The best, secure & easiest way of allowing apps

[the123blackjack]

I am using Santa in lockdown mode.

1. What is the best way of allowing apps?

Currently my primary way of allowing apps has been TeamID rules as when i trust the developer say google.

Binary is out of the question as it will break when an update comes out.

2. How do you compare Regex Paths vs Certificate , Team rules on a security standpoint?

3)What about allowing Apple Root CA? Instead of google cert?

With that i will be allowing wider range of apps which is apple root ca signed ? However are there security implications in this approach and can we generally say the apps with apple root ca are safe?

Signing Chain:

1. SHA-256 : 345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5
   SHA-1 : c9a99324ca3fcb23dbcc36bd5fd4f9753305130a
   Common Name : Developer ID Application: Google, Inc. (EQHXZ8M8AV)
   Organization : Google, Inc.
   Organizational Unit : EQHXZ8M8AV
   Valid From : 2017/03/09 21:08:37 +0000
   Valid Until : 2022/03/10 21:08:37 +0000
2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
   SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
   Common Name : Developer ID Certification Authority
   Organization : Apple Inc.
   Organizational Unit : Apple Certification Authority
   Valid From : 2012/02/01 22:12:15 +0000
   Valid Until : 2027/02/01 22:12:15 +0000
3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
   SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
   Common Name : Apple Root CA
   Organization : Apple Inc.
   Organizational Unit : Apple Certification Authority
   Valid From : 2006/04/25 22:40:36 +0100
   Valid Until : 2035/02/09 21:40:36 +0000

[russellhancox]

What is the best way of allowing apps?
Currently my primary way of allowing apps has been TeamID rules as when i trust the developer say google.
Binary is out of the question as it will break when an update comes out.

This depends on a huge number of factors, including your environment (large enterprise with dedicated helpdesk and diverse users vs small 10 person company), risk tolerance, overhead tolerance, etc.

Allowing by Team ID is a great choice for a small set of developers that you trust and expect to continue doing so. Allowing by binary is recommended for apps that you want to use now but you don't necessarily trust that updates will continue to be acceptable. How agreeable this approach is depends on how often the apps in question are updated and how many apps are being used.

How do you compare Regex Paths vs Certificate , Team rules on a security standpoint?

The order that rules are applied codifies how we see the security of rules:
Binary > Certificate > Team ID > Regex.

Calling out regex paths specifically: we recommend against their use - the feature exists to make initial adoption easier and as an escape hatch for situations that are not easily handled any other way but they are generally risky.

3)What about allowing Apple Root CA? Instead of google cert?

Santa doesn't allow you to do this; while fileinfo will show you the full signing chain, only the leaf (or first) certificate is considered in decision making.