How to Generate Guidance

Generating guidance creates outputs from your baseline. By default it generates documentation (AsciiDoc, HTML, PDF). With additional flags, you can also generate compliance scripts, configuration profiles, and more.

---

Generate Guidance

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

1. Run the command with your baseline

   ./mscp.py guidance custom/baselines/BASELINE_NAME.yaml

   Example:

   ./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml

2. Add flags for additional outputs

   ./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -s -p

   This generates guidance docs plus compliance script (-s) and configuration profiles (-p).

   Generate all outputs at once with -A:

   ./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -A

3. Find your files

   All outputs are saved to build/BASELINE_NAME/:

   • Directorybuild/

     • Directory800-53r5_moderate_macos_26.0/

       • 800-53r5_moderate_macos_26.0.adoc AsciiDoc source
       • 800-53r5_moderate_macos_26.0.html Web documentation
       • 800-53r5_moderate_macos_26.0.pdf Printable documentation
       • 800-53r5_moderate_macos_26.0.md Markdown (if -m)
       • 800-53r5_moderate_macos_26.0_compliance.sh Compliance script (if -s)
       • 800-53r5_moderate_macos_26.0.xlsx Excel spreadsheet (if -x)
       • Directorymobileconfigs/ Configuration profiles (if -p)

         • …
       • Directoryactivations/ DDM components (if -d)

         • …
       • Directoryconfigurations/

         • …
       • Directoryassets/

         • …
       • Directorypreferences/

         • …

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

1. Run the script with your baseline

   ./scripts/generate_guidance.py baselines/BASELINE_NAME.yaml

   Example:

   ./scripts/generate_guidance.py baselines/800-53r5_moderate.yaml

2. Add flags for additional outputs

   ./scripts/generate_guidance.py -s -p baselines/800-53r5_moderate.yaml

   This generates guidance docs plus compliance script (-s) and configuration profiles (-p).

3. Find your files

   All outputs are saved to build/BASELINE_NAME/:

   • Directorybuild/

     • Directory800-53r5_moderate/

       • 800-53r5_moderate.adoc AsciiDoc source
       • 800-53r5_moderate.html Web documentation
       • 800-53r5_moderate.pdf Printable documentation
       • 800-53r5_moderate_compliance.sh Compliance script (if -s)
       • 800-53r5_moderate.xls Excel spreadsheet (if -x)
       • Directorymobileconfigs/ Configuration profiles (if -p)

         • Directoryunsigned/ Unsigned profiles

           • …
         • Directorysigned/ Signed profiles (if -H)

           • …
         • Directorypreferences/ Preference plists

           • …
       • Directorydeclarative/ DDM components (if -D)

         • Directoryactivations/

           • …
         • Directoryconfigurations/

           • …
         • Directoryassets/

           • …
       • Directorypreferences/ Audit preference files

         • …

---

Command Reference

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

Flag	Output
(none)	Guidance documents (.adoc, .html, .pdf)
-A	All outputs
-s	Compliance script
-p	Configuration profiles
--consolidated-profile	Single consolidated configuration profile
--granular-profiles	Granular profiles
-d	DDM components
-x	Excel spreadsheet (.xlsx)
-m	Markdown documentation

Additional options:

Flag	Description
-l LOGO	Include custom logo in documentation
-L LANG	Language for output
-H HASH	Sign configuration profiles with certificate
--audit_name NAME	Custom name for audit plist and log
--reference REF	Use reference ID instead of rule ID
--dark	Dark mode output

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Flag	Output
(none)	Guidance documents (.adoc, .html, .pdf)
-s	Compliance script
-p	Configuration profiles (one per payload)
-P	Single consolidated configuration profile
-D	DDM components
-x	Excel spreadsheet

Additional options:

Flag	Description
-h	Show help message
-l LOGO	Include custom logo in documentation
-H HASH	Sign configuration profiles with certificate
-a NAME	Custom name for audit plist and log
-r REF	Use reference ID instead of rule ID

---

Common Examples

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

Generate all outputs:

./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -A

Generate documentation only:

./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml

Generate everything for MDM deployment:

./mscp.py guidance custom/baselines/DISA-STIG_macos_26.0.yaml -s -p -d

Generate with signed profiles:

./mscp.py guidance custom/baselines/cis_lvl2_macos_26.0.yaml -p -H YOUR_CERT_HASH

Generate documentation with custom logo:

./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -l /path/to/logo.png

Generate Markdown output:

./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -m

Generate documentation in a specific language:

./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -L de

The default language is English (en). Available languages are determined by the locales present in config/locales/. See Generate Localization for how to create and compile translation files.

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Generate documentation only:

./scripts/generate_guidance.py baselines/800-53r5_moderate.yaml

Generate everything for MDM deployment:

./scripts/generate_guidance.py -s -p -D baselines/DISA-STIG.yaml

Generate with signed profiles:

./scripts/generate_guidance.py -p -H YOUR_CERT_HASH baselines/cis_lvl2.yaml

Generate documentation with custom logo:

./scripts/generate_guidance.py -l /path/to/logo.png baselines/800-53r5_moderate.yaml

---

Built-in vs Custom Baselines

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

Type	Location	Use Case
Generated	config/custom/baselines/	Baselines created by ./mscp.py baseline
Tailored	config/custom/baselines/	Tailored baselines for your organization

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Type	Location	Use Case
Built-in	baselines/	Standard frameworks without customization
Custom	build/baselines/	Tailored baselines for your organization

Both produce the same outputs. Custom baselines reflect your organization’s specific settings and excluded rules.

---

Next Steps

• How to Generate Configuration Profiles — Details on the -p flag
• How to Generate Compliance Scripts — Details on the -s flag
• Guidance File Example — See a sample PDF output