mSCP 2.0 Beta

mSCP 2.0 is a major architectural evolution — a unified codebase that eliminates the need for separate branches per macOS version.

What’s New

📦

Unified RepositoryOne branch for all macOS versions — no more per-version branches.

📋

Multi-Version RulesEach rule contains configs for macOS 14, 15, 26+ in one file.

🗂️

Organized ReferencesReferences grouped by source: nist, disa, cis.

⚡

Simplified SetupRun via container with zero local dependencies, or install locally with pip.

At a Glance

	mSCP 1.0	mSCP 2.0
Repository	Branch per macOS version	Single unified branch
Rules	One version per file	All versions in one file
References	Flat (`800-53r5`, `disa_stig`)	Nested (`nist.800-53r5`, `disa.disa_stig`)
Maintenance	Update each branch	Single source of truth

Rule Comparison

The biggest change is how rules handle multiple macOS versions:

mSCP 1.0 — Separate file per version in each branch:

macOS: ['15.0']
references:
  cce: [CCE-94195-5]
  disa_stig: [APPL-15-002064]

mSCP 2.0 — All versions in one file:

references:
  nist:
    cce:
      macos_26: [CCE-95195-4]
      macos_15: [CCE-94195-5]
      macos_14: [CCE-92795-4]
  disa:
    disa_stig:
      macos_26: [APPL-26-002064]
      macos_15: [APPL-15-002064]
      macos_14: [APPL-14-002064]

platforms:
  macOS:
    '26.0':
      benchmarks:
        - name: disa_stig
          severity: high
    '15.0':
      benchmarks:
        - name: disa_stig
          severity: high

Directory Structure

macos_security/
├── config/
│   ├── default/
│   │   ├── rules/           # Rule YAML files
│   │   │   ├── audit/
│   │   │   ├── auth/
│   │   │   ├── icloud/
│   │   │   ├── os/
│   │   │   ├── pwpolicy/
│   │   │   ├── settings/
│   │   │   └── system_settings/
│   │   └── baselines/       # Baseline definitions
│   ├── custom/              # User customizations
│   ├── includes/            # Shared includes
│   └── locales/             # Localization files
├── src/
│   └── mscp/                # Python CLI package
│       ├── cli.py
│       ├── admin_utils/
│       ├── classes/
│       ├── common_utils/
│       └── generate/
├── schema/                  # YAML schema definitions
├── rules → config/default/rules      # Symlink
├── baselines → config/default/baselines
└── custom → config/custom

Installation

Option 1: Container (Recommended)

The easiest way to get started — no local dependencies required.

Requirements:

A container solution is required:
- Apple Container (Recommended)
- Docker

Create Local Folders
Section titled “Create Local Folders”
Terminal window
```
mkdir -p ~/Desktop/mscp/custom
```

Run the Container

Using Apple Container:

container run -it \
  --volume ~/Desktop/mscp:/mscp/build \
  --volume ~/Desktop/mscp/custom:/mscp/custom \
  ghcr.io/usnistgov/macos_security:latest

Apple Container commands Click to expand

Start the container service (required before first run):

container system start

Exit the container:

exit

Stop the container service:

container system stop

Check container service status:

container system status

Or Using Docker:

# Note: Docker requires full paths for volume mounts
docker run -it \
  --volume /Users/<username>/Desktop/mscp:/mscp/build \
  --volume /Users/<username>/Desktop/mscp/custom:/mscp/custom \
  ghcr.io/usnistgov/macos_security:latest

Generate Content

# Create a baseline
./mscp.py baseline -k cis_lvl1
# Generate guidance with all outputs
./mscp.py guidance custom/baselines/cis_lvl1_macos_26.0.yaml -A
# Output: MSCP DOCUMENT GENERATION COMPLETE! All documents in: /build/cis_lvl1_macos_26.0/

Option 2: Manual Method (Python + Ruby)

Manual setup with virtual environment.

Requirements:

Python >= 3.14
- Recommended: Macadmins Python
Ruby >= 3.4.4

Clone the Repository

git clone -b dev_2.0 https://github.com/usnistgov/macos_security.git
cd macos_security

Python Setup

# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate

# Update and install tools
python3 -m pip install --upgrade pip setuptools wheel
python3 -m pip install --upgrade -r requirements.txt

Having Python version issues? Click to expand

Check your Python version:

python3 --version

Check version inside the venv:

source .venv/bin/activate
python --version

List all installed Python versions:

ls /opt/homebrew/bin/python3*
ls /usr/local/bin/python3*

Create venv with a specific version:

# Remove old venv if needed
rm -rf .venv

# Use full path to the Python version you want
/opt/homebrew/bin/python3.13 -m venv .venv
source .venv/bin/activate

Ruby Setup

bundle config path mscp_gems
bundle config bin mscp_gems/bin
bundle install
bundle binstubs --all

Generate Content

# Create a baseline
./mscp.py baseline -k cis_lvl1

# Generate guidance with all outputs
./mscp.py guidance custom/baselines/cis_lvl1_macos_26.0.yaml -A

# When done, deactivate the virtual environment
deactivate

Why the Change?

Faster Updates — Rule changes apply to all versions at once
Less Maintenance — No branch synchronization headaches
Clear Version Support — See all supported versions in one file
Version Overrides — Different checks per macOS version when needed
Easier Contributions — Work in one branch, not many

Status

Completed

Unified multi-version rule format
Restructured references (nist/disa/cis)
New directory layout
Python package setup

In Progress

Full feature parity with 1.0
CLI documentation
Migration guide
Production release

Get Involved

Test the BetaTry the dev_2.0 branch Report IssuesGitHub Issues DiscussGitHub Discussions Chat#macos_security_compliance

Next Steps

Getting Started — Set up mSCP 1.0 or 2.0
Quick Guide — Complete start to finish walkthrough
Resources — Training and tools

mSCP 2.0 Beta

What’s New

At a Glance

Rule Comparison

Directory Structure

Installation

Option 1: Container (Recommended)

Create Local Folders

Run the Container

Generate Content

Option 2: Manual Method (Python + Ruby)

Clone the Repository

Python Setup

Ruby Setup

Generate Content

Why the Change?

Status

Get Involved

Next Steps