---
title: "Keys - Santa Docs"
description: "Keys - Open source binary authorization for macOS. Configure, deploy, and extend the agent that powers Workshop."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/docs/santa/configuration/keys"
---
# Keys

This page describes all of the available configuration options recognized by Santa.

The configuration keys are broken down into sections to make it easier to find what you’re looking for but in the configuration profile all the keys should be set together.

Some keys (or available values for a key) will have a badge showing which Santa version they were added or deprecated in. Where a key has been deprecated, the description will list an alternative if one is available.

A key marked with the sync badge next to its type can be overridden by a sync server.

## General

General options

**Default:**

1

**Allowed values:**

-   `1` (Monitor): Executions of binaries not covered by a rule will be allowed
-   `2` (Lockdown): Executions of binaries not covered by a rule will be blocked
-   `3` (Standalone): Executions of binaries not covered by a rule will trigger an authorization dialog (added in 2024.11)

The client mode that Santa should operate in.

**Default:**

false

If true and the ClientMode is `LOCKDOWN`: execution will be denied when there is an error reading or processing an executable file, and when Santa has to return a default response just before an EndpointSecurity deadline expires. In any other mode this key has no effect.

**Default:**

true

If true, Santa will fallback to password authorization for Standalone mode.

**Default:**

false

If true, Santa will not process events that are generated by other EndpointSecurity clients that may be installed on the system.

**Default:**

false

If true, Santa will periodically collect and send basic, non-identifying stats to the maintainers at North Pole Security to help better support Santa. See Stats documentation for complete details

This key should only be set for organizations that have a contract with North Pole Security. See Stats documentation for complete details

## Sync

Options related to syncing

The base URL of the sync server

**Default:**

false

If true, sync will happen using binary protos instead of JSON

The proxy configuration to use when syncing. See the Apple Documentation for details on the keys that can be used in this dictionary

**Default:**

false

If true, events will be uploaded to the sync server even if a clean sync is requested

If set, this contains the location of a PKCS#12 certificate to be used for sync authentication

Contains the password for the PKCS#12 certificate

If set, this is the Common Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain

If set, this is the Issuer Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain

If set, this is valid PEM containing one or more certificates to be used for certificate pinning. To comply with ATS the certificate chain must also be trusted in the keychain

The same as the above but is a path to a file on disk containing the PEM data

The machine owner

Groups the machine owner is a member of

**Default:**

Hardware UUID

The machine ID. Care should be taken if overriding the default value. Using it incorrectly with a sync server that implements progressive syncing could lead to incomplete rules.

The path to a plist that contains the `MachineOwnerKey` / value pair

The key to use on `MachineOwnerPlist`

The key to use on `MachineOwnerPlist` to access defined groups

The path to a plist that contains the `MachineIDKey` / value pair

The key to use on `MachineIDPlist`

**Default:**

false

If true, the client will upload all execution events to the sync server, including those that were explicitly allowed

**Default:**

false

If true, the client will not upload events for executions of unknown binaries allowed in monitor mode

**Default:**

deflate

**Allowed values:**

-   `deflate`
-   `gzip`
-   `none`

Sets the Content-Encoding header for requests sent to the sync service

Dictionary of additional headers to include in all requests made to the sync server. System managed headers such as `Content-Length`, `Host`, `WWW-Authenticate` etc will be ignored

## GUI

Options controlling how the GUI functions

**Default:**

false

If true, Santa will not post any GUI notifications. This can be a very confusing experience for users; use with caution.

**Default:**

false

If true, Santa will not post any TTY notifications. This can be a very confusing experience for users; use with caution.

**Default:**

true

If true, Santa will show an item in the macOS menu bar to allow syncing and management of temporary monitor mode by default. Users are able to show/hide the menu item from the About window.

The text to display when the user opens Santa.app. If unset, the default text will be displayed

The URL to open when the user clicks “More Info…” when opening Santa.app. If unset, the button will not be displayed

When the user gets a block notification, a button can be displayed which will take them to a web page with more information about that event. This URL will be used for all rules unless overridden by a rule-specific option.

This property supports several placeholders that are replaced before the URL is constructed. The following sequences will be replaced in the final URL:

| Placeholder | Description |
| --- | --- |
| `%file_identifier%` | SHA-256 of the file that was blocked |
| `%bundle_or_file_identifier%` | SHA-256 of the file that was blocked or the bundle containing it, if available |
| `%file_bundle_id%` | The bundle ID that this binary is part of, if any |
| `%team_id%` | The team ID that signed this binary, if any |
| `%signing_id%` | The signing ID of this binary, if any |
| `%cdhash%` | The binary's CDHash, if any |
| `%machine_id%` | ID of the machine |
| `%username%` | The executing user |
| `%serial%` | System's serial number |
| `%uuid%` | System's UUID |
| `%hostname%` | System's full hostname |

**Example**: `https://sync-server-hostname/%machine_id%/%file_identifier%`
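The substitution described above, as an added example that is not Santa's own code: a Python function that expands the documented placeholders from a block event and percent-encodes every value, so that attacker-influenced fields (signing IDs, bundle IDs, usernames) cannot add path segments or query parameters to the URL the user is sent to. The event field names and the sample event are this example's own constructions, not Santa's internal names.

```python
from urllib.parse import quote

# Documented placeholders mapped to the field of a block event that supplies
# each value. The field names on the right are chosen for this example; they
# are not Santa's internal names.
PLACEHOLDER_FIELDS = {
    "%file_identifier%": "file_sha256",
    "%bundle_or_file_identifier%": "bundle_or_file_sha256",
    "%file_bundle_id%": "bundle_id",
    "%team_id%": "team_id",
    "%signing_id%": "signing_id",
    "%cdhash%": "cdhash",
    "%machine_id%": "machine_id",
    "%username%": "username",
    "%serial%": "serial",
    "%uuid%": "uuid",
    "%hostname%": "hostname",
}


def build_event_detail_url(template: str, event: dict) -> str:
    """Expand the documented placeholders in an EventDetailURL template.

    Every substituted value is percent-encoded with no characters left safe,
    so a signing ID like "com.example.app:helper" or a username containing
    "/" or "?" cannot add path segments or query parameters to the URL. A
    value that itself contains placeholder text is encoded before any later
    substitution runs, so it is never expanded. Fields the event lacks (for
    example no bundle ID for a bare binary) expand to an empty string, and
    sequences outside the documented set are left untouched.
    """
    url = template
    for placeholder, field in PLACEHOLDER_FIELDS.items():
        value = event.get(field) or ""
        url = url.replace(placeholder, quote(str(value), safe=""))
    return url


# Constructed block event; hashes and identifiers are made up.
SAMPLE_EVENT = {
    "file_sha256": "deadbeef" * 8,
    "bundle_or_file_sha256": "deadbeef" * 8,
    "bundle_id": None,
    "team_id": "ABCDE12345",
    "signing_id": "com.example.app:helper",
    "cdhash": "0123456789abcdef0123456789abcdef01234567",
    "machine_id": "2F4A1B3C-0000-4000-8000-00AABBCCDDEE",
    "username": "j doe",
    "serial": "C02SAMPLE001",
    "uuid": "2F4A1B3C-0000-4000-8000-00AABBCCDDEE",
    "hostname": "laptop-42.corp.example",
}

if __name__ == "__main__":
    template = "https://sync-server-hostname/%machine_id%/%file_identifier%"
    print(build_event_detail_url(template, SAMPLE_EVENT))
```

Because the placeholders are replaced in sequence, the encoding step matters twice: it keeps delimiters out of the URL, and it guarantees that a value such as a username of `%team_id%` is emitted as `%25team_id%25` rather than being expanded by a later substitution.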

Related to the above property, this string represents the text to show on the button

The text to display on the button that dismisses the binary block dialog. The default text is "Dismiss"

In Lockdown/Standalone mode this is the message shown to the user when an unknown binary is blocked. If this message is not configured a reasonable default is provided

This is the message shown to the user when a binary is blocked because of a rule if that rule doesn't provide a custom message. If this is not configured a reasonable default is provided

**Default:**

Switching into Monitor mode

The notification text to display when the client goes into Monitor mode.

**Default:**

Switching into Lockdown mode

The notification text to display when the client goes into Lockdown mode.

Message to display when a USB device is prevented from being mounted

Message to display when a USB device is allowed to be mounted with a subset of the requested flags as defined by `RemountUSBMode`

This is the message shown to the user when access to a file is blocked because of a rule defined by `FileAccessPolicy` and that rule doesn't provide a custom message. If this is not configured a reasonable default is provided

**Default:**

true

If false, the user will not be presented with an option to silence notifications

The company name to display on Santa GUIs as well as in messages written to the TTY. For GUI windows, this setting is ignored if `BrandingCompanyLogo` is set.

A URL referencing a logo image to display on Santa UIs. The image will be scaled down appropriately to fit within image bounds (currently 84x28 pixels). If set, this overrides `BrandingCompanyName`.

**Supported URL schemes:**

-   `file://` - Local file path (e.g., `file:///Library/Application%20Support/MyOrg/logo.png`)
-   `data:` - Base64-encoded image data (e.g., `data:image/png;base64,iVBORw0KG...`)

**Note:** HTTP/HTTPS URLs are not supported.

A URL referencing a logo image to display on Santa UIs. When the UI is displayed in dark mode and this is set, it overrides both `BrandingCompanyLogo` and `BrandingCompanyName`. The image will be scaled down appropriately to fit within image bounds (currently 84x28 pixels).

**Supported URL schemes:**

-   `file://` - Local file path (e.g., `file:///Library/Application%20Support/MyOrg/logo-dark.png`)
-   `data:` - Base64-encoded image data (e.g., `data:image/png;base64,iVBORw0KG...`)

**Note:** HTTP/HTTPS URLs are not supported.

**Default:**

false

If true, the Santa UI will use special images/fonts on certain holidays.

## FAA

Options controlling file-access authorization

Path to a file access configuration plist. This is ignored if `FileAccessPolicy` is also set. See [File Access Authorization](https://northpole.security/docs/santa/features/faa) for configuration details.

A complete file access configuration policy embedded in the main Santa config. If set, `FileAccessPolicyPlist` will be ignored. See File Access Authorization for configuration details

**Default:**

600

Number of seconds between re-reads of the file access policy configuration, after which the policies and monitored paths are updated. The minimum value is 15 seconds.

**Default:**

none

**Allowed values:**

-   `AUDIT_ONLY`: no access will be blocked, only logged
-   `DISABLE`: no access will be blocked or logged
-   `none`: enforce policy as defined in each rule

Defines a global override policy that applies to the enforcement of all FileAccessPolicy rules.

**Default:**

60

Sets the average logs per second that will be emitted by File Access Authorization rule violations. Setting to 0 will disable log rate limiting. Rate limiting only applies to logging. FAA rules that are not audit only will still block operations that violate the rule.

**Default:**

15

Sets the window size, in seconds, over which the `FileAccessGlobalLogsPerSec` setting is applied in order to allow for bursts of logs. Setting to 0 will disable log rate limiting. Rate limiting only applies to logging. FAA rules that are not audit only will still block operations that violate the rule.

## Rules

Options controlling binary authorization rules

A regex to allow if the binary, certificate, or Team ID scopes did not allow/block execution. Regexes are specified in ICU format.

A regex to block if the binary, certificate, or Team ID scopes did not allow/block an execution. Regexes are specified in ICU format.

**Default:**

false

If true, binaries with a bad signing chain will be blocked even in `MONITOR` mode, **unless** the binary is allowed by an explicit rule.

**Default:**

true

If true, 32-bit binaries that are missing the `__PAGEZERO` segment will be blocked even in `MONITOR` mode, **unless** the binary is allowed by an explicit rule.

**Default:**

false

If true, Santa will respect compiler rules and create allow rules for the executables they produce.

A static set of rules to always apply to the host. These rules always take precedence over any configured by a sync server. Having this key set will also prevent local configuration of rules using the `santactl rule` command.

Within the set of rules configured as StaticRules, the normal [rule precedence](https://northpole.security/docs/santa/features/binary-authorization) order applies.

The intended use-case for StaticRules is for a small hardcoded set of rules that every host at a company will need to run even in emergencies, such as management tools. Santa heavily caches these rules and we've seen hosts with a few thousand static rules working correctly, but we don't recommend using StaticRules for this.
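As an added example that is not part of Santa or this page, the following Python linter checks a managed-preferences dictionary for the interactions called out in the General, Sync, GUI, FAA, Rules and Telemetry sections: `FailClosed` only applies in Lockdown mode, `EnableSilentMode` hides block dialogs, an overridden `MachineID` can produce incomplete rules under progressive sync, `StaticRules` disables `santactl rule`, `FileAccessPolicy` shadows `FileAccessPolicyPlist`, the 15 second minimum on the policy refresh interval, `OverrideFileAccessAction` switching off enforcement, an `EventLogPath` change that needs a matching newsyslog entry, and the unsupported HTTP(S) logo scheme. Key names this page does not spell out (`FailClosed`, `EnableSilentMode`, `FileAccessPolicyUpdateIntervalSec`, `OverrideFileAccessAction`) are taken from Santa's configuration reference; the preference domain and the two sample dictionaries are assumptions made for the example.

```python
import plistlib

# Client modes as listed under General.
MONITOR, LOCKDOWN, STANDALONE = 1, 2, 3

# Assumed preference domain for the profile payload (matches the
# com.northpolesec.santa.newsyslog.conf file name; not stated on this page).
PREFERENCE_DOMAIN = "com.northpolesec.santa"


def lint_santa_config(cfg: dict) -> list:
    """Return human-readable findings for settings that interact badly.

    cfg is the key/value dictionary that a configuration profile delivers to
    Santa. Each check mirrors a caveat documented for the key it inspects.
    """
    findings = []
    mode = cfg.get("ClientMode", MONITOR)
    if mode not in (MONITOR, LOCKDOWN, STANDALONE):
        findings.append(f"ClientMode {mode!r}: not 1 (Monitor), 2 (Lockdown) or 3 (Standalone)")
    if cfg.get("FailClosed") and mode != LOCKDOWN:
        findings.append("FailClosed has no effect outside Lockdown mode")
    if mode == LOCKDOWN and not cfg.get("FailClosed"):
        findings.append("Lockdown without FailClosed: unreadable binaries and deadline timeouts are allowed")
    if cfg.get("EnableSilentMode"):
        findings.append("EnableSilentMode hides all GUI notifications; users will not see why a binary was blocked")
    if "MachineID" in cfg:
        findings.append("MachineID overrides the hardware UUID; a progressive-sync server may deliver incomplete rules")
    if "StaticRules" in cfg:
        findings.append("StaticRules is set; local rules via 'santactl rule' are disabled and sync rules are overridden")
    if "FileAccessPolicy" in cfg and "FileAccessPolicyPlist" in cfg:
        findings.append("FileAccessPolicyPlist is ignored because FileAccessPolicy is also set")
    interval = cfg.get("FileAccessPolicyUpdateIntervalSec")
    if interval is not None and interval < 15:
        findings.append(f"FileAccessPolicyUpdateIntervalSec={interval}: minimum is 15 seconds")
    override = cfg.get("OverrideFileAccessAction")
    if override in ("AUDIT_ONLY", "DISABLE"):
        findings.append(f"OverrideFileAccessAction={override}: no FileAccessPolicy rule will block anything")
    log_type = cfg.get("EventLogType", "file")
    if "EventLogPath" in cfg:
        if log_type not in ("file", "json"):
            findings.append(f"EventLogPath is ignored for EventLogType={log_type}")
        elif cfg["EventLogPath"] != "/var/db/santa/santa.log":
            findings.append("EventLogPath changed; update com.northpolesec.santa.newsyslog.conf to match")
    logo = cfg.get("BrandingCompanyLogo", "")
    if logo.startswith(("http://", "https://")):
        findings.append("BrandingCompanyLogo: HTTP/HTTPS URLs are not supported, use file:// or data:")
    return findings


def render_payload_content(cfg: dict) -> bytes:
    """Serialise cfg as the XML plist that becomes the profile's payload content."""
    return plistlib.dumps(cfg, fmt=plistlib.FMT_XML, sort_keys=True)


# Constructed sample dictionaries, not taken from any real deployment.
WEAK_CONFIG = {
    "ClientMode": MONITOR,
    "FailClosed": True,  # meaningless in Monitor mode
    "EnableSilentMode": True,
    "MachineID": "laptop-42",
    "OverrideFileAccessAction": "AUDIT_ONLY",
    "BrandingCompanyLogo": "https://intranet.example/logo.png",
}

HARDENED_CONFIG = {
    "ClientMode": LOCKDOWN,
    "FailClosed": True,
    "EventLogType": "json",
    "BrandingCompanyLogo": "file:///Library/Application%20Support/MyOrg/logo.png",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = lint_santa_config(cfg)
        print(f"{name} ({PREFERENCE_DOMAIN}): {len(found)} finding(s)")
        for f in found:
            print("  -", f)
    print(render_payload_content(HARDENED_CONFIG).decode())
```

Run it against the dictionary you are about to ship before wrapping it in a profile; the weak sample produces five findings and the hardened one none, and the rendered plist is what a profile carries for the Santa preference domain.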

## Telemetry

Options controlling the output of telemetry data

The regex of paths to log file changes. Regexes are specified in ICU format

Array of path prefix strings. When an event is logged, if the target path (e.g. the file being written, removed, etc.) matches a prefix it will not be logged

**Default:**

Everything

**Allowed values:**

-   `Everything`
-   `Execution`
-   `Fork`
-   `Exit`
-   `Close`
-   `Rename`
-   `Unlink`
-   `Link`
-   `ExchangeData`
-   `Disk`
-   `Bundle`
-   `Allowlist`
-   `FileAccess`
-   `CodesigningInvalidated`
-   `LoginWindowSession`
-   `LoginLogout`
-   `ScreenSharing`
-   `OpenSSH`
-   `Authentication`
-   `Clone`
-   `Copyfile`
-   `GatekeeperOverride`
-   `LaunchItem`
-   `TCCModification`
-   `XProtect`
-   `None`

Array of strings for events that should be logged

This key is no longer supported. Use the new `Telemetry` key instead.

**Default:**

file

**Allowed values:**

-   `syslog`: Sent to the macOS Unified Logging System
-   `file`: Sent to a file on disk
-   `protobuf`: (BETA) Sent to file on disk using a maildir-like format
-   `json`: (BETA) Same as file but output is one JSON object per line
-   `null`: Don't output any event logs

Defines how event logs are stored.

Note: The `protobuf` and `JSON` formats are in BETA and subject to change. We will call out any changes in the release notes of any future release that changes them.

**Default:**

/var/db/santa/santa.log

If `EventLogType` is set to `file` or `json`, EventLogPath will provide the path to save logs. If you change this value ensure you also update `com.northpolesec.santa.newsyslog.conf` with the new path

**Default:**

/var/db/santa/spool

If `EventLogType` is set to `protobuf`, SpoolDirectory will provide the base directory used to save files according to a maildir-like format

**Default:**

100

If `EventLogType` is set to `protobuf`, SpoolDirectoryFileSizeThresholdKB defines the per-file size limit for files stored in the spool directory. Events are buffered in memory until this threshold would be exceeded (or `SpoolDirectoryEventMaxFlushTimeSec` is exceeded)

**Default:**

100

If `EventLogType` is set to `protobuf`, SpoolDirectorySizeThresholdMB defines the total combined size limit of all files in the spool directory. Once the threshold is met, no more events will be saved

**Default:**

10

If `EventLogType` is set to `protobuf`, SpoolDirectoryEventMaxFlushTimeSec defines the maximum amount of time events will stay buffered in memory before being flushed to disk, regardless of whether or not `SpoolDirectoryFileSizeThresholdKB` would be exceeded

**Default:**

false

If this key is true, the `MachineID` will be added to each log entry.

Entitlement prefixes that should not be logged (for example: `com.apple.private`).

Entitlements from processes with a matching TeamID in the code signature will not be logged. Use the value `platform` to filter entitlements from platform binaries.

## Removable Media (e.g. USB device)

Options controlling the Removable Media (e.g. USB device) mount control feature

**Default:**

false

If true, the USB mass storage blocking feature is enabled.

**Allowed values:**

-   `rdonly`
-   `noexec`
-   `nosuid`
-   `nobrowse`
-   `noowners`
-   `nodev`
-   `async`
-   `-j`

Array of strings for arguments to pass to `mount -o` when forcibly remounting devices.

**Allowed values:**

-   `Unmount`
-   `ForceUnmount`
-   `Remount`
-   `ForceRemount`

If set, defines the action that should be taken on existing USB mounts when Santa starts up.

**Note**: “remounts” are implemented by first unmounting and then mounting the device again. Existing mounts with mount flags that are a superset of `RemountUSBMode` are unaffected and left as-is.

## Metrics

Options controlling the export of agent metrics

**Allowed values:**

-   `rawjson`: A single JSON blob containing all metrics
-   `monarchjson`: A format consumable by Google's internal Monarch tooling.

Format to export metrics as.

URL describing where monitoring metrics should be exported

**Default:**

30

Number of seconds to wait between exporting metrics

**Default:**

30

Number of seconds to wait before a timeout occurs when exporting metrics

A map of key/value pairs to add to all metric root labels. If a previously set key (e.g. `host_name`) is set to `""`, the key is removed from the metric root labels. Alternatively, if a value is set for an existing key then the new value overrides the old.

