github northpolesec/santa 2025.10
v2025.10

one day ago

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Ready for Tahoe. This version has been validated on macOS Tahoe 26.0.

📣 Santa will be ending support for macOS Ventura in January 2026.

📣 This release introduces a new private sync protocol that includes a limited set of features that can only be used by Workshop customers. The private protocol allows us to iterate more rapidly on certain features without the constraint of maintaining backward compatibility across all existing sync servers. This flexibility will help us deliver improvements faster and respond more quickly to customer needs.

We remain committed to the public sync protocol and will continue maintaining and improving it. Many new features will still be developed in the public protocol, and where feasible, we plan to migrate features from the private protocol back to the public one over time. Read more about this on the North Pole Security blog.

Fixed

❗ Loading an FAA policy with one or more invalid rules no longer causes the entire policy to fail to load

Changed

↔️ Allowed executions and audit-only FAA rule violations that get sent in the EventUpload phase of syncing are now deduplicated across a 4-hour window instead of being tied to the sync interval. Blocked executions and denied FAA rule accesses still adhere to the previous semantics.
↔️ FAA rules now support the same TeamID:SigningID syntax for SigningID keys that is supported by the SIGNINGID rule type in execution rules.

Added

Workshop customers: FAA rules can now be managed via the sync protocol.


If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

  • docs: Add OS support matrix by @russellhancox in #596
  • Support FAA rules with TID:SID notation by @mlw in #597
  • Add FAA rule counts and rule hashes to sync protocol by @mlw in #598
  • build: Split non-bazel deps into separate BUILD files by @russellhancox in #599
  • Handle FAA rule data source transitions. Cleanup status output. by @mlw in #600
  • BETA FAA rule download by @mlw in #603
  • Allow loading FAA policies that are partially invalid by @mlw in #602
  • Inject dates in monarch json tests in order to remove mocks by @mlw in #604
  • Add FAA rule for protecting Chrome extensions to the cookbook by @pmarkowsky in #601
  • Add a rule to stop obvious timestomping of launch daemons and agents by @pmarkowsky in #605
  • docs: Update screenshots with updated logo by @russellhancox in #606
  • feat: Add Google Analytics and Plausible tracking scripts by @statico in #607
  • Add Cookbook rule for stopping osascript asking for passwords. by @pmarkowsky in #608
  • pkg: Add version number to pkg by @russellhancox in #609
  • Migrate stats state plist to be more generic by @mlw in #610
  • docs: Split cookbook CEL into multiline by @russellhancox in #612
  • Support timer restarts, change how startup delay works by @mlw in #611
  • GitHub issue templates by @mlw in #473
  • Pin NPS domains and cert PEMs by @mlw in #613
  • Bump bazel and dep versions by @mlw in #615
  • Handle v1 and v2 sync protocols by @mlw in #616
  • Simplify templates using non-type parameters by @mlw in #617
  • Silence deprecation warnings within protobuf dependency by @mlw in #618
  • Support aliases and hyphens/underscores for santactl commands by @mlw in #619
  • Improved error handling/logging for received rules and StaticRules by @mlw in #621
  • Fix FAA rule counts by @mlw in #622
  • Add a backoff cache for unactionable stored events by @mlw in #623

Full Changelog: 2025.9...2025.10
