Allen Houchins
Here's a real-world example of deploying Santa with the Fleet GitOps approach that we are using internally:
Step 1: Deploy the Santa app via Fleet GitOps
Santa is a Fleet-maintained app, so deploying it needs no custom packaging. Alternatively, you can use our deployment YAML file: https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/macos/software/santa.yml
Either method installs Santa on a test device group through Self-service. Adjust this to fit your needs, for example by installing automatically instead of through Self-service, or by targeting multiple labels.
Step 2: Deploy the Santa configuration
Santa Configuration Profile: https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/macos/configuration-profiles/santa-configuration.mobileconfig
Santa rules Configuration Profile: https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/macos/configuration-profiles/santa-rules.mobileconfig
Our recommended practice is to deploy two Configuration Profiles: one that manages the Santa app configuration and one that manages the Santa rules. Keeping the two modular and separate minimizes the risk that a change to the Santa rules interferes with the app configuration.
Screenshot: Santa configuration profile
Screenshot: Santa rules profile
Step 3: Deploy the Santa extension
Policy to check whether the extension is present: https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/macos/policies/install-santa-extension.yml
Script to install the extension: https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/macos/scripts/install-santa-extension.sh
We deploy the extension through policy automation because Fleet does not ship the Santa osquery extension natively. A policy checks whether the Santa extension is present on the host; if it is not, Fleet immediately runs a remediation script that downloads the extension and configures fleetd to load it.
Step 4: Collect Santa events
Collect Santa denied logs: https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/macos/queries/collect-santa-denied-logs.yml
This query records every execution Santa denies on a device, whether because the binary is blocklisted or, in lockdown mode, because it is not allowlisted. The results can be forwarded to our SIEM, or used to fire a webhook that alerts us in Slack.
Screenshot: SIEM dashboard
Screenshot: Slack message
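Putting the four steps together, here is how the files linked above are wired into a Fleet GitOps team. This is an added illustration, not the contents of Fleet's own repository: the relative paths mirror the URLs above, the key names follow Fleet's GitOps YAML schema as I understand it and should be checked against the current Fleet docs, and the package URL, label name, extension name in the policy query, and the `santa_denied` table are assumptions standing in for your own values.

```yaml
# --- teams/workstations.yml (hypothetical team file) ---
# Wires the four files linked above into one team. Relative paths mirror the
# it-and-security/lib layout in Fleet's repo; adjust them to your own tree.
name: Workstations
software:
  packages:
    # Step 1: Santa package, offered through Self-service only to a test label
    # until the rules have been validated.
    - path: ../lib/macos/software/santa.yml
controls:
  macos_settings:
    custom_settings:
      # Step 2: app settings and rules kept in two separate profiles, so a
      # rule change never touches the app configuration.
      - path: ../lib/macos/configuration-profiles/santa-configuration.mobileconfig
      - path: ../lib/macos/configuration-profiles/santa-rules.mobileconfig
  scripts:
    # Step 3: remediation script that the policy below triggers.
    - path: ../lib/macos/scripts/install-santa-extension.sh
policies:
  - path: ../lib/macos/policies/install-santa-extension.yml
queries:
  # Step 4: ship denials to the log destination / webhook.
  - path: ../lib/macos/queries/collect-santa-denied-logs.yml
---
# --- lib/macos/software/santa.yml (illustrative; the real file is linked above) ---
url: https://example.invalid/santa.pkg   # placeholder; pin a release and verify its hash
self_service: true
labels_include_any:
  - Santa test group                     # hypothetical label name
---
# --- lib/macos/policies/install-santa-extension.yml (illustrative) ---
- name: Santa osquery extension is loaded
  platform: darwin
  description: Fails when osquery under fleetd has not loaded the Santa extension.
  resolution: Fleet runs install-santa-extension.sh automatically when this policy fails.
  # osquery_extensions is a core osquery table; the extension name is an
  # assumption, match it to whatever name your extension registers.
  query: SELECT 1 FROM osquery_extensions WHERE type = 'extension' AND name LIKE '%santa%';
  run_script:
    path: ../scripts/install-santa-extension.sh
---
# --- lib/macos/queries/collect-santa-denied-logs.yml (illustrative) ---
- name: Collect Santa denied logs
  platform: darwin
  interval: 300
  logging: differential        # ship only new denials, not the whole table every run
  automations_enabled: true    # lets results feed the log destination and webhook
  # santa_denied is provided by the Santa osquery extension, not by osquery core,
  # which is why the policy above has to succeed before this query returns rows.
  query: SELECT * FROM santa_denied;
```

The policy and the query depend on each other: if the extension is not loaded, `santa_denied` does not exist and the query errors rather than returning zero rows, so keep the remediation policy in place for the life of the deployment rather than removing it once the initial rollout succeeds.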
By leveraging GitOps principles through Fleet, Santa management becomes:
Screenshot: pull request adding an additional rule
Fleet believes in reducing complexity. Fleet's GitOps-native approach provides the functionality of a custom Santa sync server and adds enterprise device management, operational simplicity, and modern change management, while eliminating the infrastructure maintenance a sync server requires. It is a more scalable and secure approach to binary authorization that aligns with modern infrastructure practices.
Ready to modernize your Santa deployment? Fleet's open-source platform makes it easier than ever to implement GitOps-driven binary authorization without the operational overhead of traditional sync servers.
Additional progress and discussion on a native Santa + Fleet integration can be tracked in this feature request: https://github.com/fleetdm/fleet/issues/24910
Fleet is an open-source device management platform that provides GitOps-native configuration management, comprehensive device visibility, and enterprise-grade security for organizations managing thousands of endpoints. Learn more at https://fleetdm.com.