Set up a Santa server for syncing with Fleetsmith
Important: Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information. Fleetsmith's open-source acknowledgements are listed under App Catalog Apps.
As an alternative to local rules distributed directly to computers with Fleetsmith, it’s possible to configure Santa to sync with a server to receive additional configuration and update approve and block lists.
Fleetsmith supports configuring your clients to contact either an Upvote or a Moroz server. Upvote is a companion project to Santa, also developed by Google, which integrates with a G Suite account to let users “vote” on whether unknown binaries should be blocked or trusted. See the GitHub Upvote repository. Moroz is a simpler system that distributes a global rule set, optionally overridden per computer, to clients when they sync. See the GitHub Moroz repository.
While Moroz can be hosted anywhere, Upvote must be hosted on Google App Engine. For more details, refer to the servers’ respective documentation.
Important: If you are deploying Santa to your fleet and controlling its rules from your own sync server, you must add Fleetsmith’s certificate to the server’s approve list. Failure to do so could interrupt management and require manual intervention to restore it.
Set up Santa in Fleetsmith to sync with Upvote
Set up your Upvote server by following the instructions in its project.
Add the following certificate rule to CRITICAL_RULES in your Upvote server's upvote/gae/settings.py file. This rule ensures that Santa permits Fleetsmith's agent to run on your clients on the basis of its signing certificate; without it, Fleetsmith can no longer manage the computer.
    # Fleetsmith Signing Certificate
    CriticalMacOsCertRule(
        'd7a3279f421e241bbfc4cfa71bca970a952ebf7519d8e9c10ba11d2daf12447c'),
In the Fleetsmith Admin Console, click Catalog, then click Santa.
Click the Add to Profile menu, click the Profile you want to add Santa to, then click Configure.
Turn on “Santa configuration” to enable management, then for “Mode,” click Remote.
For “Sync server type,” click Upvote.
For Server hostname, enter the domain name of the Upvote server you have set up.
Don’t add “https://” or the full URL for Upvote’s Santa endpoint, because they are added for you.
If necessary, do the following:
In the “Client certificate” field, upload a certificate in PKCS #12 format to be distributed to each of your computers by Fleetsmith. Make sure you enter the password in the “Client certificate password” field. Fleetsmith strongly recommends this step, but it requires additional configuration on your Upvote server.
If you won’t be assigning computers to their users in Fleetsmith, change “Client machine owner” to “Local user name.” You must create a function in your Upvote server to map these local user names to email addresses. The default is “Assigned user,” where Fleetsmith configures each computer to provide the email address of the user assigned to it in your Fleetsmith Admin Console as the computer owner when syncing with Upvote.
If you want to customize the user interface Santa presents to your users, enable management of “User interface customization” and configure the elements as desired.
Set up Santa in Fleetsmith to sync with Moroz
Set up your Moroz server by following the instructions in its project.
Add the following certificate rule to your Moroz server's global.toml file, located in its configs directory. This rule ensures that Santa permits Fleetsmith's agent to run on your clients on the basis of its signing certificate; without it, Fleetsmith can no longer manage the computer. You must also add this rule to every computer-specific config you create in Moroz, because a computer-specific config replaces global.toml completely for that computer rather than extending it.
[[rules]]
rule_type = "CERTIFICATE"
policy = "WHITELIST"
sha256 = "d7a3279f421e241bbfc4cfa71bca970a952ebf7519d8e9c10ba11d2daf12447c"
custom_msg = "Fleetsmith signing certificate"
In the Fleetsmith Admin Console, click Catalog, then click Santa.
Click the Add to Profile menu, click the Profile you want to add Santa to, then click Configure.
Click the toggle for “Santa configuration” to enable management, then for “Mode,” click Remote.
For “Sync server type,” click Moroz.
For Server hostname, enter the domain name of the Moroz server you have set up.
Don’t add “https://” or the full URL for Moroz’s Santa endpoint or its port number, because they are added for you.
In the “Root certificate” field, upload the certificate authority (CA) used to sign your Moroz server’s TLS certificate in PEM format.
For the client to trust the server's certificate, the CA must also be installed as a trusted root in the System keychain on each client computer. You can do this by adding the “Certificates • macOS” catalog item to Santa's profile and entering the same CA in PEM format.
If necessary, do the following:
If you prefer that your Santa clients identify themselves to Moroz by their serial number instead of their hardware UUID, change “Client machine ID” to “Serial Number.” Moroz looks up each computer's config by this ID, so this also changes how you name your computer-specific config files in Moroz.
If you want to customize the user interface Santa presents to your users, enable management of “User interface customization” and configure the elements.
Mitigate risk of attacks
Connecting security software like Santa to a sync server you control exposes you to two main types of attack: Man-in-the-Middle (MITM) attacks and Denial of Service (DoS) attacks.
MITM attacks: An MITM attack can be mitigated by instructing clients to only trust the particular Certificate Authority (CA) which issued the TLS certificate identifying the server, a process known as CA pinning.
Moroz can be deployed and hosted anywhere, giving you full control over its server-side TLS configuration. This makes it possible to issue it a unique certificate from your own pinned CA and fully implement this mitigation.
Upvote can be deployed only on Google App Engine (GAE), and GAE terminates TLS for every app it hosts with certificates issued by a CA that Google selects. Pinning that CA still leaves room for an attacker to deploy their own Upvote server on GAE, obtain a certificate from the same CA, and conduct a MITM attack if they are able to intercept network traffic from your Santa clients. Although pinning the GAE CA doesn't protect against that scenario, Fleetsmith pins it automatically as a partial mitigation, because this is the best that can be done without product changes to GAE by Google.
DoS attacks: A Denial of Service attack is mitigated by configuring the server's TLS settings to accept only clients that can authenticate themselves (mutual TLS). Santa can authenticate to its sync server by presenting a client certificate supplied as a PKCS #12 file. Just as the client is configured to trust only a specific CA for the server, the server can be configured to accept only client certificates issued by specific CAs.
Upvote doesn’t immediately support this functionality, but it does provide a stub in its code in which administrators can write their own authentication function to receive and handle these certificates.
Moroz itself doesn't provide any mechanism for client verification, leaving it vulnerable to these attacks.