punkfairie/install.fairie
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
install.fairie/home/dot_config/santa
History
Brian Zalewski aa4a6679dc
Fixes
2023-08-08 13:42:10 -04:00
..
install.sh Added Santa configs 2023-08-08 04:13:48 -04:00
local.santa.mobileconfig Added Santa configs 2023-08-08 04:13:48 -04:00
notification-settings.santa.mobileconfig Added Santa configs 2023-08-08 04:13:48 -04:00
README.md Fixes 2023-08-08 13:42:10 -04:00
server.santa.mobileconfig Added Santa configs 2023-08-08 04:13:48 -04:00
system-extension-policy.santa.mobileconfig Added Santa configs 2023-08-08 04:13:48 -04:00
tcc.configuration-profile-policy.santa.mobileconfig Added Santa configs 2023-08-08 04:13:48 -04:00

README.md

Santa

Santa is a macOS security tool that helps handle the process of authorizing binary executions.

The .mobileconfig files in this folder have to be manually clicked on to be loaded or used in conjunction with an managed device provider. For more information on what each .mobileconfig does, please see the Santa Getting Started page.

  • local.santa.mobileconfig - Does not configure Santa to use a centralized server and can be run locally
  • server.santa.mobileconfig - Relies on a synchronization server (more details on the Santa site)

The original code used to deploy Santa via Ansible can be seen below which shows how to use santactl locally to block apps from loading:

---
- name: 'Ensure {{ app_name }} is installed'
  become: false
  community.general.homebrew_cask:
    name: santa
    state: "{{ app_state | default('present') }}"
    accept_external_apps: '{{ allow_external_apps | default(true) }}'
    sudo_password: '{{ ansible_password | default(omit) }}'

- name: Copy the MDM Profile to the target
  become: false
  copy:
    src: santa.mobileconfig
    dest: ~/santa.mobileconfig
    mode: 0700
  when: lockdown_mode

# The `profiles` command, starting in BigSur, does not allow installing Profiles. The command used below allows
# partial automation, in that a notification is shown to install the Profile using System Preferences.
# However, the step fails. Leaving it here to use if another way to completely automate this is possible
# - name: Install the profile # noqa 303
#   shell: open /System/Library/PreferencePanes/Profiles.prefPane /Users/{{ ansible_user }}/santa.mobileconfig
#   when: lockdown_mode
#
# - name: Remove the MDM Profile from the target
#   become: false
#   file:
#     path: ~/santa.mobileconfig
#     state: absent
#   when: lockdown_mode

- name: Ensure Rules are created # noqa 301 305
  shell: /usr/local/bin/santactl rule {{ '--allow' if lockdown_mode else '--block' }} --path {{ rule }}
  loop: '{{ allowed_apps if lockdown_mode else blocked_apps }}'
  loop_control:
    label: '{{ rule }}'
    loop_var: rule