Skip to main content

Settings

The Settings interface provides a centralized control panel for configuring Workshop's global settings that affect all hosts in your organization. This dashboard allows administrators to manage default sync settings, USB blocking behavior, and user access.

Default Client Mode

The Client Mode setting determines the default enforcement behavior for all Santa agents across your organization:

  • Monitor: Allows all executions but logs them for review
  • Lockdown: Only allows executions that match allowlist rules
  • Standalone: Operates without connecting to the sync server

Individual hosts can be assigned different modes that override this global default.

Learn more about modes

On-Demand Monitor Mode

On-Demand Monitor Mode allows hosts to temporarily transition into Monitor Mode for a limited duration. This feature is useful when users need to execute applications that would normally be blocked in Lockdown mode, without permanently changing the host's enforcement mode.

When enabled, hosts can request temporary Monitor Mode access through the Santa client. The duration of this temporary access is controlled by two settings:

  • Max Minutes: The maximum number of minutes a machine is allowed to transition into Monitor Mode. Valid range: 1-43,200 minutes (1 minute to 30 days). This setting acts as an upper bound for any Monitor Mode request.

  • Default Duration Minutes: The default number of minutes of Monitor Mode granted when requested if no duration is explicitly specified. If set to 0 or not specified, the Max Minutes value is used as the default. This value must not exceed Max Minutes.

When On-Demand Monitor Mode is disabled, hosts cannot request temporary Monitor Mode access and must rely on their configured Client Mode setting.

USB Blocking

USB Blocking controls whether Santa will block the mounting of USB storage devices:

  • Disabled: USB devices can be mounted normally
  • Enabled: USB devices will be blocked from mounting
  • Enabled with Remount Flags: USB devices will be blocked, but can be remounted with specific flags

Sync Intervals

Sync Intervals control how frequently Santa agents communicate with the Workshop server to retrieve updated rules and configurations.

  • Full Sync Interval: Determines how often hosts perform a progressive sync with the server. Valid range: 60-86,400 seconds (1 minute to 24 hours). Default is 600 (10 min).

  • Push Notification Full Sync Interval: When Push Notifications are enabled, this setting determines how often hosts perform a progressive sync with the server. Valid range: 60-86,400 seconds (1 minute to 24 hours). Default is 14400 (4 hours).

Santa Auth

Workshop supports two methods for authenticating Santa clients. Changes to authentication methods will affect the generated config shown on the Santa tab. If both Token and mTLS authentication are enabled, the config will use the mTLS configuration.

Token Authentication

Token-based authentication allows Santa clients to authenticate using bearer tokens. You can manage authentication tokens from the Settings interface:

  • Multiple Tokens: Create and manage multiple authentication tokens for different deployments or environments
  • Last Used Tracking: Each token displays the timestamp of its last use, helping you identify active and inactive tokens
  • Token Deletion: Tokens can be deleted when they are no longer needed, immediately revoking access for any clients using that token

When using token authentication, Santa clients connect to the standard SyncBaseURL (e.g., https://tenant.workshop.cloud/santa).

mTLS Authentication

Mutual TLS (mTLS) authentication provides certificate-based authentication for enhanced security. Workshop supports configuring multiple Certificate Authority (CA) certificates from the Settings interface, allowing you to manage certificates for different organizational units or for seamless transition between issuing CAs.

When mTLS is enabled, the SyncBaseURL key in Santa's configuration will include an mtls. prefix (e.g., https://mtls.tenant.workshop.cloud/santa). This special URL only works when mTLS authentication is properly configured on both the Workshop server and the Santa client.

Important: The mTLS-prefixed URL will only accept connections from clients presenting valid certificates signed by one of the configured CA certificates. Standard token-based authentication will not work with the mTLS URL.

User Management

The User Management section allows you to configure access to Workshop.

Slack

See Slack Settings for more information.

MCP

See MCP for more information.