Workshop 2026.3 focuses on giving you more powerful policy control, better fleet visibility, and a smoother day-to-day experience.
CEL Fallback Rules
Sync settings now support CEL-based fallback rules — expressions that evaluate when no existing rule matches a binary. Fallback rules can return all regular return values (e.g. ALLOWLIST, SILENT_BLOCKLIST, etc.) or UNSPECIFIED (to fall through to the next rule), giving you a programmable safety net at the bottom of your rule stack.
This release also adds support for the fds field, target.entitlements, and signing ID in all CEL expressions, plus the args field on ancestors — significantly expanding what you can express in policy. The target.entitlements field is particularly useful in fallback expressions, allowing you to block things like VPNs and Hypervisors across your fleet while regular rules can still allow specific tools from these classes that you trust.
Note: This feature requires Santa 2026.3 or later.
Risk Engine Plugin Filters
Each risk engine plugin (VirusTotal, ReversingLabs, etc.) can now have a CEL filter expression that’s evaluated before the plugin runs. This lets you scope plugins to specific hosts or blockable properties — for example, “only run VirusTotal for hosts in the production tag” — without relying on post-hoc exceptions.
Filter expressions use the same CEL environment you already know, with access to blockable properties and host tags.
Santa Metrics
Workshop now ingests CPU and memory metrics directly from Santa agents. Fleet-wide metrics are visualized on the dashboard, and per-host metrics are available on host detail pages. This gives you immediate visibility into agent health and resource consumption without needing a separate monitoring stack.
Note: This feature requires Santa 2026.3 or later.
Additional Improvements
Bulk Rule Creation
Select multiple bundles or binaries from the Apps tab and create rules for all of them at once, with support for multiple tags and configurable rule type, policy, and comment.
Rule IDs in Events
Execution and file access events now include the ID of the rule that triggered them. Rule IDs are displayed in the events UI and are searchable, making it easy to trace an event back to the policy that caused it.
Note: This feature requires Santa 2026.3 or later.
Encrypted Removable Media
Admins can now enforce encrypted removable media mounts via sync settings, and encryption details are surfaced on the USB mount events page.
Note: This feature requires Santa 2026.3 or later.
We’re committed to giving you the tools you need to secure your Mac fleet effectively. As always, we welcome your feedback and suggestions for future improvements.