Announcing Workshop 2026.5

Workshop 2026.5 expands what you can control from the console, gives you finer-grained safeguards around sensitive actions, and makes navigating your fleet faster than ever.

Seatbelt Rules (BETA)

Workshop can now craft and sync Seatbelt policies to your fleet. Full policies can be authored using the complete power of the Seatbelt Policy Language, giving you fine-grained control over what processes are allowed to do on a host.

For everyday policies, a simple editor helps you write a policy without learning the language by hand — configuring allowed actions such as which files a process can read or write, and whether network access is allowed or blocked. When you need more, you can drop down to the full policy language at any time.

Seatbelt Rules are currently in BETA.

Note: This feature requires Santa 2026.4 or later.

Multiparty Approval on Any Method

Multiparty approval (MPA) is no longer limited to a hardcoded list of protected methods. You can now enforce MPA on any method, choosing exactly which actions in your environment require a second set of eyes.

For even finer control, each method can have a CEL expression attached. The expression receives a full copy of the request, letting you selectively require approval based on the request itself — for example, only requiring MPA for changes made against a specific tag rather than for every call to a method.

If you enable MPA after upgrading to this release, a default set of methods becomes protected out of the box. Some of these defaults ship with CEL expressions that limit MPA to requests made against the global tag, so the most sensitive, fleet-wide changes are protected without requiring approval for routine, narrowly-scoped work.

Redesigned Filters

We’ve redesigned the filter mechanism across Workshop into a single search bar. Active filters are now visible at a glance, far quicker to update, and can be driven entirely from the keyboard — no reaching for the mouse to refine what you’re looking at.

Additional Improvements

App Inventory & Binary Upload

Two new commands can be sent to Santa: App Inventory, which collects an inventory of the applications installed on a host, and Binary Upload, which retrieves a copy of a binary for closer inspection.

Both commands require Santa 2026.5 or later.

API Key CIDR Restrictions & Passkey Emergency Login

API keys can now be restricted to specific CIDR ranges, so a key only works from the networks you expect. We’ve also added passkey emergency login support, giving you a resilient way back into Workshop when your primary login path is unavailable.

AUDIT return in CEL rules

You can now return the AUDIT return value from CEL rules to allow execution but flagging the execution in the Workshop UI.

This is especially useful when crafting complex CEL expressions to see what effect your expression will have before blocking something on user’s machines. It can also be used to highlight executions that might be more risky (e.g. specific command-line flags, or running as root)

We’re committed to giving you the tools you need to secure your Mac fleet effectively. As always, we welcome your feedback and suggestions for future improvements.