PATTERN Cited by 1 source

Static allowlist for critical rules¶

When an enforcement tool pulls its ruleset from a central sync server, there's a dependency chain: network → sync server → complete ruleset delivery → local enforcement. Break any link and the enforcer is either lying (missing allow rules → valid binaries blocked) or silent (no rules at all → fail-open or fail-closed depending on config).

Static allowlist for critical rules breaks the dependency for the handful of rules that must never fail-closed: pin them in the local configuration shipped with the enforcer's install image, so they're valid regardless of sync-server state.

Shape¶

Identify the minimum set of must-run binaries — typically MDM client (the only way to fix a broken device remotely), browser (gateway to support docs / self-service portals), chat client (how the user gets help), VPN client (if that's how users reach the corporate network).
Hard-code those rules in the enforcer's local config — this is config that ships with the agent install, managed by the MDM deploy pipeline, not distributed by the sync server.
Keep the list very short — every static rule is a rule that skips the normal review workflow. Static ≠ "all rules that seem important"; static = "rules whose failure would prevent us from ever fixing this machine remotely".
Audit when changed — static-rule updates flow with the agent release, which goes through the full software-release pipeline (code review, signed builds, staged rollout), not the rule-change pipeline.

Why this matters specifically¶

With small rulesets (hundreds of entries), rule sync is sub-second and rarely fails. The pattern matters when the ruleset grows enough that initial sync on a new device takes long enough to occasionally fail mid-delivery:

User gets a brand new laptop.
MDM installs the enforcer agent.
Agent attempts first full sync.
Connection drops mid-sync; agent has partial ruleset.
Critical apps (MDM itself, Chrome, Slack) aren't in the partial set.
User boots to a locked-down machine they can't communicate through to ask for help.

The static allowlist is the minimum set needed to get the user back to a state where they can receive help and the agent can complete its sync.

Why this isn't cheating¶

Static rules are a bounded surface (a dozen rules, all for apps users would install anyway). The sync-server path handles the other 79,000+ rules.
The release pipeline for agent config is not the rule-change pipeline — static rules go through strict code-review + package-signing, while sync-server rules go through the day-to-day rule-edit workflow. Trust levels are different on purpose.
Without this pattern the team has a sync-at-install-time single-point-of-failure baked into their rollout strategy.

Cost¶

Any change to static rules requires an agent re-release, so they can't churn.
The set of apps in the static allowlist is effectively a "cannot be killed by security" list — which means those apps' supply chains need appropriate vetting.

Seen in¶

sources/2026-04-21-figma-rolling-out-santa-without-freezing-productivity — Figma's Santa deployment grew to ~80,000 Binary rules via Package Rule auto-generation. Initial sync times for new machines reached several minutes, occasionally dropping the connection mid-sync → incomplete rule set → valid apps blocked. Mitigation: pin MDM, Chrome, Slack, Zoom as Santa static rules in the local configuration. Critical apps work regardless of sync state. Canonical wiki instance. Figma flags "improve Package rule maintenance" and "expire older-version rules" as ongoing work to shrink the ruleset over time.

concepts/binary-authorization — the canonical enforcement context.
systems/santa — the reference tool.
patterns/package-rule-auto-generation — the pattern whose scale introduces the failure mode this pattern hedges.
patterns/emergency-bypass — the steady-state bigger-hammer alternative (skip the gates entirely); static allowlist is the preventive rather than reactive form.