---
title: "Glossary"
description: "Plain-language definitions for Santa, Workshop, and the macOS endpoint security concepts North Pole Security works with every day."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/glossary"
---
# Glossary

Santa, Workshop, and macOS endpoint security terms

This page collects the vocabulary that comes up most often in conversations about Santa and Workshop. It mixes general macOS security terms with concepts specific to how Santa authorizes binaries and how Workshop manages a fleet of Macs. Each entry links to itself, so you can share a definition with a teammate using a URL like `/glossary#lockdown-mode`.

## Allowlist

A list of programs explicitly permitted to run. Santa is an allowlisting agent: in lockdown mode it blocks anything that is not on the allowlist, rather than chasing threats after they execute.

## Approval workflow

The process by which a user requests permission to run a blocked binary, and an administrator or designated approver reviews and decides on that request inside Workshop.

## Binary authorization

Santa's core function. It intercepts every execution on a Mac and decides whether to allow or block it based on configured rules, before the process is allowed to run.

## Bundle

A macOS application package (typically a .app directory) that contains an executable along with its resources, frameworks, and metadata. Many Mac apps ship as a bundle that includes several Mach-O binaries.

## Bundle hash

A SHA-256 fingerprint that identifies a macOS bundle as a whole. It is computed from the hashes of every Mach-O executable inside the bundle, sorted by path. Workshop uses it to group related binaries so an administrator can approve an entire application in one step.
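The computation the definition above describes, as an added example in Python. It is not Santa's or Workshop's code: it follows the definition (SHA-256 of each Mach-O executable, sorted by path, then a hash of the hashes), but the exact serialisation of the per-binary digests before the outer hash, and the cut-off of 20 architectures used to tell a fat Mach-O header from a Java class file that shares the same magic, are assumptions of this example. The sample bundle is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Raw leading bytes of thin Mach-O files: 32-bit and 64-bit, in both byte orders
# (a modern x86_64 or arm64 binary starts with cf fa ed fe).
THIN_MACH_O_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binaries; also the Java class-file magic


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_mach_o(header: bytes) -> bool:
    """Classify a file by its first 8 bytes."""
    if len(header) < 8:
        return False
    magic = header[:4]
    if magic == FAT_MAGIC:
        # A fat header is followed by nfat_arch (big-endian). Java class files put
        # their version number here, far larger than any real architecture count;
        # the cut-off of 20 is a heuristic assumed by this example.
        nfat_arch = int.from_bytes(header[4:8], "big")
        return 0 < nfat_arch < 20
    return magic in THIN_MACH_O_MAGICS


def mach_o_hashes(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """(relative path, sha256) for every Mach-O in the mapping, sorted by path."""
    return sorted((path, sha256_hex(data)) for path, data in files.items() if is_mach_o(data[:8]))


def bundle_hash_from_files(files: dict[str, bytes]) -> str:
    """Hash of hashes over the bundle's Mach-O executables (serialisation assumed)."""
    hashes = mach_o_hashes(files)
    if not hashes:
        raise ValueError("no Mach-O executables found; nothing to identify")
    return sha256_hex("".join(digest for _, digest in hashes).encode("ascii"))


def bundle_hash(bundle_dir: str) -> str:
    """Walk a .app directory and compute its bundle hash."""
    files: dict[str, bytes] = {}
    for root, _dirs, names in os.walk(bundle_dir):
        for name in names:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue  # a symlink could point outside the bundle or double-count a binary
            with open(full, "rb") as f:
                # Whole-file reads keep the example short; a real tool would stream.
                files[os.path.relpath(full, bundle_dir)] = f.read()
    return bundle_hash_from_files(files)


# Constructed sample bundle: two fake Mach-O files carrying real magic numbers
# over dummy bodies, a Java class file sharing the fat magic, and a plist.
SAMPLE_FILES = {
    "Contents/MacOS/Example": b"\xcf\xfa\xed\xfe" + b"main executable body",
    "Contents/Frameworks/Helper.framework/Helper": b"\xcf\xfa\xed\xfe" + b"helper body",
    "Contents/Resources/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"java bytecode",
    "Contents/Info.plist": b'<?xml version="1.0"?><plist/>',
}


def build_sample_bundle() -> str:
    """Write SAMPLE_FILES into a fresh temp dir as Example.app and return its path."""
    root = os.path.join(tempfile.mkdtemp(), "Example.app")
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    app = build_sample_bundle()
    for path, digest in mach_o_hashes(SAMPLE_FILES):
        print(f"{digest}  {path}")
    print("bundle hash:", bundle_hash(app))
```

Because the result depends on every executable in the bundle, adding, removing, or rebuilding a single helper changes the bundle hash, which is why a bundle hash identifies a specific release rather than an application in general.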

## CDHash

The hash of a binary's code directory, the signed structure that covers every page of the executable, so it changes whenever the binary is rebuilt or re-signed. It is the most specific identifier Santa supports for a binary. CDHash rules apply only to programs built with Apple's Hardened Runtime, because without it a process's code can be modified after launch while its CDHash stays the same.

## CEL

Common Expression Language. An embedded expression language used to write dynamic Santa rules and to filter telemetry events in Workshop.

## EDR

Endpoint Detection and Response. A category of security tools focused on detecting suspicious activity on a host, containing it, and helping analysts investigate after the fact.

## EPP

Endpoint Protection Platform. A category of security tools focused on preventing malicious code from executing on a host in the first place, rather than reacting to it after the fact.

## Event

A recorded action observed by Santa, captured with the surrounding process and file context. Workshop ingests events to drive approval workflows, audit trails, and investigations.

## Execution rule

A rule that tells Santa whether a binary or application is allowed to run. Execution rules are distinct from file access rules, which govern reads and writes rather than execution.

## File Access Authorization

Often shortened to FAA. A Santa feature that lets administrators monitor specific filesystem paths and optionally deny processes that read or write sensitive files. Useful for protecting credentials, configuration, and source code.

## File access rule

A rule that applies to File Access Authorization. It specifies which paths are watched and which processes are allowed to touch them, separate from execution policy.

## Identity provider

Often shortened to IdP. The system of record for user identities and authentication, such as Okta or Google Workspace. Workshop integrates with an IdP to sign in administrators and tie events back to real users.

## Lockdown mode

A Santa operating mode that blocks the execution of any binary that does not have an explicit allow rule. The prevention-first posture: unknown software is denied by default.

## Monitor mode

A Santa operating mode that allows any execution that is not explicitly blocked. Explicit block rules are still enforced and every execution is still recorded as an event, which makes monitor mode useful while building an initial picture of a fleet's software inventory before transitioning to lockdown.

## Multi-party approval

Often shortened to MPA. A Workshop control that requires more than one administrator to sign off on a sensitive change, such as approving a new rule, before it takes effect.

## Push notification

A message sent from a sync server, such as Workshop, that asks Santa clients to act immediately, for example to pick up a new policy. Without push, clients fall back to polling on a regular interval.

## Removable media control

A Santa capability that blocks removable mass storage (USB, SD, and Thunderbolt devices) from mounting on a Mac, or forces it to mount read-only. Used to prevent data exfiltration and to keep unapproved media out of the environment.

## Santa

The open source macOS security agent originally built at Google and now maintained by North Pole Security. Santa provides binary authorization, file access control, removable media blocking, and security telemetry.

## Signing certificate

An X.509 certificate used by a developer to sign code. Santa can write rules against the SHA-256 fingerprint of a leaf signing certificate, which covers every binary signed with it.

## Signing ID

A developer-controlled identifier (the code signing identifier, usually the app's bundle ID) baked into a binary at signing time. Because any developer can choose any signing ID, Santa rules reference it together with its Team ID prefix, for example `EQHXZ8M8AV:com.google.Chrome`; Apple platform binaries use the literal prefix `platform` in place of a Team ID.

## Standalone mode

A Santa operating mode in which the local user is prompted to approve or deny an unknown binary at the moment it tries to run, instead of relying entirely on a central administrator.

## Sync server

The service that distributes rules and configuration to a fleet of Santa clients and receives events back from them. Workshop is a sync server, and Santa speaks a documented sync protocol.

## System extension

A modern macOS mechanism for running privileged code outside the kernel. Security products built on it use Apple's Endpoint Security framework to observe, and where the framework allows, authorize process, file, and mount activity. Santa ships as a system extension; earlier versions relied on a kernel extension.

## Tags

A hierarchical targeting mechanism in Workshop. Tags decide which rules and settings apply to which hosts. Workshop defines a precedence order so the most specific tag wins, ranging from an individual host up to the full fleet.

## TCC

Transparency, Consent, and Control. The macOS subsystem that governs which applications can access protected resources such as files, the camera, the microphone, and the calendar.

## Team ID

A 10-character identifier issued by Apple and tied to a developer account. Santa can write a single rule against a Team ID to cover every binary signed by that developer, making it the broadest identifier in the rule precedence order.
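The rule precedence that the CDHash, Signing ID, Signing certificate, and Team ID entries describe, together with the Lockdown, Monitor, and Standalone mode fallbacks for software that matches no rule, as an added worked example in Python. This is not Santa's or Workshop's code: it models only the five static rule types (not CEL or transitive rules), and every hash and rule in it is constructed for illustration; the only real identifier is Google's Team ID `EQHXZ8M8AV`, which the Signing ID entry already uses.

```python
from dataclasses import dataclass
from typing import Iterator, Optional

# Santa's static rule types, most specific first. A more specific rule always
# beats a broader one, so a BINARY block rule overrides a TEAMID allow rule.
PRECEDENCE = ("CDHASH", "BINARY", "SIGNINGID", "CERTIFICATE", "TEAMID")


@dataclass(frozen=True)
class Binary:
    """The identifiers Santa can extract from one executable (all constructed here)."""
    sha256: str
    cdhash: Optional[str] = None
    team_id: Optional[str] = None
    signing_id: Optional[str] = None
    cert_sha256: Optional[str] = None
    hardened_runtime: bool = False
    platform_binary: bool = False

    def candidates(self) -> Iterator[tuple[str, str]]:
        """Yield (rule_type, identifier) pairs this binary can match, in precedence order."""
        # CDHash rules only apply to binaries built with the Hardened Runtime.
        if self.cdhash and self.hardened_runtime:
            yield "CDHASH", self.cdhash
        yield "BINARY", self.sha256
        if self.signing_id:
            # Signing IDs are developer-chosen, so they are always qualified by the
            # Team ID; Apple platform binaries use the literal prefix "platform".
            prefix = "platform" if self.platform_binary else self.team_id
            if prefix:
                yield "SIGNINGID", f"{prefix}:{self.signing_id}"
        if self.cert_sha256:
            yield "CERTIFICATE", self.cert_sha256
        if self.team_id:
            yield "TEAMID", self.team_id


def decide(binary: Binary, rules: dict[tuple[str, str], str], mode: str) -> tuple[str, str]:
    """Return (decision, reason).

    rules maps (rule_type, identifier) -> "ALLOWLIST" or "BLOCKLIST"; mode is
    "LOCKDOWN", "MONITOR" or "STANDALONE". The first matching rule in precedence
    order wins; with no rule, the client mode decides what happens to unknown code.
    """
    for rule_type, ident in binary.candidates():
        policy = rules.get((rule_type, ident))
        if policy == "ALLOWLIST":
            return "ALLOW", f"{rule_type} allow rule for {ident}"
        if policy == "BLOCKLIST":
            return "BLOCK", f"{rule_type} block rule for {ident}"
    if mode == "LOCKDOWN":
        return "BLOCK", "no rule matched; lockdown denies unknown software"
    if mode == "MONITOR":
        return "ALLOW", "no rule matched; monitor mode allows and records the event"
    if mode == "STANDALONE":
        return "PROMPT", "no rule matched; ask the local user"
    raise ValueError(f"unknown client mode: {mode}")


# Constructed rule set: the hashes are placeholders, not real binaries.
RULES = {
    ("TEAMID", "EQHXZ8M8AV"): "ALLOWLIST",  # everything Google signs...
    ("BINARY", "11" * 32): "BLOCKLIST",     # ...except one known-bad build
    ("CDHASH", "aa" * 20): "ALLOWLIST",     # one pinned internal tool
}

CHROME = Binary(sha256="22" * 32, team_id="EQHXZ8M8AV", signing_id="com.google.Chrome",
                cert_sha256="33" * 32, hardened_runtime=True)
BAD_CHROME_BUILD = Binary(sha256="11" * 32, team_id="EQHXZ8M8AV", signing_id="com.google.Chrome",
                          cert_sha256="33" * 32, hardened_runtime=True)
INTERNAL_TOOL = Binary(sha256="44" * 32, cdhash="aa" * 20, hardened_runtime=True)
ADHOC_TOOL = Binary(sha256="55" * 32, cdhash="aa" * 20, hardened_runtime=False)  # same CDHash, no Hardened Runtime
LS = Binary(sha256="77" * 32, signing_id="com.apple.ls", platform_binary=True)
UNKNOWN = Binary(sha256="66" * 32)

if __name__ == "__main__":
    for name, b in [("chrome", CHROME), ("bad build", BAD_CHROME_BUILD),
                    ("internal", INTERNAL_TOOL), ("ad-hoc", ADHOC_TOOL), ("unknown", UNKNOWN)]:
        for mode in ("LOCKDOWN", "MONITOR", "STANDALONE"):
            print(f"{name:9} {mode:10} -> {decide(b, RULES, mode)}")
```

Two points the example makes visible: the block rule for one bad Chrome build wins over the broader Team ID allow rule even in monitor mode, and the ad-hoc signed tool is not matched by the CDHash rule despite sharing the CDHash, because it lacks the Hardened Runtime, so in lockdown it is denied.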

## Telemetry

The stream of enriched security events Santa records about what happens on a Mac, used for investigation and detection. Workshop ingests this stream and lets administrators query it for audits and incident response.

## Transitive allowlisting

A Santa feature that lets a trusted compiler or build tool authorize the binaries it writes. When enabled, an executable written by a process running under a compiler rule receives a locally generated transitive allow rule, which expires after a period of disuse. This keeps lockdown mode practical for developer workstations without allowlisting every fresh build by hand.

## Workshop

North Pole Security's control plane for Santa. Workshop manages rules, hosts, events, approvals, telemetry, and audit trails across an entire fleet of Macs.

Need something that is not on this page? See the [Santa documentation](https://northpole.security/docs/santa) or the [Workshop documentation](https://northpole.security/docs/workshop) for deeper reference material.

## Sitemap

- [Home](https://northpole.security/index.md)
- [Workshop](https://northpole.security/workshop.md)
- [Santa](https://northpole.security/santa.md)
- [Features](https://northpole.security/features.md)
- [Cookbook](https://northpole.security/cookbook.md)
- [Docs](https://northpole.security/docs.md)
- [Blog](https://northpole.security/blog.md)
- [Glossary](https://northpole.security/glossary.md)
- [About](https://northpole.security/about.md)
- [Contact](https://northpole.security/contact.md)
