. Under System Extensions, enter the Team ID “EQHXZ8M8AV” and Bundle ID “”. Click on Add.
  5. Under System Extension Types, enter the Team ID “EQHXZ8M8AV” and check the Endpoint Security Extension box. Click on Add.

Configure Privacy Preferences to allow full disk access

You can either use an existing policy or create a new one to grant full disk access for the necessary components of Google Santa.

  1. Under the macOS tab, navigate to Security > Privacy Preferences.
  2. Click on +Add new preference.
  3. Click on the dropdown beside All Files and select Allow.
  4. Select Specify Bundle IDs/Path.

To ensure proper functionality of Google Santa, the following components require Full Disk Access:

For each component the table gives the Identifier Type, the Identifier, and the Code Requirement:

  1. Identifier Type: Bundle identifier. Identifier: "". Code Requirement: and anchor apple generic and certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV
  2. Identifier Type: Bundle identifier. Identifier: "". Code Requirement: and anchor apple generic and certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV
  3. Identifier Type: Bundle identifier. Identifier: "". Code Requirement: and anchor apple generic and certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV

Associate target device(s)

  1. Navigate to Policy Targets and select the Devices, Device Groups, Users, User Groups, or Domains you want to associate the policy with.
  2. Click on Save.

Shell scripts to manage applications

After successfully associating the policy, you can blocklist/allowlist applications on macOS devices using Google Santa. Deploy the below scripts meant to perform various related operations using the Execute Custom Script action.

Scripting Language – Bash

File extension - .sh


The sample scripts provided below are adapted from third-party open-source sites.

Check Google Santa status

By default, Santa operates in MONITOR mode, allowing all applications to run unless they are specifically blocklisted or lack a valid certificate. To check Google Santa status on your devices, use the following command:

Script to check Google Santa status

# Determine the user currently logged in at the console
CurrentUser=$(ls -l /dev/console | awk '/ / { print $3 }')
# Resolve that user's numeric UID
CurrentUserUID=$(id -u "$CurrentUser")
# Run santactl status inside the console user's session context
launchctl asuser "$CurrentUserUID" sudo -iu "$CurrentUser" santactl status
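
As an added example (not Hexnode's or Santa's own code), the script below turns the status check into a compliance signal: it parses the "Key | Value" lines that santactl status prints, compares the reported mode with the one the organization expects, and exits non-zero on a mismatch so the result shows up in the Execute Custom Script action. The SAMPLE_STATUS text is constructed to resemble that layout; its field names and values are assumptions, not output captured from a device.

```shell
#!/bin/bash
# Added example (not Hexnode's or Santa's own code): read the "Key | Value"
# lines that `santactl status` prints and check that the agent is in the
# mode the organization expects, so the exit code can serve as a compliance
# signal. SAMPLE_STATUS is constructed to resemble that layout; the field
# names and values are assumptions, not output captured from a real device.

SAMPLE_STATUS='>>> Daemon Info
  Mode                      | Monitor
  Log Type                  | file
  File Logging              | Yes
>>> Database Info
  Binary Rules              | 2
  Certificate Rules         | 1'

# Print the value of one "Key | Value" line, trimmed of surrounding whitespace.
# Usage: status_field "<status text>" "Mode"
status_field() {
  printf '%s\n' "$1" | awk -F'|' -v key="$2" '
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Return 0 when the reported mode equals the expected one ("Monitor" or
# "Lockdown"), 1 otherwise, writing a one-line verdict either way.
check_mode() {
  local status_text="$1" expected="$2" actual
  actual=$(status_field "$status_text" "Mode")
  if [ "$actual" = "$expected" ]; then
    echo "OK: Santa mode is $actual" \
         "(binary rules: $(status_field "$status_text" "Binary Rules")," \
         "certificate rules: $(status_field "$status_text" "Certificate Rules"))"
    return 0
  fi
  echo "WARN: Santa mode is '${actual:-unknown}', expected '$expected'" >&2
  return 1
}

# On a device with Santa installed, check the live status as the console
# user (same pattern as the status script above); elsewhere, fall back to
# the constructed sample so the parsing can still be exercised.
EXPECTED_MODE="${EXPECTED_MODE:-Monitor}"
if command -v santactl >/dev/null 2>&1; then
  CurrentUser=$(ls -l /dev/console | awk '{ print $3 }')
  CurrentUserUID=$(id -u "$CurrentUser")
  LIVE_STATUS=$(launchctl asuser "$CurrentUserUID" sudo -iu "$CurrentUser" santactl status)
  check_mode "$LIVE_STATUS" "$EXPECTED_MODE"
else
  check_mode "$SAMPLE_STATUS" "$EXPECTED_MODE"
fi
```

Set EXPECTED_MODE=Lockdown when deploying to devices that are meant to run in lockdown mode; the script then flags any device that has silently fallen back to monitor mode.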

Fetch file information using Google Santa

You can retrieve all relevant file information using the "fileinfo" command, which can be used to make decisions on blocking or allowing specific files.

Script to fetch file information using Google Santa


/usr/local/bin/santactl fileinfo path/to/file

For example, to retrieve information about the Firefox application, execute the below command:

/usr/local/bin/santactl fileinfo /Applications/

Label 1 in the image below represents the bundle hash of the application, and label 2 represents the certificate hash of the application.

Apply rules on applications

Using the generated file hashes, you can create rules and effectively block applications on your devices.

The "rule" command takes one of the following action flags:

  • --allow: adds an allow rule
  • --block: adds a block rule
  • --silent-block: blocks the app without displaying a pop-up
  • --remove: removes an existing rule
  • --check: checks for the presence of a rule

The hash the rule applies to is passed with the --sha256 flag, as in the scripts below. Two further flags modify a rule:

  • The --certificate flag indicates that the given hash is a certificate hash. Such a rule applies to every item signed with that certificate, so it can block multiple applications from the same developer.
  • The --message flag specifies the message displayed to the user when an application is blocked.

Block application using its bundle hash:

Bundle Hashes are specific to each version of the .app file. This implies that if an application is blocked based on its Bundle Hash, only that version of the .app file will be blocked. If a newer version of the file or software is available, it will not be blocked unless a new rule is added.

To block the Firefox application using its bundle hash and provide the user with a custom message, use the below script:

Script to blocklist application using its bundle hash


/usr/local/bin/santactl rule --block --sha256 746f3351df5c3c6dbc75de1ce6aa909a57e5bf788394f1174daf0e0177c73bb6 --message "Your organization has blacklisted Mozilla Firefox."

When the user attempts to access the blocked application, they will receive a message prompt.

To block the application without any message prompt for the user, replace the --block flag with --silent-block in the above script.

To remove the block on the application, you can use the same command, but with the --remove flag instead of --block:

Script to remove block on the application


/usr/local/bin/santactl rule --remove --sha256 746f3351df5c3c6dbc75de1ce6aa909a57e5bf788394f1174daf0e0177c73bb6

Block application using its certificate hash:

Certificates serve as a signature from the software developer. When you block a certificate, it will block all versions of the software associated with that certificate. It will also block any other applications signed with the same certificate. However, it's important to note that this can have unintended consequences if the device uses other items signed by the same certificate. For instance, blocking a certificate for native macOS applications will also block all Apple software on the device.

To block all versions of the Firefox application, use its certificate hash in the below script:

Script to block app using its certificate hash


/usr/local/bin/santactl rule --block --sha256 714c8a308e522bef92ea9c1d5f9391d2e0eeacfb7d0c09696c0777154b42483f --certificate --message "Your organization has blacklisted Mozilla Firefox."

To remove the block implemented using certificate hash of the application, you can use the same command, but with the --remove flag instead of --block:

Script to remove block on the app (certificate hash)


/usr/local/bin/santactl rule --remove --sha256 714c8a308e522bef92ea9c1d5f9391d2e0eeacfb7d0c09696c0777154b42483f --certificate
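
The fileinfo and rule sections above are combined in the following added example (not Hexnode's or Santa's own code): it extracts the binary hash and the leaf certificate hash from santactl fileinfo output, validates them, and builds the corresponding santactl rule command, printing it by default (DRY_RUN=1) so the exact rule can be reviewed before it is applied in bulk. SAMPLE_FILEINFO is constructed to resemble santactl's fileinfo layout and is not captured output; the hash values in it are reused from the examples on this page, and the Example.app path and Example Corp certificate name are placeholders.

```shell
#!/bin/bash
# Added example (not Hexnode's or Santa's code): parse `santactl fileinfo`
# output for the binary hash and the leaf certificate hash, then build and
# (optionally) apply a santactl rule from them. SAMPLE_FILEINFO is constructed
# to resemble santactl's layout; the hashes are the ones used on this page and
# the app path and certificate names are placeholders.

SAMPLE_FILEINFO='Path                 : /Applications/Example.app/Contents/MacOS/Example
SHA-256              : 746f3351df5c3c6dbc75de1ce6aa909a57e5bf788394f1174daf0e0177c73bb6
Bundle Name          : Example
Type                 : Executable (arm64)
Code-signed          : Yes
Rule                 : Allowed (Unknown)
Signing Chain:
     1. SHA-256             : 714c8a308e522bef92ea9c1d5f9391d2e0eeacfb7d0c09696c0777154b42483f
        Common Name         : Developer ID Application: Example Corp (TEAMID0000)
        Organization        : Example Corp
     2. SHA-256             : 0000000000000000000000000000000000000000000000000000000000000000
        Common Name         : Developer ID Certification Authority'

# Hash of the executable itself: the unindented, top-level SHA-256 line.
binary_sha256() {
  printf '%s\n' "$1" | awk -F': ' '/^SHA-256/ { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Hash of the leaf (signing) certificate: entry "1." under "Signing Chain:".
leaf_cert_sha256() {
  printf '%s\n' "$1" | awk -F': ' '/^[ \t]+1\. SHA-256/ { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# A SHA-256 is exactly 64 hex characters; refuse anything else so a garbled
# hash never turns into a rule that silently matches nothing.
is_sha256() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Build the argument list for `santactl rule` and either print it (DRY_RUN=1,
# the default) or execute it. scope is "binary" or "certificate"; the message
# is dropped for --remove because it only applies to block rules.
santa_rule() {
  local action="$1" scope="$2" hash="$3" message="$4" out a
  case "$action" in
    allow|block|silent-block|remove) ;;
    *) echo "unknown action: $action" >&2; return 2 ;;
  esac
  if ! is_sha256 "$hash"; then
    echo "not a SHA-256 hash: $hash" >&2
    return 2
  fi
  set -- rule "--$action" --sha256 "$hash"
  if [ "$scope" = "certificate" ]; then set -- "$@" --certificate; fi
  if [ -n "$message" ] && [ "$action" != "remove" ]; then set -- "$@" --message "$message"; fi
  if [ "${DRY_RUN:-1}" = 1 ]; then
    out="/usr/local/bin/santactl"
    for a in "$@"; do
      case "$a" in
        *[!A-Za-z0-9_./=-]*) out="$out '$a'" ;;   # quote args with spaces etc.
        *) out="$out $a" ;;
      esac
    done
    printf '%s\n' "$out"
  else
    /usr/local/bin/santactl "$@"
  fi
}

# Demonstration on the constructed sample (dry run: commands are printed only).
BIN=$(binary_sha256 "$SAMPLE_FILEINFO")
CERT=$(leaf_cert_sha256 "$SAMPLE_FILEINFO")
santa_rule block binary "$BIN" "Your organization has blocked this application."
santa_rule remove certificate "$CERT"
```

On a managed device, replace SAMPLE_FILEINFO with the live output of /usr/local/bin/santactl fileinfo for the target application, keep DRY_RUN=1 for the first run to review the generated command, and only then set DRY_RUN=0 to apply it. Because the script derives the certificate hash from the leaf of the signing chain, it never picks up an intermediate or root certificate, which is the mistake that would block every application signed under that authority.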


  • It is advisable to avoid blocking system apps using certificate, to prevent multiple message prompts for unwanted applications.
  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage or loss to the system caused by the behavior of the script.
Article information

Author: Dean Jakubowski Ret
