What Are Compliance Scripts?
Compliance scripts are zsh scripts that check macOS security settings against your baseline and optionally fix non-compliant settings. They handle settings that can’t be enforced through configuration profiles or DDM.
The mSCP project generates a compliance script from your baseline, designed to be deployed via MDM or run locally.
What the Script Does
| Feature | Description |
|---|---|
| Check | Scan current settings against the baseline and report status |
| Fix | Remediate non-compliant settings to match the baseline |
| Exemptions | Respect rules marked as exempt (configured via MDM) |
| Interactive | Menu-driven mode for running scans and viewing reports |
When to Use Compliance Scripts
| Use Case | Description |
|---|---|
| Settings not supported by profiles | Some security settings can only be configured via script |
| Auditing | Generate compliance reports for review |
| Remediation | Fix settings that drift from the baseline |
| Standalone Macs | Devices not managed by MDM |
What the Project Generates
| Output | Location |
|---|---|
| BASELINE_NAME_compliance.sh | build/BASELINE_NAME/ |
| org.BASELINE_NAME.audit.plist | build/BASELINE_NAME/preferences/ |
Next Steps
- How to Generate Compliance Scripts - Create a script from your baseline
- Compliance Script Layout - Understand the script structure