How to Generate Configuration Profiles

Configuration profiles are generated as part of the guidance output using the -p flag. The script reads your baseline and creates .mobileconfig files ready for MDM deployment.

Note

You need a baseline first. See How to Generate Baselines if you haven’t created one.

---

Generate Configuration Profiles

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

1. Generate unsigned profiles

   ./mscp.py guidance custom/baselines/BASELINE_NAME.yaml -p

   Example:

   ./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -p

2. Find your files

   Profiles are saved to build/BASELINE_NAME/mobileconfigs/:

   • Directorybuild/

     • Directory800-53r5_moderate_macos_26.0/

       • Directorymobileconfigs/

         • Directoryunsigned/ Unsigned profiles (.mobileconfig)

           • …
         • Directorypreferences/ Preference plists (.plist)

           • …
         • Directorygranular/ Granular profiles (if —granular-profiles)

           • …

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

1. Generate unsigned profiles

   ./scripts/generate_guidance.py -p baselines/BASELINE_NAME.yaml

   Example:

   ./scripts/generate_guidance.py -p baselines/800-53r5_moderate.yaml

2. Find your files

   Profiles are saved to build/BASELINE_NAME/mobileconfigs/:

   • Directorybuild/

     • Directory800-53r5_moderate/

       • Directorymobileconfigs/

         • Directoryunsigned/ Unsigned profiles (.mobileconfig)

           • …
         • Directorypreferences/ Preference plists (.plist)

           • …

---

Generate Signed Profiles

Container Users

Signed profiles are not functional when running mSCP through a container. You must use the manual (local) installation method to sign profiles.

Signed profiles verify authenticity and prevent tampering. You need a signing certificate installed in your keychain.

Step 1: Get your certificate’s Subject Key ID

First, find the offset:

security find-certificate -c "Your Certificate Name" -p | \
  openssl asn1parse | \
  awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}'

Then extract the hash using that offset (replace OFFSET with the number from above):

security find-certificate -c "Your Certificate Name" -p | \
  openssl asn1parse -strparse OFFSET | \
  awk -F: '/HEX DUMP/{print $4}'

Replace "Your Certificate Name" with your signing certificate’s common name.

Step 2: Generate signed profiles

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

./mscp.py guidance custom/baselines/BASELINE_NAME.yaml -p -H SUBJECT_KEY_ID

Example:

./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -p -H ABC123DEF456

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

./scripts/generate_guidance.py -p -H SUBJECT_KEY_ID baselines/BASELINE_NAME.yaml

Example:

./scripts/generate_guidance.py -p -H ABC123DEF456 baselines/800-53r5_moderate.yaml

Step 3: Find your signed files

• Directorybuild/

  • DirectoryBASELINE_NAME/

    • Directorymobileconfigs/

      • Directoryunsigned/ Unsigned profiles

        • …
      • Directorysigned/ Signed profiles

        • …
      • Directorypreferences/ Preference plists

        • …

Tip

Signing is optional. Signed profiles verify the profile hasn’t been modified and can prevent unauthorized changes.

---

Command Reference

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

Flag	Description
-p	Generate individual profiles (one per payload type)
--consolidated-profile	Generate a single consolidated profile
--granular-profiles	Generate granular profiles
-H HASH	Sign profiles with your certificate’s Subject Key ID

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Flag	Description
-p	Generate individual profiles (one per payload type)
-P	Generate a single consolidated profile
-H HASH	Sign profiles with your certificate’s Subject Key ID

---

Individual vs Consolidated Profiles

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

Type	Flag	Best For
Individual	-p	Flexibility — deploy only the profiles you need
Consolidated	--consolidated-profile	Simplicity — one profile with all settings
Granular	--granular-profiles	Fine-grained control per payload

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Type	Flag	Best For
Individual	-p	Flexibility — deploy only the profiles you need
Consolidated	-P	Simplicity — one profile with all settings

Most organizations prefer individual profiles (-p) for easier management and troubleshooting.

---

Next Steps

• Configuration Profile Layout — Understand the file structure
• How to Generate Guidance — Generate all outputs at once