---
title: "Announcing Santa 2026.4"
description: "Santa 2026.4 expands tamper resistance, changes clean sync semantics, adds silenceable device notifications, and continues security hardening."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/blog/santa-20264"
---

Releases • May 20, 2026 • By Matthew White


Santa 2026.4 is available now. This release expands Santa’s tamper resistance, changes the semantics of clean syncs, and includes user-facing improvements to the GUI.

## Continued Security Hardening

Santa’s role in macOS security means it has to be resilient to both ordinary bugs and active tampering. Across the last several releases we have made a sustained investment in hardening Santa’s most security-sensitive paths: tamper protection, code-signature verification, and the way Santa consumes data from the operating system.

Recent advances in security-focused AI [tooling](https://www.provos.org/p/finding-zero-days-with-any-model/) have helped us scale this work across the codebase, grounded in human review and engineering judgment. Expect the effort to continue across upcoming releases as both the tooling and the threats evolve.

## Expanded Anti-Tamper Protections

The bulk of 2026.4’s anti-tamper work lands in four areas:

-   **Filesystem monitoring.** Santa watches a broader set of filesystem operations to catch attempts to interfere with its on-disk state.
-   **Signal handling.** Signal delivery to the Santa daemon has been hardened against external influence.
-   **Endpoint Security input validation.** Data Santa consumes from the Endpoint Security framework is validated more rigorously before it factors into any decision.
-   **Upgrade path.** The path Santa uses during upgrades is now held to the same tamper-resistant posture as the rest of the system.

In each area, Santa is stricter about which operations it treats as legitimate and more rigorous about validating the data behind them.

## Clean Sync Now Replaces Settings

Previously, a clean sync replaced all rules on the client but left other sync-managed settings in place. As of 2026.4, a clean sync also replaces those settings using whatever the server sends down during Preflight.

For Workshop customers, Workshop is already doing the right thing. Sync server maintainers should update their Preflight response on clean syncs to include the complete desired settings. Settings the server doesn’t send won’t carry over from the prior client state.

After a clean sync, the client now matches whatever the server says it should be, rules and settings together. The semantics are easier to reason about, and stale settings no longer linger after a reset.

## Silenceable Device Notifications

Notifications for blocked removable media can now be silenced from the GUI. When the same notification appears repeatedly, end users can silence it without dismissing each one. Silencing is per-device, so anything else that gets blocked will still trigger its own notification.

When UI notifications for removable media have been silenced, Santa will still apply security policy as configured and prevent the device from mounting. The user-facing notification is the only thing that changes.

## Additional Improvements

Other notable changes in 2026.4:

-   `SyncBaseURL` must now use HTTPS unless it points at a loopback address. Existing plaintext deployments against remote servers will need to migrate before upgrading.
-   The sync service no longer retries requests on non-transient errors such as most HTTP 4xx responses. Retrying on a 401 or 403 just delayed the eventual failure and added noise to sync server logs.
-   Keyboard shortcuts in the Santa GUI now follow standard system conventions. Cmd+W closes windows. Esc dismisses panes like the “More Info” view.
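
A pre-upgrade check for the `SyncBaseURL` requirement above, as an added example that is not Santa's own code: it flags configured values that are plaintext HTTP to a non-loopback host. How Santa itself decides what counts as loopback is not described here; treating literal loopback IPs and the name `localhost` as loopback is an assumption, and the function names are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback_host(host):
    """True for literal loopback IPs (127.0.0.0/8, ::1) and the name localhost."""
    host = host.rstrip(".").lower()
    if host == "localhost":  # assumption: the name is treated like a loopback IP
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname, including 127.0.0.1.example.com


def check_sync_base_url(url):
    """Return (ok, reason) for one configured SyncBaseURL value."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if not host:
        return False, "no scheme or host"
    if parts.scheme == "https":
        return True, "https"
    if parts.scheme != "http":
        return False, f"unsupported scheme {parts.scheme!r}"
    if is_loopback_host(host):
        return True, "plaintext to loopback"
    return False, "plaintext to remote host: migrate to https"


# Constructed sample values, not taken from any real deployment.
SAMPLE_URLS = [
    "https://sync.example.com/santa/",
    "http://sync.example.com/santa/",
    "http://127.0.0.1:8080/",
    "http://[::1]:8080/",
    "http://127.0.0.1.example.com/",       # hostname that only looks like loopback
    "http://127.0.0.1@sync.example.com/",  # userinfo is not the host
]


def needs_migration(urls):
    """URLs that would be rejected under the HTTPS-or-loopback rule."""
    return [u for u in urls if not check_sync_base_url(u)[0]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, check_sync_base_url(u))
```

Run it over the `SyncBaseURL` values exported from your configuration profiles; anything returned by `needs_migration` has to move to HTTPS before the fleet upgrades.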

## Getting Santa 2026.4

Santa 2026.4 is available now on [GitHub](https://github.com/northpolesec/santa/releases/tag/2026.4), with deployment guidance in the [getting started guide](https://northpole.dev/deployment/getting-started/).

