Skip to content

How To Generate Configuration Profiles

The primary script for generating configuration profiles is located here in the macos_security repository:

  • Directorymacos_security/
    • Directoryscripts/ ---> Project scripts
      • generate_guidance.py ---> Script to generate configuration profiles

Follow these steps to generate configuration profiles:

  1. Prepare Your Rules YAML

    • Ensure your rules YAML file contains rules with mobileconfig: true and the appropriate mobileconfig_info section.
      Example:
      mobileconfig: true
      mobileconfig_info:
      com.apple.security.smartcard:
      enforceSmartCard: true
  2. Generate Unsigned Configuration Profiles

    • Run the following command to generate unsigned configuration profiles and corresponding plists:
      Terminal window
      ./scripts/generate_guidance.py -p build/baselines/800-53r5_moderate.yaml
  3. (Optional) Generate Signed Configuration Profiles

    • If you want to generate signed configuration profiles, you need the certificate Subject Key ID (not the SHA-1 hash).
    • Retrieve the Subject Key ID with:
      Terminal window
      skid=$(security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse | awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}')
      security find-certificate -c "CodeSigning Certificate Name" -p | openssl asn1parse -strparse $skid | awk -F: '/HEX DUMP/{print $4}'
    • Then use the -H flag with the Subject Key ID to generate signed profiles:
      Terminal window
      ./scripts/generate_guidance.py -p -H <HASHVALUE> build/baselines/800-53r5_moderate.yaml
  4. Locate the Generated Files

    • After running the script, the configuration profiles and plists will be created in the appropriate output directories.

For more information, see How to Generate Baselines or review the baseline file layout.