Deploy Santa with Fleet GitOps and skip the sync server


Allen Houchins


Links to article series:

  • Part 1: Deploy Santa with Fleet GitOps and skip the sync server
  • Part 2: How we deployed Santa at Fleet

Santa is a binary authorization system for macOS. It has become important to organizations serious about application blocking and control. However, the traditional Santa deployment model comes with operational overhead at scale, primarily centered around the need for a dedicated Santa sync server.

In the conventional setup, Santa requires a custom sync server to:

  • Distribute allow / deny rules across your fleet
  • Collect execution events and blocked binary reports
  • Manage configuration changes and rule updates

At the time of writing, three off-the-shelf sync server solutions are available:

  • Moroz - A Go server that serves hardcoded rules from simple configuration files.
  • Rudolph - An AWS-based serverless sync service built on API Gateway, DynamoDB, and Lambda components.
  • Zentral - An event hub to gather, process, and monitor system events and link them to an inventory.

Running any of these solutions may incur additional infrastructure costs and upkeep. You also might have to adopt an unfamiliar configuration language specific to the solution.

But what if you could get all the benefits and functionality of a sync server using your existing device management solution?

Enter Fleet + GitOps + Santa

The combination of Fleet's device management platform, GitOps principles, and Santa's binary authorization creates a powerful alternative that eliminates the need for a traditional Santa sync server entirely.

How Fleet replaces the Santa sync server

Fleet acts as a modern, API-driven replacement for traditional Santa sync servers by using:

Configuration as code management

Fleet's GitOps workflow allows you to manage Santa configurations stored in Git repositories. Instead of hosting sync server infrastructure, you define Santa rules and configurations declaratively through familiar XML (mobileconfig) files.

Automated rule distribution

Fleet's agent (fleetd) and MDM automatically apply Santa configurations across your macOS devices. Changes pushed to your Git repository trigger automatic deployment through Fleet's GitOps pipeline.

Event collection and monitoring

Fleet's osquery integration captures Santa events, eliminating the need for custom event collection endpoints.

Implementation overview

Here is how the Fleet + GitOps + Santa workflow operates in practice:

  1. Configuration Definition: Security and IT teams define Santa rules in files within a Git repository
  2. Change Management: Rule updates go through standard pull request review processes
  3. Automated Deployment: Fleet GitOps detects changes and applies configurations
  4. Real-time Monitoring: osquery tables provide visibility into Santa events
  5. Incident Response: Fleet's queries and policies trigger automated workflows for investigation or remediation
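
A pre-merge check that could back the pull request review in step 2, as an added example (not Fleet's or the author's code). It assumes the rules sit in a `StaticRules` array inside the profile's `PayloadContent`, with `rule_type`, `identifier` and `policy` keys as Santa documents them; the function name and the sample profile are constructed for illustration.

```python
import plistlib
import re

# Value sets follow Santa's static-rule documentation; the article names no keys.
IDENT_FORMAT = {
    "BINARY": re.compile(r"[0-9a-fA-F]{64}"),       # SHA-256 of the executable
    "CERTIFICATE": re.compile(r"[0-9a-fA-F]{64}"),  # SHA-256 of the signing cert
    "CDHASH": re.compile(r"[0-9a-fA-F]{40}"),
    "TEAMID": re.compile(r"[A-Z0-9]{10}"),
    "SIGNINGID": re.compile(r"(platform|[A-Z0-9]{10}):.+"),
}
POLICIES = {"ALLOWLIST", "ALLOWLIST_COMPILER", "BLOCKLIST", "SILENT_BLOCKLIST"}

def lint_santa_profile(data: bytes) -> list[str]:
    """Return the problems found in the Santa rules of one mobileconfig."""
    try:
        payloads = plistlib.loads(data).get("PayloadContent", [])
    except Exception as exc:  # malformed or non-dictionary plist fails the check
        return [f"not a usable profile: {exc}"]
    problems, seen = [], set()
    for payload in (p for p in payloads if isinstance(p, dict)):
        for i, rule in enumerate(payload.get("StaticRules", [])):
            if not isinstance(rule, dict):
                problems.append(f"rule {i}: entry is not a dictionary")
                continue
            rtype, ident = rule.get("rule_type"), str(rule.get("identifier", ""))
            if rtype not in IDENT_FORMAT:
                problems.append(f"rule {i}: unknown rule_type {rtype!r}")
                continue
            if rule.get("policy") not in POLICIES:
                problems.append(f"rule {i}: unknown policy {rule.get('policy')!r}")
            if not IDENT_FORMAT[rtype].fullmatch(ident):
                problems.append(f"rule {i}: identifier is not a valid {rtype}")
            if (rtype, ident) in seen:  # two rules for one target may conflict
                problems.append(f"rule {i}: duplicate {rtype} rule for {ident}")
            seen.add((rtype, ident))
    return problems

# Constructed sample profile: one good rule and three mistakes a reviewer could miss.
SAMPLE = plistlib.dumps({"PayloadContent": [{"StaticRules": [
    {"rule_type": "TEAMID", "identifier": "ABCDE12345", "policy": "ALLOWLIST"},
    {"rule_type": "BINARY", "identifier": "deadbeef", "policy": "BLOCKLIST"},
    {"rule_type": "TEAMID", "identifier": "ABCDE12345", "policy": "BLOCKLIST"},
    {"rule_type": "SIGNINGID", "identifier": "platform:com.example.tool", "policy": "ALLOW"},
]}]})

if __name__ == "__main__":
    print("\n".join(lint_santa_profile(SAMPLE)))
```

Run against every changed profile in CI and fail the job when the returned list is non-empty, so a truncated hash or a conflicting allow/block pair is caught before the GitOps run applies it.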

The next article in this series is a step-by-step guide showing how we implemented this deployment model for Santa internally at Fleet.
