Notes
If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.
Santa documentation can be found at northpole.dev.
Announcements
📣 Opt-In Stats Collection
Santa can now collect basic stats on an opt-in basis by setting the EnableStatsCollection configuration key to true. When enabled, some very limited, non-identifying information (such as Santa and macOS versions) is gathered and uploaded to North Pole Security. This information is extremely useful for us to understand more about our install base in order to inform the development of new features and drive support/deprecation decisions. For complete details about what is collected, see our Stats documentation.
Please consider opting in your organization to help us better maintain Santa for the whole community!
Fixed
❗ Sync service daemon no longer spins up if no sync service is configured
❗ The app field of the LaunchItem Add telemetry event added in 2025.3 contained wrong information
❗ Minor UI issues, such as long strings being truncated, label placements
Changed
↔️ Event uploads are more aggressively deduplicated over a given time window (either a full sync or 10 minutes, whichever is shorter). This will result in a overall decrease in the number of events uploaded during sync, potentially a substantial decrease for binaries that are heavily executed. Please note that event uploads have never intended to be the full view executions on a system. If this information is desired, Santa telemetry should be configured which can log all execs.
↔️ Improved Push Notification status in santactl status output
Added
➕ The santactl doctor subcommand was added to help surface and diagnose common issues with Santa deployments
➕ The santactl rule flags --clean/--clean-all can now be used to delete rules when rules are locally managed (neither sync server nor static rules are configured)
➕ Main blocked execution UI now also has a "Copy Details" button
➕ Notification center messages can now be displayed for newly approved apps (requires sync server support)
➕ New telemetry event: TCC modifications - when TCC permissions are granted or revoked
➕ New telemetry event: XProtect - when XProtect detects malicious content or takes action to remediate an issue
What's Changed
- Disable tamper protection for debug builds by @mlw in #335
- santactl/status: better output for push notification status by @russellhancox in #336
- Fix unused variable error in debug builds by @mlw in #338
- Add unique index to the filesha256 column in the events table by @mlw in #337
- santad: use santa cache for event upload backoff by @tburgin in #341
- general: Add SNTError, use where appropriate by @russellhancox in #339
- Add autoreleasepool per rule download batch by @mlw in #345
- Use clang-format-19 on ubuntu runner by @mlw in #347
- project: Update README.md by @russellhancox in #350
- project: Fix build visibility by @russellhancox in #349
- santactl: Add 'doctor' subcommand by @russellhancox in #340
- Add config bundling by @mlw in #346
- Add handling for TCC Modify telemetry event by @mlw in #348
- Add serializations for TCC modification events by @mlw in #351
- Fix serializing wrong field for LaunchItem Add registrant info by @mlw in #352
- Create a new build and entitlements for live debugging by @pmarkowsky in #353
- Stats state by @mlw in #354
- Fix crashing tests due to incorrect releasing behaviour by @dzonder in #357
- test: Fix the unitialized cache values when using ASAN by @pmarkowsky in #358
- sync service: fix needless spin up by @tburgin in #355
- build: Switch to cc_proto_library from com_google_protobuf by @russellhancox in #359
- Expand sync service connection state to handle more config keys by @mlw in #360
- santactl/rule: Allow deleting all rules by @russellhancox in #363
- build: fix clangd visibility for generated code by @tburgin in #364
- Add handling for XProtect events by @mlw in #365
- rule download: add support for notification app name by @tburgin in #366
- gui: truncate accessed path in FAA dialog, add full path to More Details popup by @russellhancox in #367
- santad: Fix 'UNIQUE constraint failed' and 'Unable to compute hash' errors by @russellhancox in #368
- Add serializations for XProtect events by @mlw in #369
- Add the Copy Details button to main block window by @mlw in #370
- Add animation to copy details button by @mlw in #371
- gui: Update default banned message by @russellhancox in #372
- gui: Fix labels around time picker by @russellhancox in #373
New Contributors
Full Changelog: 2025.3...2025.4