Package Rules, Require TouchID, Network Mount Blocking, and More
We’re excited to announce the latest Workshop release, bringing powerful new security controls to help you better protect your fleet. This release introduces support for Package Rules, REQUIRE_TOUCHID policies, network mount blocking, and numerous usability and performance improvements.
Package Rules
We’ve added support for Package Rules, a powerful new feature that takes the pain out of managing machines running homebrew, Terraform, cargo, and more. Package Rules allow you to define policies at the package level rather than for individual binaries, with execution rules automatically being added as packages are updated.
For a deep dive into Package Rules and how to use them effectively, check out our dedicated blog post on Package Rules.
Require TouchID for Binary Execution
One of the most significant additions in this release is the ability to gate execution behind TouchID. This ensures that a user really is at the machine and intended to run the application, adding a critical layer of protection for sensitive applications.
How It Works
When a CEL rule returns REQUIRE_TOUCHID or REQUIRE_TOUCHID_ONLY, Santa will prompt the user for TouchID authentication before allowing the binary to run. This is particularly useful for:
- Privileged administrative tools — Ensure only the person physically present at the machine can run tools like osascript.
- Sensitive applications — Protect access to applications that handle confidential data.
- High-risk binaries/flags — Add friction before executing binaries that could cause significant impact, such as starting nc with the listen flag.
Unlike a regular block, an execution that requires authentication is suspended until authentication is given, so the user does not need to rerun the application.
Configuration Options
Workshop now supports several TouchID-related return values in your CEL rules:
| Return value | Description |
|---|---|
| REQUIRE_TOUCHID | Require TouchID authentication before execution |
| REQUIRE_TOUCHID_ONLY | Require TouchID and skip the normal Santa dialog |
| require_touchid_with_cooldown_minutes(N) | Require TouchID with a specified cooldown period, allowing future executions within that period without requiring extra authentication |
| require_touchid_only_with_cooldown_minutes(N) | Same as above, skipping the normal Santa dialog |
The cooldown variants are especially useful for applications that users run frequently throughout the day—you get the security benefit of biometric verification without excessive authentication fatigue.
Note: This feature requires Santa 2026.1 or later. Workshop will automatically enforce this version requirement when REQUIRE_TOUCHID rules are in use.
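As an illustration of how these return values combine with a CEL expression, here is an example rule added here; it is not taken from the post or from Workshop's documentation. It assumes the rule is bound to the nc binary described above, that Santa exposes the process arguments to the expression as a list of strings named args (an assumption about the CEL environment), and that ALLOWLIST is the ordinary allow result for a CEL rule.

```cel
// Added example, not from the original post. Assumptions: the rule is
// attached to the nc binary; `args` is the argument list Santa exposes
// to the expression; ALLOWLIST is the standard allow result.
//
// Starting nc in listen mode opens a port on the host, so require the
// person at the keyboard to confirm with TouchID and reuse that approval
// for 30 minutes. Any other invocation of nc runs without a prompt.
args.exists(a, a == "-l" || a == "--listen")
  ? require_touchid_with_cooldown_minutes(30)
  : ALLOWLIST
```

The ternary form is ordinary CEL, so the same shape works for the other return values in the table: swap in REQUIRE_TOUCHID_ONLY to suppress the Santa dialog, or drop the cooldown to prompt on every listen-mode launch.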
Network Mount Blocking
This release introduces network mount blocking controls, giving you the ability to restrict access to network file shares across your fleet. Network mounts can be a vector for data exfiltration or lateral movement, and Workshop now provides granular controls to manage this risk.
At present this only works with local network mounts, such as NFS and Samba shares. We plan to enhance this in future releases.
Configuring Network Mount Blocking
Network mount blocking can be configured at both the global level and per-tag, allowing you to apply different policies to different groups of hosts. The configuration options include:
| Option | Description |
|---|---|
| Enable/Disable blocking | Turn network mount blocking on or off for specific tags or globally |
| Host allowlist | Specify trusted network hosts that should always be allowed (e.g., your corporate file servers) |
| Custom block message | Configure the message users see when a mount is blocked |
Use Cases
Network mount blocking is particularly valuable for:
- Preventing unauthorized file sharing — Block access to personal cloud storage services mounted as network drives
- Compliance requirements — Enforce policies that restrict where corporate data can be accessed
- Reducing attack surface — Limit the ability for compromised hosts to mount attacker-controlled shares
Combined with Workshop’s existing USB blocking capabilities (now unified in the UI), you have comprehensive control over removable and network storage across your fleet.
Note: This feature requires Santa 2026.1 or later.
Additional Improvements
Department and Cost Center Mapping
Workshop now syncs department and cost center information from your identity provider to user records. More importantly, you can map these organizational attributes to tags, which then automatically apply to hosts.
This makes it easy to enforce different security policies and add default rule sets based on organizational structure—for example:
- Applying stricter controls to Finance department machines
- Relaxing certain restrictions for Engineering
- Automatically tagging contractor devices differently from full-time employees
Create Rules from Bundle
You can now create rules directly for an entire bundle. When viewing an application’s details, you can quickly create rules for all binaries within a bundle with a single action, streamlining the process of allowlisting or blocklisting entire applications. This is available in both the UI and API.
Santa Kill Command
Often you may need to terminate a running process either for compliance reasons or because it’s malicious. Santa by itself does not stop already running programs. This has been one of our most requested features over the years.
Workshop now supports Santa’s Kill Command, allowing administrators to remotely terminate processes on managed hosts. This powerful capability is protected by our new Multi-Party Approval (MPA) system—when MPA is enabled, kill commands require approval from multiple administrators before execution, preventing accidental or unauthorized use of this destructive action. Currently the kill command is only available in the API, but we’ll be adding UI support in the next release.
MDM User Mapping
Santa has long supported sending up the “assigned” user for a host, which helps Workshop map hosts to users and ultimately to tags. Many MDMs support variables in configuration profiles to automatically populate an assigned user’s email address, but knowing what these variables are and getting them into the Santa config could be tricky. The generated config shown in the Workshop UI now supports a drop-down MDM selector, which will automatically add the MachineOwner key for you.
We’re committed to giving you the tools you need to secure your Mac fleet effectively. As always, we welcome your feedback and suggestions for future improvements.