
Handle Parallels App Certificates

Open j-steig opened this issue 3 years ago • 3 comments

Description

When launching apps in Parallels, the applications are getting blocked because the application which is being launched in Parallels appears to use a different app signing certificate format.

This is what it returns with santa fileinfo ... Code-signed: Yes, but signing is not consistent across all architectures.

j-steig, Sep 19 '22 16:09

None of us on the team have Parallels, so the more information you could give us the better.

Can you paste the full output of the santactl fileinfo command?

Also, when you say launching apps in Parallels, are you talking about Coherence mode?

pmarkowsky, Sep 22 '22 14:09

The main issue with Parallels is even if the app is approved, there are dependencies that run in macOS that get blocked.

One example is WinAppHelper being blocked by Santa.

  • There are several instances in Santa events for WinAppHelper. For example, apps like Microsoft Edge.app, Node.js, Windows Terminal.app, and Windows installer.app each have their own Santa event when running
  • They each follow the file path ~/Applications (Parallels)/{UNIQUE_ID} Applications.localized/{Windows App name}.app/Contents/MacOS
  • Exiting Coherence mode did not resolve their issue

andyury, Jan 27 '23 16:01

@andyury so looking at that WinAppHelper screenshot. The application is unsigned and depending on your configuration and Santa rules this is working as intended.

You'd need to approve each of the helpers / dependencies to make this work. I'd recommend writing a script to use the santactl fileinfo command to find the hashes for those helpers and/or create allow rules if you're not using a sync server.

Alternatively, you could also use file path matching to support this by setting AllowedPathRegex in your configuration profile to match this for your users. The second option is not as great, as anything that ends up at paths matching the regexp will be allowed to execute.

pmarkowsky, Dec 21 '23 17:12
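
The script suggested in the comment above, as an added example (not part of the thread and not Santa project code): it walks the stub layout quoted earlier in the thread, reads each helper's SHA-256 with `santactl fileinfo`, and prints one allow-rule command per unique digest for review instead of applying anything. `PARALLELS_ROOT`, the function names and the `santactl rule --allow --sha256` form are assumptions; confirm the rule flags against the usage text of your santactl build.

```shell
#!/bin/sh
# Added example (not Santa project code): emit allow-rule commands for the
# helper binaries Parallels generates, for review before anything is applied.

# Assumption: stub root and layout as quoted in the thread:
#   ~/Applications (Parallels)/{UNIQUE_ID} Applications.localized/<App>.app/Contents/MacOS
PARALLELS_ROOT="${PARALLELS_ROOT:-$HOME/Applications (Parallels)}"
TAB="$(printf '\t')"

# Print "sha256<TAB>path" for every regular file in the stubs' MacOS folders.
list_helper_hashes() {
  for bin in "$1"/*/*.app/Contents/MacOS/*; do
    [ -f "$bin" ] || continue
    # The output below is meant to be read and then run, so refuse paths
    # carrying control characters (newline, tab) that could forge a line.
    case "$bin" in *[[:cntrl:]]*) continue ;; esac
    # With a single --key, fileinfo is expected to print just that value.
    sha="$(santactl fileinfo --key SHA-256 "$bin" 2>/dev/null | tr -d '[:space:]')"
    # Keep only a well-formed lowercase SHA-256 digest.
    case "$sha" in ''|*[!0-9a-f]*) continue ;; esac
    [ "${#sha}" -eq 64 ] || continue
    printf '%s\t%s\n' "$sha" "$bin"
  done
}

# Collapse to one rule per unique digest; the path is kept as a comment so the
# reviewer can see which stub the hash came from.
emit_allow_rules() {
  sort -u -t "$TAB" -k1,1 | while IFS="$TAB" read -r sha bin; do
    printf '# %s\n' "$bin"
    printf 'sudo santactl rule --allow --sha256 %s\n' "$sha"
  done
}

# Dry run: prints commands only. Local rules apply only without a sync server.
list_helper_hashes "$PARALLELS_ROOT" | emit_allow_rules
```

Pinning rules to reviewed digests keeps the allowance narrower than an AllowedPathRegex entry, which permits whatever lands under the matching path.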

Marking this as closed since it's been stale for a while. Please feel free to reopen.

pmarkowsky, Mar 13 '24 01:03