How to Generate Configuration Profiles

Configuration profiles are generated using the generate_guidance.py script with the -p flag. The script reads your baseline and creates .mobileconfig files ready for MDM deployment.

Note

You need a baseline first. See How to Generate Baselines if you haven’t created one.

Always Use the Correct Branch (mSCP 1.0)

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

mSCP 2.0 (currently in beta) will remove the per-branch requirement and introduce easier installation methods.

---

Generate Configuration Profiles

1. Generate unsigned profiles

   ./scripts/generate_guidance.py -p baselines/BASELINE_NAME.yaml

   Example:

   ./scripts/generate_guidance.py -p baselines/800-53r5_moderate.yaml

2. Find your files

   Profiles are saved to build/BASELINE_NAME/mobileconfigs/:

   • Directorybuild/

     • Directory800-53r5_moderate/

       • Directorymobileconfigs/

         • Directoryunsigned/ - Unsigned profiles (.mobileconfig)

           • …
         • Directorypreferences/ - Preference plists (.plist)

           • …

---

Generate Signed Profiles

Signed profiles verify authenticity and prevent tampering. You need a signing certificate installed in your keychain.

1. Get your certificate’s Subject Key ID

   First, find the offset:

   security find-certificate -c "Your Certificate Name" -p | \
     openssl asn1parse | \
     awk -F: '/X509v3 Subject Key Identifier/ {getline; print $1}'

   Then extract the hash using that offset (replace OFFSET with the number from above):

   security find-certificate -c "Your Certificate Name" -p | \
     openssl asn1parse -strparse OFFSET | \
     awk -F: '/HEX DUMP/{print $4}'

   Replace "Your Certificate Name" with your signing certificate’s common name.

2. Generate signed profiles

   ./scripts/generate_guidance.py -p -H SUBJECT_KEY_ID baselines/BASELINE_NAME.yaml

   Example:

   ./scripts/generate_guidance.py -p -H ABC123DEF456 baselines/800-53r5_moderate.yaml

3. Find your signed files

   • Directorybuild/

     • Directory800-53r5_moderate/

       • Directorymobileconfigs/

         • Directoryunsigned/ - Unsigned profiles

           • …
         • Directorysigned/ - Signed profiles

           • …
         • Directorypreferences/ - Preference plists

           • …

Tip

Signing is optional. Signed profiles verify the profile hasn’t been modified and can prevent unauthorized changes.

---

Command Reference

Flag	Description
-p	Generate individual profiles (one per payload type)
-P	Generate a single consolidated profile
-H HASH	Sign profiles with your certificate’s Subject Key ID

---

Individual vs Consolidated Profiles

Type	Flag	Best For
Individual	-p	Flexibility - deploy only the profiles you need
Consolidated	-P	Simplicity - one profile with all settings

Most organizations prefer individual profiles (-p) for easier management and troubleshooting.

---

Next Steps

• Configuration Profile Layout - Understand the file structure
• How to Generate Guidance - Generate all outputs at once