--- title: "Features | Workshop" description: "Workshop features for enterprise macOS allowlisting. Approval workflows, execution rules, telemetry, risk engine, package rules, and more." doc_version: "1" last_updated: "2026-06-05" canonical: "https://northpole.security/features" --- ![](https://northpole.security/images/workshop/figma/hero-bg.png) # Every capability, on one platform. AI chat, approval workflows, package rules, risk intelligence, file access authorization, telemetry, and more. Explore every feature Workshop layers on top of Santa. [Book a demo](https://northpole.typeform.com/to/SG9jCi0v) [Explore Workshop](https://northpole.security/workshop) ![](https://northpole.security/images/workshop/figma/snow-corner-tr.png) ![](https://northpole.security/images/workshop/figma/snow-floor.png) Workshop capabilities ## Everything Workshop adds to Santa Santa is a powerful open-source security agent on its own, but running it across a fleet of Macs is a different challenge. Workshop adds the management console, approval workflows, threat intelligence, and telemetry that make Santa practical and livable at enterprise scale. [ ### AI Chat Query events, manage rules, investigate issues in plain English. Learn more ](https://northpole.security/features/ai-chat)[ ### Approval Workflows Lockdown without the lockup. Self-service, manager, voting, and Slack-native. Learn more ](https://northpole.security/features/approval-workflows)[ ### Execution Rules Five rule types in strict precedence with CEL and TouchID policies. Learn more ](https://northpole.security/features/execution-rules)[ ### File Access Authorization Stop infostealers from reaching browser cookies, SSH keys, and credentials. Learn more ](https://northpole.security/features/file-access-authorization)[ ### Package Rules Auto-allowlist Homebrew, npm, Cargo, GitHub Releases, and more. Learn more ](https://northpole.security/features/package-rules)[ ### Removable Media Control Block USB, FireWire, and network mounts that exfiltrate data. Learn more ](https://northpole.security/features/removable-media-blocking)[ ### Risk Engine Pre-screen every binary against VirusTotal, ReversingLabs, and your own logic. Learn more ](https://northpole.security/features/risk-engine)[ ### Social Voting Peer consensus instead of a ticket queue. Learn more ](https://northpole.security/features/social-voting)[ ### Telemetry & EDR Every execution, every file access, every block. Stream it to your SIEM. Learn more ](https://northpole.security/features/telemetry) ## Frequently asked questions How do approval workflows keep teams productive in Lockdown mode? Workshop offers multiple approval paths so users aren't stuck waiting on a single security team. Self-service approvals let users approve low-risk software themselves. Designated approvers route requests to team leads or managers. Social voting, the same approach Google used across 100,000+ Macs, lets colleagues vouch for software they trust. Slack integration means approvals happen where your team already works. What are Package Rules? Package Rules automate allowlisting for developer tools and package managers. Workshop automatically tracks and approves binaries from Homebrew, npm, Cargo, GitHub Releases, VS Code extensions, Terraform plugins, and more. Version filtering and scheduled syncs keep your allowlist current without manual rule creation. How does the Risk Engine assess new binaries? When Workshop encounters an unknown binary, the Risk Engine evaluates it against multiple threat intelligence sources. Built-in plugins query VirusTotal and ReversingLabs for known malware signatures and reputation data. You can also build custom webhook plugins to integrate your own threat intel feeds. The Risk Engine assigns a risk score that can drive automatic allow or block decisions. Can Workshop protect files, not just binaries? Yes. File Access Authorization controls which processes can read or write specific files on disk. You can protect browser cookies, SSH keys, keychains, and source code from infostealers by restricting access to only the apps that legitimately need it. Even if a malicious binary somehow runs, it cannot access the files you've protected. What is the difference between Monitor mode and Lockdown mode? Monitor mode allows all executions but logs everything, giving you full visibility into what's running across your fleet. Lockdown mode blocks any binary that isn't explicitly approved. Most organizations start in Monitor to build their allowlist and understand their software landscape, then move to Lockdown once they're confident in their rules. Workshop makes this transition gradual with risk scoring and approval workflows. ## Sitemap - [Home](https://northpole.security/index.md) - [Workshop](https://northpole.security/workshop.md) - [Santa](https://northpole.security/santa.md) - [Features](https://northpole.security/features.md) - [Cookbook](https://northpole.security/cookbook.md) - [Docs](https://northpole.security/docs.md) - [Blog](https://northpole.security/blog.md) - [Glossary](https://northpole.security/glossary.md) - [About](https://northpole.security/about.md) - [Contact](https://northpole.security/contact.md)