Anybody care to share their experiences with application WhiteListing tools? I've been asked to investigate what's available in that arena, and two tools that were specifically mentioned are Google's open source Santa project, and Avecto's Defendpoint for Mac. Santa seems to be a non-starter as you have to compile a kext, and Apple has all but explicitly said that organizations are not going to get a kext signing certificate for internal use.
Defendpoint for Mac has been mentioned on Jamf Nation before, but my take on those comments is that it's not yet a mature product (and with the usual potential of the kext breaking every time Apple issues an OS update).

Zentral or Moroz are both open source TLS servers for Santa configuration and receive results back from Santa - both can work on premise. However you start to deploy them - you have to accept it's all open source software with all pros/cons.
Upvote is also open source, that is the new TLS solution Google (GoogleApp based) team has released for Santa. Well the 'just released' gives you a hint the 'santa-dev' discussion could happen somewhere else ¯\_(ツ)_/¯.
You may either want to sharpen your research skills, look again into Santa, find (if) a vital community is involved which suits your needs or go commercial, see where you can lead with Avecto (which works sort of as advertised).

Your response does nothing to address the major drawbacks to Santa: it's a Google project not a product, and you're at the mercy of Google to update the kext as Apple is highly unlikely to grant a kext signing certificate to organizations hoping to roll their own. Please don't lecture me on the issues involved with open source.
A little research on my background will quickly show it's an area I have experience with. For my current WhiteList tool requirements, something officially supported is an absolute necessity, so commercial is what I'm looking at. I was not intending to be ranting on Google, they've made some great tools available under open source.
If you can live with the risks associated with an open source project, and Santa meets your needs, that's great. My response to was more of a rant at AW for implying that Santa was a practical solution for organizations needing BlackList functionality that might be unaware of, and/or unable/unwilling to take on the issues that come with it.
Much like Jamf could not get away with directing users to rely on AutoPkgr/AutoPkg in lieu of integrated patch management. Not that many of us haven't used, or are still using, those tools, but they come with a different level of burden than Santa.
As you've probably seen from the other posts, I am running Defendpoint at our org on both Windows and Mac. We also evaluated Powerbroker from BeyondTrust. Yes, I would agree that Defendpoint has Windows as a primary focus, but I've had a reasonable experience with Mac support. Most of the major issues I've run into were (IMHO) more caused by changes Apple made than bugs in Defendpoint. What I have the most issues with is tuning the white-list. We have a lot of varied software and some pieces need multiple white-list entries depending on how the application runs/updates.

Well, I think you're referring to what Jamf calls 'Restricted Software', which, yes, is a thing in the product.
It's not quite the same as Application Whitelisting though. If you research what Application Whitelisting is, you'll see it tends to work on a deeper level in the OS, hence why some of the products mentioned use KEXTs for this. Jamf's Restricted Software is a combination of LaunchDaemon and a local tool (jamfAgent) to do its work. For our purposes, Restricted Software can take care of most of our requirements, but some environments have stricter requirements and might need something more robust than what Jamf offers.