Rule groups

Rule groups are a way of organizing rules by topic so that they can be enabled or disabled with a single click.

There are three types of rule groups:

Factory rule groups such as the “macOS Services” or “Apple Apps” groups.
Remote rule groups. These are downloaded and updated from a server in .lsrules format. They can be used to keep a set of rules in sync on several computers, e.g. in a corporate environment.
Local rule groups. These are a way to organize your own rules by topic.

The rules in remote rule groups are global by design, so any changes you make to them (enable, disable) will affect all users on the computer and therefore require the Allow Global Rule Editing option to be turned on in Settings > Security.

To add a new rule group, click on the “+” right to the “Rule Groups” section header:

Adding Rule Group

Factory rule groups

Factory rule groups cover topics which many users want to allow as a whole:

macOS Services: Some people trust nobody but Apple, others trust everybody else but not Apple. If you trust Apple and don’t want to review any of the connections made by the operating system or connections to servers under Apple’s control, enable this rule group. It allows all system background processes to connect wherever they like and all apps to connect to Apple servers. These rules cover most of the connections made by a freshly installed macOS, but no apps.
iCloud Services: Likewise, this rule group covers connections from any app into iCloud domains. This is a separate group because you may not be using iCloud even though you trust Apple.
Applications from Apple: This rule group is created at the time you add it, based on currently installed apps. Little Snitch searches the standard locations for apps from Apple (recognized by their code signature) and creates rules allowing them any outgoing connection. This rule group makes sure that all Apple Apps can communicate without restriction. Note, however, that most of the apps found this way will never connect to a remote computer at all. Review the rules after several weeks and delete those which have a use count of zero.
Third Party Applications: This rule group is also created at the time you add it by searching the standard locations for apps which are not from Apple. We do not recommend adding these rules because it defeats much of the purpose of Little Snitch. Some users still want to allow all pre-existing apps to prevent the flood of connection alerts after a new install. They argue that they trusted these apps before Little Snitch was installed and that they are only interested in new processes which they did not install intentionally.

You can enable or disable rule groups at any time. Open Little Snitch Configuration and have a look at the Rule Groups section in the left sidebar.

Remote rule groups

Remote rule groups are used to share a set of rules among multiple computers.

Sharing a group

In order to set up a share point, you need a secure web server (https) with a trusted certificate. Insecure transport is not supported. Little Snitch loads and updates rule groups in the lsrules format, which in JSON syntax.

The easiest way to prepare a file in .lsrules format is to select the rules which should go into the file in Little Snitch and choose File > Export Selected Rules… from the main menu.