BlacklistRegex and WhitelistRegex on Santa


Thanks once again to @bur on the Mac Admins Slack for the info I’m documenting here.

BlacklistRegex and WhitelistRegex

In a previous blog entry, I talked about using Santa to block apps by certificate (and I briefly mentioned blocking by binary).

You can also block by path using regular expressions. Binary takes precedence over certificate, which takes precedence over regex, so unfortunately you can’t really block Apple apps (like Safari) using regex, because Santa automatically whitelists them by certificate—you can block them only by binary.

You may notice in the Santa documentation for configuration that both WhitelistRegex and BlacklistRegex are listed as string types instead of arrays of strings. That is absolutely true, so if you wanted to whitelist a whole bunch of app paths, you’d have to have a massively long string like this:

<string>^(?:/Applications/Adobe Acrobat DC)/.*|^(?:/Applications/LockDown*|^(?:/Applications/Microsoft*|^(?:/Applications/Microsoft*|^(?:/Applications/Microsoft*</string>

Same deal for a BlacklistRegex string.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.