Deploy Santa with Fleet GitOps and skip the sync server

Links to article series:

• Part 1: Deploy Santa with Fleet GitOps and skip the sync server
• Part 2: How we deployed Santa at Fleet

Santa is a binary authorization system for macOS. It has become important to organizations serious about application blocking and control. However, the traditional Santa deployment model comes with operational overhead at scale, primarily centered around the need for a dedicated Santa sync server.

In the conventional setup, Santa requires a custom sync server to:

• Distribute allow / deny rules across your fleet
• Collect execution events and blocked binary reports
• Manage configuration changes and rule updates

At the time of writing, there are currently three off-the-shelf sync server solutions available:

• Moroz - A golang server that serves hardcoded rules from simple configuration files.
• Rudolph - An AWS-based serverless sync service built on API GW, DynamoDB, and Lambda components.
• Zentral - An event hub to gather, process, and monitor system events and link them to an inventory.

Running any of these solutions may incur additional infrastructure costs and upkeep. You also might have to adopt an unfamiliar configuration language specific to the solution.

But, what if you could get all the benefits and functionality of a sync server using your existing device management solution?

Enter Fleet + GitOps + Santa

The combination of Fleet's device management platform, GitOps principles, and Santa's binary authorization creates a powerful alternative that eliminates the need for a traditional Santa sync server entirely.

How Fleet replaces the Santa sync server

Fleet acts as a modern, API-driven replacement for traditional Santa sync servers by using:

Configuration as code management

Fleet's GitOps workflow allows you to manage Santa configurations stored in Git repositories. Instead of hosting sync server infrastructure, you define Santa rules and configurations declaratively through familiar XML (mobileconfig) files.

Automated rule distribution

Fleet's agent (fleetd) and MDM automatically applies Santa configurations across your macOS devices. Changes pushed to your Git repository trigger automatic deployment through Fleet's GitOps pipeline.

Event collection and monitoring

Fleet's osquery integration captures Santa events, eliminating the need for custom event collection endpoints.

Implementation overview

Here is how the Fleet + GitOps + Santa workflow operates in practice:

1. Configuration Definition: Security and IT teams define Santa rules in files within a Git repository
2. Change Management: Rule updates go through standard pull request review processes
3. Automated Deployment: Fleet GitOps detects changes and applies configurations
4. Real-time Monitoring: osquery tables provide visibility into Santa events
5. Incident Response: Fleet's queries and policies trigger automated workflows for investigation or remediation

The next article in this series is a step-by-step guide showing how we implemented this deployment model for Santa internally at Fleet.