Using Santa to block an .app

Acknowledgements

Special shoutout to @bur on the Mac Admins Slack for help with some command-line syntax.

Santa can be complicated, but doesn't need to be

Google has a project on GitHub called Santa, which is quite powerful and complicated. As the project's readme says, though: "Documentation: This is currently limited."

I just wanted to do something simple: block an app, but I didn't see any straightforward documentation on how to do that. The closest I could find was the docs on certificate rules, but that was a bit incomplete.

First of all, something I was confused about at first was whether a configuration profile is necessary. It is not. Santa runs with default settings out of the box, so you only need a configuration profile if you want to change those defaults.

Blocking an app by certificate

A block rule can match either a binary or a certificate. Blocking by binary may not be as helpful, because each newer version of an app will be a different binary. Let's say you want to block MacKeeper by certificate. (Install Santa first, so you can actually use it, including the santactl command.)

santactl fileinfo /Applications/MacKeeper.app --key "Signing Chain"
Signing Chain:
1. SHA-256 : 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614
SHA-1 : 2664b71c3db787226ff9715da4de32e9ad3e364f
Common Name : Developer ID Application: KROMTECH ALLIANCE CORP. (64424ZBYX5)
Organization : KROMTECH ALLIANCE CORP.
Organizational Unit : 64424ZBYX5
Valid From : 2013/10/14 04:00:13 -0700
Valid Until : 2018/10/15 04:00:13 -0700

2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
Common Name : Developer ID Certification Authority
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2012/02/01 14:12:15 -0800
Valid Until : 2027/02/01 14:12:15 -0800

3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
Common Name : Apple Root CA
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2006/04/25 14:40:36 -0700
Valid Until : 2035/02/09 13:40:36 -0800

Then, add a block rule for it:

sudo santactl rule --blacklist --certificate --sha256 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614

You can always check on the other parameters by running

sudo santactl rule

which will output something like this:

No state specified

Usage: santactl rule [options]
One of:
--whitelist: add to whitelist
--blacklist: add to blacklist
--silent-blacklist: add to silent blacklist
--remove: remove existing rule
--check: check for an existing rule

One of:
--path {path}: path of binary/bundle to add/remove.
Will add the hash of the file currently at that path.
Does not work with --check. Use the fileinfo verb to check.
the rule state of a file.
--sha256 {sha256}: hash to add/remove/check

Optionally:
--certificate: add or check a certificate sha256 rule instead of binary
--message {message}: custom message

If you then try to run MacKeeper, you'll get a block message like this:

That's pretty much it. That isn't everything Santa can do. That's about the simplest thing you can do with Santa, but most of the documentation for Santa is about all of the other stuff you can do. I didn't see much about just how to simply block an .app, hence this blog post.
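
The steps above as one script, added here as an example rather than taken from Santa's documentation: it pulls the leaf certificate (entry 1) hash out of saved fileinfo output and prints the block and --check commands without running them. The function names and the Developer ID common-name check are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the certificate block rule from saved
# `santactl fileinfo <app> --key "Signing Chain"` output.

# Print one field ("SHA-256", "Common Name", ...) of chain entry $1.
# Reads the fileinfo text on stdin; entry 1 is the leaf certificate.
chain_field() {
  awk -v want="$1" -v field="$2" '
    { sub(/^[ \t]+/, "") }
    /^[0-9]+\.[ \t]/ { idx = $1 + 0; sub(/^[0-9]+\.[ \t]+/, "") }
    idx == want && index($0, field) == 1 {
      sub(/^[^:]*:[ \t]*/, ""); print; exit
    }'
}

# Print the block and check commands for the leaf certificate in text $1.
leaf_block_commands() {
  sha=$(printf '%s\n' "$1" | chain_field 1 "SHA-256")
  cn=$(printf '%s\n' "$1" | chain_field 1 "Common Name")
  case "$sha" in
    ""|*[!0-9a-f]*) echo "no leaf SHA-256 found" >&2; return 1 ;;
  esac
  [ "${#sha}" -eq 64 ] || { echo "leaf hash is not 64 hex digits" >&2; return 1; }
  # Extra check assumed by this example (not something Santa enforces):
  # only accept a vendor's own Developer ID leaf, as in the MacKeeper output.
  case "$cn" in
    "Developer ID Application: "*) ;;
    *) echo "leaf is '$cn'; review before blocking" >&2; return 1 ;;
  esac
  echo "sudo santactl rule --blacklist --certificate --sha256 $sha"
  echo "sudo santactl rule --check --certificate --sha256 $sha"
}

# Sample input: entries 1 and 2 of the fileinfo output shown in the post.
SAMPLE='Signing Chain:
1. SHA-256 : 2df1460a9c76c4a63fa2d0d043fb0254f8fa69a99374f2a0b1e8eee885872614
SHA-1 : 2664b71c3db787226ff9715da4de32e9ad3e364f
Common Name : Developer ID Application: KROMTECH ALLIANCE CORP. (64424ZBYX5)

2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
Common Name : Developer ID Certification Authority'

leaf_block_commands "$SAMPLE"
```

Entries 2 and 3 of the chain are Apple's CA certificates rather than the vendor's, which is why the script reads only entry 1.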

Setting up GAM: “Click the 3 dots to the right of your service account” not showing

GAM is a neat little command-line utility for admins to manage the G-Suite for their organizations.

The setup process is fairly straightforward, even though there are a lot of steps.

I did notice one little bit of weirdness that actually has nothing to do with GAM, but it put a little wrench in my GAM setup process. I don't know if many people will encounter this issue, but I'm writing it up just in case someone else does and is Googling for solutions.

At a certain point, GAM will prompt you to "Click the 3 dots to the right of your service account." I didn't see the 3 dots. I kept thinking "Are the instructions out of date?" That seemed odd, though, since there was just a new release of GAM recently. I also couldn't find anything on the GAM mailing list indicating that the option had disappeared.

I then realized my browser window was too small (I don't expand it all the way out horizontally).

Notice how, with a smaller window width, there are no three dots on the right?

Expand the window width a bit, and then the three dots reappear, though!

I would have thought Google would have some kind of responsive web design to the page, but I guess not. In any case, if you run into this same issue, that's the solution—expand your browser window!

Setting a signature line for your SI e-mail – Microsoft Outlook edition

To set up your SI signature in Microsoft Outlook, do the following:

Click on File and select Options.

From the left side, select Mail.

Then, on the right side, select Signatures.

Make sure you're on the E-mail Signature tab. And, if you're creating a new signature (as opposed to editing an existing one), click New, give a name for the signature you're creating, and then click OK.

Once your signature is created (or if you're simply editing a previously existing signature), you can just click into the Edit signature large text box and start editing.

The Communications Office is asking us to standardize on one that looks like this:

Mr./Ms. YourNameHere
YourTitleHere
St. Ignatius College Preparatory
2001 37th Avenue
San Francisco, CA 94116
(415) 731-7500 ext. YourExtensionHere
YourEmailHere
http://www.siprep.org

Finally, you need to select your account (if you have multiple email accounts in your Outlook client) and then select which signature will populate for New messages and for Replies/forwards.

If you use Apple Mail for your e-mail, there are instructions here.
If you use Gmail's web interface for your e-mail, there are instructions here.

Setting a signature line for your SI e-mail – Apple Mail edition

If you’d like to set a signature for your SI e-mail and you use Apple’s Mail to view and read your e-mail, open Mail and choose Preferences from the Mail menu.
Click Signatures at the top of the window.
Click the + sign at the bottom of the middle column and give your new signature a name. You’ll note that I have a few… this is because I use different signature lines for students and parents (“Work – Official”), for employees of the school and vendors (“Work – with Cell”), and for when I’m goofing around (“SillyOne”). If you have more than one, you can choose which one you use… and it’s much easier if you give it a name so you can tell them apart.
Now, in the column on the right, type in what you’d like shown for this signature. You can use different fonts, colors… even pictures (copy and paste) in your signature… the Communications Office is asking us to standardize on one that looks like this:
Mr./Ms. YourNameHere
YourTitleHere
St. Ignatius College Preparatory
2001 37th Avenue
San Francisco, CA 94116
(415) 731-7500 ext. YourExtensionHere
YourEmailHere
http://www.siprep.org
If you’d prefer, you can copy and paste the one above into the right column… You can embellish it as long as you keep in mind that your signature will look different on different computers. I stick with the standard font and color to avoid any weirdness on the other end.
Once you have the signature looking good, you must assign it to your account in the left column by dragging the name of the signature over on top of the particular account in which you’d like to use that particular signature. My work signatures don’t go on my personal accounts (and vice versa), but this gives you the ability to have separate signatures for different accounts.
You can set your signature to go on e-mails automatically by clicking on the account on the left column, then choosing a signature from the “Default Signature” pop-up menu at the bottom of the window.
Once you’re done, close the Signatures window and create a new e-mail. You’ll notice you have a new option on the right side of your messages based on the names you assigned to your signatures:
If you use Gmail’s web interface for your e-mail, there are instructions here.
If you use Outlook for your e-mail, there are instructions here.

Setting a signature line for your SI e-mail – Gmail edition

To set up a signature on your SI e-mail if you use the Gmail web site to view and read your e-mail, click the small gear in the upper right corner of the main Gmail page, then choose Settings:


In Settings, you’ll need to scroll down a bit to find the Signature area:

In the edit box, type in what you’d like displayed at the bottom of your e-mail messages… I’ve enclosed some text here that you can copy and paste, then edit to match your information.

Mr./Ms. YourNameHere
YourTitleHere
St. Ignatius College Preparatory
2001 37th Avenue
San Francisco, CA 94116
415.731.7500 ext. YourExtensionHere
YourEmailHere
http://www.siprep.org

The checkbox under the edit box puts your signature above any quoted text that you might be responding to… good idea to check it so that your signature is not lost at the very bottom of a long thread of e-mails.

Once you’ve got it looking the way you’d like, scroll down again to the very bottom of the Settings page and click the “Save Changes” button to enable the new signature.

If you use Apple Mail for your e-mail, there are instructions here.
If you use Outlook for your e-mail, there are instructions here.

iPad Gmail Mail “password missing” error

This randomly happened after we set up a slew of iPads with the same email account (Gmail on Mail), and sending messages put the outgoing message into the Outbox with an error that the password is missing, with the options to Cancel or go to Settings. Going to Settings, though, offers no option to input a password.

You can see here other users frustrated with this problem:
GMAIL Accounts unusable after 8.3 update!

Some workarounds offered are to use the Gmail app or to add Gmail as an Exchange account (if you're using Google Apps and not a regular home Gmail account).

The workaround we employed was to double-click the home button, swipe away the Mail application, and then launch it up again. After a minute or so, there would be an error about the missing password again. This time, though, the prompt for Settings would take you to a screen to enter the password.

Very odd issue.