Application WhiteList tool experiences?

sdagley
Esteemed Contributor II

Anybody care to share their experiences with application WhiteListing tools? I've been asked to investigate what's available in that arena, and two tools that were specifically mentioned are Google's open source Santa project, and Avecto's Defendpoint for Mac.

Santa seems to be a non-starter as you have to compile a kext, and Apple has all but explicitly said that organizations are not going to get a kext signing certificate for internal use.

Defendpoint for Mac has been mentioned on Jamf Nation before, but my take on those comments is that it's not yet a mature product (and with the usual potential of the kext breaking every time Apple issues an OS update).

Thanks.


mm2270
Legendary Contributor III

Thanks for mentioning Santa. The AW folks keep talking about Santa as their "answer" to Jamf's Restricted Software functionality, and I had looked at it and was like, uh, a kext? No thanks! I'm not sure they fully understand what they are recommending to customers. Santa could be a dead end product now with HS and the kext blocking stuff.

sdagley
Esteemed Contributor II

@mm2270 The AW folks must be overindulging in recreational chemicals if they think Santa is a realistic solution for most organizations. Especially given Google's graveyard of deceased projects, and it's not even a Google "product" as the Santa README mentions in a large disclaimer section. That the santa-dev discussion group mentioned in that same README hasn't seen a post since July 2017 also doesn't foster warm fuzzy feelings about its viability.

h_stamerjohann
New Contributor III

@sdagley Zentral or Moroz are both open source TLS servers for Santa configuration that receive results back from Santa - both can work on premise. However you start to deploy them, you have to accept it's all open source software with all its pros and cons. Upvote is also open source; that is the new TLS solution the Google (Google App based) team has released for Santa. Well, the "just released" gives you a hint that the "santa-dev" discussion could be happening somewhere else ¯\_(ツ)_/¯.

You may either want to sharpen your research skills, look again into Santa and find out whether a vital community is involved which suits your needs, or go commercial and see where you can lead with Avecto (which works sort of as advertised).

sdagley
Esteemed Contributor II

@h_stamerjohann Your response does nothing to address the major drawbacks to Santa: it's a Google project not a product, and you're at the mercy of Google to update the kext as Apple is highly unlikely to grant a kext signing certificate to organizations hoping to roll their own.

Please don't lecture me on the issues involved with open source. A little research on my background will quickly show it's an area I have experience with.

For my current WhiteList tool requirements, something officially supported is an absolute necessity, so commercial is what I'm looking at.

h_stamerjohann
New Contributor III

@sdagley Sorry, I have not investigated your background so far. IMO ranting on Google will not really lead to something useful. However, I may be biased, and well, for our needs as an MSP, Santa is great to have.

I fully understand your needs are different. I can recommend Avecto as a commercial option.

sdagley
Esteemed Contributor II

@h_stamerjohann I was not intending to be ranting on Google, they've made some great tools available under open source. If you can live with the risks associated with an open source project, and Santa meets your needs, that's great.

My response to @mm2270 was more of a rant at AW for implying that Santa was a practical solution for organizations needing BlackList functionality that might be unaware of, and/or unable/unwilling to take on the issues that come with it. Much like Jamf could not get away with directing users to rely on AutoPkgr/AutoPkg in lieu of integrated patch management. Not that many of us haven't used, or are still using, those tools, but they come with a different level of burden than Santa.

h_stamerjohann
New Contributor III

OK, yes, valid points. Thanks for the further clarification.

h_stamerjohann
New Contributor III

Be aware that Avecto is not a very Mac-focused shop. The Defendpoint Mac dev team is/was based in the UK (Leeds or Manchester IIRC). We've POC'ed Avecto for a project/client and gave them feedback on a few issues/quirks we found. Not sure they addressed them in later updates. But some stuff in Avecto is working well. However, they also use a kext, so you are literally in the same boat as Santa in terms of needing to whitelist the solution.

prbsparx
Contributor II

CarbonBlack has a product that used to be called Bit9. It is a commercial app, but it uses kernel extensions and, like most security companies, is not Mac centric; however, it has a sufficient company user base to actually have Mac admins dealing with it.

Search for Bit9 and CarbonBlack on these forums and you’ll find info.

I’d recommend you try to get a lengthy pilot to test how it works with updates AND upgrades.

sdagley
Esteemed Contributor II

@h_stamerjohann Thanks for the Avecto feedback. I learned today our PC team has experience with the Windows version, so that will favor asking for an evaluation of Defendpoint.

I don't believe any viable WhiteList solution can function today without a kext. It will be interesting to see if Apple announces anything at this year's WWDC that will change that requirement.

sdagley
Esteemed Contributor II

@prbsparx Thanks for the CB feedback. I had seen it mentioned in other threads, but the most recent posts seemed related to it causing kernel panics due to an incompatibility between their kext and Apple's Security Updates, so that kind of cast it in a negative light.

prbsparx
Contributor II

@sdagley unfortunately, you’re correct. Almost all whitelisting apps require a Kernel Extension at this time.

Unfortunately CarbonBlack’s appears to rely on private APIs and therefore breaks at times.

Santa is the one I’ve heard that performs best, but it’s made by Google’s Mac management department.

I’m not sure you’ll find a better one, but if you do, let me know!

hulsebus
New Contributor III

As you've probably seen from the other posts, I am running Defendpoint at our org on both Windows and Mac. We also evaluated Powerbroker from BeyondTrust.

Yes, I would agree that Defendpoint has Windows as a primary focus, but I've had a reasonable experience with Mac support. Most of the major issues I've run into were (IMHO) more caused by changes Apple made than bugs in Defendpoint. What I have the most issues with is tuning the white-list. We have a lot of varied software and some pieces need multiple white-list entries depending on how the application runs/updates.

sdagley
Esteemed Contributor II

@hulsebus I had seen your other posts on Defendpoint, thanks for the follow up.

@prbsparx It looks like we've asked for an evaluation install of Defendpoint, so we may not be expanding the field but should be able to add to the Defendpoint feedback.

gmarnin
New Contributor III

Curious, does Jamf Pro not have the ability to do Application Whitelisting natively? I recently saw a demo of Jamf Pro and it looked like that was a feature. If Jamf Pro can do it, why look for a 3rd party solution?

hulsebus
New Contributor III

@gmarnin JAMF Pro offers "black-listing" or restrictions as far as being able to kill/delete processes. Defendpoint does white-listing in the sense that applications that are white-listed can be allowed to elevate to admin privileges without the user needing their own admin privileges. Defendpoint also lets you define processes that aren't allowed to run, similar to JAMF Pro. We purchased Defendpoint with the intention of not giving any users admin-privileged accounts.

mm2270
Legendary Contributor III

@gmarnin Well, I think you're referring to what Jamf calls "Restricted Software", which, yes, is a thing in the product. It's not quite the same as Application Whitelisting though. If you research what Application Whitelisting is, you'll see it tends to work on a deeper level in the OS, hence why some of the products mentioned use KEXTs for this. Jamf's Restricted Software is a combination of a LaunchDaemon and a local tool (jamfAgent) to do its work. For our purposes, Restricted Software can take care of most of our requirements, but some environments have stricter requirements and might need something more robust than what Jamf offers.

prbsparx
Contributor II

One of the biggest drawbacks of Jamf's Restricted Software is that it doesn't kill any processes that are already running when it's enabled. If a process is running and you enable a Restricted Software entry for it, you have to wait until the computer restarts or the process is quit for the Restricted Software rules to kick in for that process.

sdagley
Esteemed Contributor II

A Public Service Announcement for anyone using Avecto Defendpoint and @pbowden's Jamf helper script to control msupdate: it's broken in Defendpoint 5.0.19950.0. Specifically, the script's usage of sudo to call the defaults and msupdate tools as the logged-in user does not work. There should be a new Defendpoint release in late August that corrects this issue.