mSCP 2.0 Beta

mSCP 2.0 is a major architectural evolution — a unified codebase that eliminates the need for separate branches per macOS version.

What’s New

📦

Unified RepositoryOne branch for all macOS versions — no more per-version branches.

📋

Multi-Version RulesEach rule contains configs for macOS 14, 15, 26+ in one file.

🗂️

Organized ReferencesReferences grouped by source: nist, disa, cis.

⚡

Simplified SetupJust pip3 install -r requirements.txt to get started.

At a Glance

	mSCP 1.0	mSCP 2.0
Repository	Branch per macOS version	Single unified branch
Rules	One version per file	All versions in one file
References	Flat (`800-53r5`, `disa_stig`)	Nested (`nist.800-53r5`, `disa.disa_stig`)
Maintenance	Update each branch	Single source of truth

Rule Comparison

The biggest change is how rules handle multiple macOS versions:

mSCP 1.0 — Separate file per version in each branch:

macOS: ['15.0']
references:
  cce: [CCE-94195-5]
  disa_stig: [APPL-15-002064]

mSCP 2.0 — All versions in one file:

references:
  nist:
    cce:
      macos_26: [CCE-95195-4]
      macos_15: [CCE-94195-5]
      macos_14: [CCE-92795-4]
  disa:
    disa_stig:
      macos_26: [APPL-26-002064]
      macos_15: [APPL-15-002064]
      macos_14: [APPL-14-002064]

platforms:
  macOS:
    '26.0':
      benchmarks:
        - name: disa_stig
          severity: high
    '15.0':
      benchmarks:
        - name: disa_stig
          severity: high

Directory Structure

macos_security/
├── config/
│   └── default/
│       ├── rules/           # Rule YAML files
│       │   ├── audit/
│       │   ├── auth/
│       │   ├── os/
│       │   ├── pwpolicy/
│       │   └── system_settings/
│       └── baselines/       # Baseline definitions
├── src/
│   └── mscp/                # Python CLI package
│       ├── cli.py
│       ├── classes/
│       └── generate/
├── schema/                  # YAML schema definitions
├── rules → config/default/rules      # Symlink
├── baselines → config/default/baselines
└── custom/                  # User customizations

Installation

There are three ways to run mSCP 2.0. Choose the method that works best for your environment.

Option 1: Python + Ruby

Manual setup with virtual environment.

Requirements:

Python >= 3.12.1 (3.14 is not supported)
- Recommended: Macadmins Python
Ruby >= 3.4.4

Clone the Repository

git clone -b dev_2.0 https://github.com/usnistgov/macos_security.git
cd macos_security

Python Setup

# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate

# Install requirements
python3 -m pip install .

Having Python version issues? Click to expand

Check your Python version:

python3 --version

Check version inside the venv:

source .venv/bin/activate
python --version

List all installed Python versions:

ls /opt/homebrew/bin/python3*
ls /usr/local/bin/python3*

Create venv with a specific version:

# Remove old venv if needed
rm -rf .venv

# Use full path to the Python version you want
/opt/homebrew/bin/python3.13 -m venv .venv
source .venv/bin/activate

Ruby Setup
Section titled “Ruby Setup”
Terminal window
```
bundle install --binstubs --path mscp_gems
```

Generate Content

# Create a baseline
./mscp.py baseline -k cis_lvl1

# Generate guidance with all outputs
./mscp.py guidance custom/baselines/cis_lvl1_macos_26.0.yaml -A

# When done, deactivate the virtual environment
deactivate

Option 2: Container

The easiest way to get started — no local dependencies required.

Requirements:

Apple Container or Docker

Create Local Folders
Section titled “Create Local Folders”
Terminal window
```
mkdir -p ~/Desktop/mscp/custom
```

Run the Container

Using Apple Container:

container run -it \
  --volume ~/Desktop/mscp:/mscp/build \
  --volume ~/Desktop/mscp/custom:/mscp/custom \
  ghcr.io/brodjieski/mscp_2.0:latest

Apple Container commands Click to expand

Start the container service (required before first run):

container system start

Exit the container:

exit

Stop the container service:

container system stop

Check container service status:

container system status

Or Using Docker:

# Note: Docker requires full paths for volume mounts
docker run -it \
  --volume /Users/<username>/Desktop/mscp:/mscp/build \
  --volume /Users/<username>/Desktop/mscp/custom:/mscp/custom \
  ghcr.io/brodjieski/mscp_2.0:latest

Generate Content

# Create a baseline
./mscp.py baseline -k cis_lvl1
# Generate guidance with all outputs
./mscp.py guidance custom/baselines/cis_lvl1_macos_26.0.yaml -A
# Output: MSCP DOCUMENT GENERATION COMPLETE! All documents in: /build/cis_lvl1_macos_26.0/

Option 3: UV Workflow

A fast, modern Python workflow using uv.

Requirements:

uv
Ruby

Clone and Setup

git clone https://github.com/usnistgov/macos_security.git
cd macos_security
git checkout dev_2.0
bundle install --binstubs --path mscp_gems

Run Commands

uv run --python 3.13 mscp.py guidance config/default/baselines/macos/15/cis_lvl1.yaml

Why the Change?

Faster Updates — Rule changes apply to all versions at once
Less Maintenance — No branch synchronization headaches
Clear Version Support — See all supported versions in one file
Version Overrides — Different checks per macOS version when needed
Easier Contributions — Work in one branch, not many

Status

Completed

Unified multi-version rule format
Restructured references (nist/disa/cis)
New directory layout
Python package setup

In Progress

Full feature parity with 1.0
CLI documentation
Migration guide
Production release

Get Involved

Test the BetaTry the dev_2.0 branch Report IssuesGitHub Issues DiscussGitHub Discussions Chat#macos_security_compliance

Next Steps

Getting Started (mSCP 1.0) — Current stable version
Resources — Training and tools

mSCP 2.0 Beta

What’s New

At a Glance

Rule Comparison

Directory Structure

Installation

Option 1: Python + Ruby

Clone the Repository

Python Setup

Ruby Setup

Generate Content

Option 2: Container

Create Local Folders

Run the Container

Generate Content

Option 3: UV Workflow

Clone and Setup

Run Commands

Why the Change?

Status

Get Involved

Next Steps