Working in only in 1 of 7 devices

[jesb92]

Hi,

I'm a bit lost here, I've trying to deploy Santa for the last weeks but for some strange reason is only working for 1 device of 7 (test group), all of them have the same configuration and Santa version.
Not sure if was the way of deployment or order (not sure if it's important) but I decided to remove everything and try again and now with the same configuration before I have 0/7 devices working.

I've followed the steps from santa.dev and using the templates just adding to block one app for test purposes, but same result.

Not sure what I'm doing wrong or different.

Any help is appreciated.
Thanks.

[pmarkowsky]

Thanks for trying it. Hard to say what's happening without more information.

You may want to look at https://www.radiotope.com/posts/santa_client_troubleshooting/ It's a little old but has some good pointers for debugging.

Off the top of my head I can think of a few things to check

1. What does santactl status return when you run it from the terminal?
2. What does systemextensionctl status return?
3. Did you give the Santa daemon full disk access and approved it via your MDM or System settings?
4. Have you checked your santa.mobileconfig with plutil to make sure its well formed?
5. Do you see any error logs in Console.app when you search for santa?

[jesb92]

Thanks @pmarkowsky, I wasn't sure what info I should share. I will explain my configuration a little bit more.
Have to say first of all that I'm using Intune.
I have 3 different profiles.

1. SantaTCC -> .mobileconfig, got the info from here
2. Santa System Extensions -> .mobileconfig, info from here
3. Santa Block app list -> .mobileconfig, info from here

Running santactl status and systemextensionctls status the results are the same command not found: santactl // systemextensionctl.

I never have used plutil before, can you please give me an example? I'll google some examples online anyway.
No info in console.app if I search for santa

[mlw]

Re: santactl: The installer places a symbolic link in /usr/local/bin/, perhaps that's not in your PATH? You could try:

/usr/local/bin/santactl status

If that doesn't work, please make sure the application is actually installed (/Applications/Santa.app).

Re: Checking system extension status: There was a minor typo in the command. Please run:

systemextensionsctl list

[jesb92]

Hi,
Today I can see some information in the console.app.

For some reason Intune was reporting that Santa was installed but actually it wasn't. After I installed Santa manually, I've received some information.
santactl status

Daemon Info
Mode | Monitor
Log Type | file
File Logging | No
USB Blocking | No
On Start USB Options | None
Watchdog CPU Events | 0 (Peak: 0.17%)
Watchdog RAM Events | 0 (Peak: 4.57MB)
Cache Info
Root cache count | 9
Non-root cache count | 0
Database Info
Binary Rules | 0
Certificate Rules | 0
TeamID Rules | 0
SigningID Rules | 0
Compiler Rules | 0
Transitive Rules | 0
Events Pending Upload | 2
Static Rules
Rules | 1
Watch Items
Enabled | No
Sync Info
Sync Server | https://sync-server-hostname/api/santa/
Clean Sync Required | Yes
Last Successful Full Sync | Never
Last Successful Rule Sync | Never
Push Notifications | Disconnected
Bundle Scanning | No

Running systemextensionsctl list
EQHXZ8M8AV com.google.santa.daemon (2024.2/2024.2.605404402) santad [activated enabled]

Thanks.

[mlw]

It's not clear from the reply - now that you've verified installation are things working as expected? If not, what issues specifically are you seeing?