Chat with Workshop, Ancestor-based CEL policies, improved Telemetry export & querying, and much more
When we shipped Workshop 2026.1, we called it our biggest release ever. Nobody on the team seems to have heard of a “quiet follow-up release,” so here we are — Workshop 2026.2 is even bigger. This release introduces Chat with Workshop, ancestor-based CEL policies, telemetry export, and a long list of usability improvements that give you deeper visibility into your fleet and more powerful policy controls than ever.
Chat with Workshop (BETA)
We’ve added an AI-powered chat interface directly inside Workshop. Bring your own Claude, Gemini, or ChatGPT API key and ask natural language questions about your fleet, with full access to Workshop’s APIs behind the scenes.
Ask questions like:
- “What are the 10 most blocked pieces of software on my fleet?”
- “Who has been approving the most software?”
- “How many hosts are running an old version of Santa?”
Chat with Workshop is currently in BETA and available to users with the workshop-admin role. You can configure the chat interface to be read-only if you prefer to limit it to queries only.
Ancestor-Based CEL Policies
Workshop now exclusively supports the ancestors field in CEL policies, unlocking a whole new class of policy that controls execution based on a binary’s ancestor process chain. This lets you write rules that consider how a binary was launched, not just what was launched.
This is especially powerful for:
- Restricting AI agent tool access — Prevent AI agents from invoking built-in system tools like
osascriptorcurlunless launched from an approved parent process. - Compiler rules — Create rules scoped to tools invoked by Xcode or other build systems, without broadly allowing those tools everywhere.
- Preventing scripting abuse — Block your word processor or browser from spawning shell scripts or interpreters.
Note: This feature requires Santa 2026.2 or later.
Telemetry Export
Telemetry export is now available, giving you the ability to stream host telemetry data — including new network activity events — to your own storage. On-host filtering lets you control what gets exported, keeping data volumes manageable and keeping secrets from leaving hosts. We’ve also added network activity events to the telemetry stream, letting you see which processes are making connections, where to, and how much data they’re sending & receiving.
Telemetry data is queryable directly from the Workshop UI or API using a SQL interface, making it easy to investigate activity across your fleet without leaving Workshop.
Telemetry export is an optional add-on for Workshop. If you’d like to try it, get in touch.
Note: This feature requires Santa 2026.2 or later.
Additional Improvements
Event & Approval Analytics
The Reports page has two new analytics tabs. Event Analytics shows aggregated event counts per day, grouped by decision and reason, with optional filtering. Approval Analytics shows rule propagation latency across all workflows, and for self-service approvals it displays approval latency along with blocked apps still awaiting approval. More approval workflow reports are coming in the next release.
Global Search with Cmd+K
A new global search and command palette is now available via Cmd+K, making it fast to navigate to hosts, rules, events, and settings from anywhere in the UI.
Package Rule Enhancements
Package rules now support CEL policies, custom messages, and custom URLs — bringing them to feature parity with regular execution rules. With the ability to attach CEL policies to package rules, you can use this to block executions of known bad scripts that use interpreters from Homebrew, like OpenClaw.
Kill Command in the UI
The Kill command, introduced in 2026.1 as an API-only feature, is now available in the UI. You can issue kill commands to one or more tags or directly to a host.
We’re committed to giving you the tools you need to secure your Mac fleet effectively. As always, we welcome your feedback and suggestions for future improvements.