Quick Guide

A complete start to finish walkthrough of the macOS Security Compliance Project. Install, generate your first baseline, and create compliance documents all in one page.

mSCP 2.0 (Beta)

mSCP 2.0 is currently in Beta

mSCP 2.0 is under active development and should not be used in production. Please report any issues to the project. For production deployments, refer to mSCP 1.0.

Quick Start (Container)

Prefer to install manually with Python and Ruby? See the Getting Started guide for the manual method.

Requirements:

• A container solution is required:
  • Apple Container (Recommended)
  • Docker

1. Create Local Folders

   mkdir -p ~/Desktop/mscp/custom

2. Run the Container

   Using Apple Container:

   container run -it \
     --volume ~/Desktop/mscp:/mscp/build \
     --volume ~/Desktop/mscp/custom:/mscp/custom \
     ghcr.io/usnistgov/macos_security:latest

   Apple Container commands Click to expand

   Start the container service (required before first run):

   container system start

   Exit the container:

   exit

   Stop the container service:

   container system stop

   Check container service status:

   container system status

   Or Using Docker:

   # Note: Docker requires full paths for volume mounts
   docker run -it \
     --volume /Users/<username>/Desktop/mscp:/mscp/build \
     --volume /Users/<username>/Desktop/mscp/custom:/mscp/custom \
     ghcr.io/usnistgov/macos_security:latest

3. Generate a Baseline

   List baselines: ./mscp.py baseline -l

   Generate: ./mscp.py baseline -k BASELINE_NAME

   With tailoring: ./mscp.py baseline -k BASELINE_NAME -t

   config/custom/baselines/cis_lvl1_macos_26.0.yaml

   # Example: Generate CIS Level 1 baseline
   ./mscp.py baseline -k cis_lvl1

4. Generate Outputs

   ./mscp.py guidance custom/baselines/BASELINE_NAME.yaml [flags]

   Flag	Output
   -A	All outputs
   -s	Compliance script
   -p	Configuration profiles
   -d	DDM components
   -x	Excel spreadsheet
   -m	Markdown

   Example — Generate all outputs:

   /build/cis_lvl1_macos_26.0/

   ./mscp.py guidance custom/baselines/cis_lvl1_macos_26.0.yaml -A

5. Use Your Files

   Everything goes to build/BASELINE_NAME/:

   build/cis_lvl1_macos_26.0/
   ├── cis_lvl1_macos_26.0.adoc
   ├── cis_lvl1_macos_26.0.html
   ├── cis_lvl1_macos_26.0.pdf
   ├── cis_lvl1_macos_26.0_compliance.sh
   ├── mobileconfigs/
   ├── preferences/
   ├── activations/
   ├── assets/
   └── configurations/

---

Running the Compliance Script

Note

The script must run in zsh (default on macOS). Using bash or sh will cause errors.

Interactive mode:

sudo ./build/cis_lvl1_macos_26.0/cis_lvl1_macos_26.0_compliance.sh

Automated mode:

Flag	What it does
--check	Run checks only
--fix	Run fixes only
--cfc	Check → Fix → Check
--stats	Show last run statistics
--compliant	Report compliant count
--non_compliant	Report non-compliant count
--reset	Clear results for this baseline
--reset-all	Clear results for all baselines
--quiet=1	Show failed/exempt only
--quiet=2	Minimal output

# Quick check
sudo ./build/cis_lvl1_macos_26.0/cis_lvl1_macos_26.0_compliance.sh --check

# Full remediation
sudo ./build/cis_lvl1_macos_26.0/cis_lvl1_macos_26.0_compliance.sh --cfc --quiet=2

---

Script Reference

mscp.py baseline — Creates the baseline YAML file.

Flag	Purpose
-l	List available baselines
-k NAME	Generate baseline
-t	Interactive tailoring
-c	Show 800-53 controls
--os_name	Target OS name
--os_version	Target OS version

mscp.py guidance — Generates all outputs from a baseline.

Flag	Purpose
-A	All outputs
-s	Compliance script
-p	Config profiles
--consolidated-profile	Single consolidated profile
--granular-profiles	Granular profiles
-d	DDM components
-x	Excel file
-m	Markdown
-l LOGO	Custom logo
-L LANG	Language
-H HASH	Sign profiles
--audit_name NAME	Custom audit name
--reference REF	Custom reference ID
--dark	Dark mode output

mscp.py scap — Generates SCAP/OVAL content.

Flag	Purpose
-x	XCCDF file
-o	OVAL file
-b NAME	Specific baseline
-l	List tags

mscp.py mapping — Generates control mappings.

---

Common Workflows

Compliance Check — Scan a Mac for compliance issues:

./mscp.py baseline -k 800-53r5_moderate
./mscp.py guidance custom/baselines/800-53r5_moderate_macos_26.0.yaml -s
sudo ./build/800-53r5_moderate_macos_26.0/800-53r5_moderate_macos_26.0_compliance.sh --check

MDM Deployment Package — Generate profiles and DDM for device management:

./mscp.py baseline -k DISA-STIG
./mscp.py guidance custom/baselines/DISA-STIG_macos_26.0.yaml -p -d -s

Full Documentation Set — Create all outputs for documentation and audit:

./mscp.py baseline -k cis_lvl2
./mscp.py guidance custom/baselines/cis_lvl2_macos_26.0.yaml -A

mSCP 1.0

Always Use the Correct Branch

Each macOS version has its own branch (sequoia, sonoma, ventura, etc.). Never use the main branch — it won’t work for generating content.

Quick Start

Requirements:

• Python >= 3.12.1 (3.14 is not supported)
  • Recommended: Macadmins Python
• Ruby >= 3.4.4 (optional — for PDF output)

1. Clone & Checkout Branch

   git clone https://github.com/usnistgov/macos_security.git
   cd macos_security
   git checkout sequoia

   Replace sequoia with your target macOS version (sequoia, sonoma, ventura, etc.).

2. Install Dependencies

   # Create virtual environment
   python3 -m venv .venv
   source .venv/bin/activate
   
   # Install requirements
   pip3 install -r requirements.txt

   Ruby (optional — for PDF output):

   bundle install --binstubs --path mscp_gems

3. Generate a Baseline

   List baselines: ./scripts/generate_baseline.py -l

   Generate: ./scripts/generate_baseline.py -k BASELINE_NAME

   With tailoring: ./scripts/generate_baseline.py -k BASELINE_NAME -t

   # Example: Generate NIST 800-53 Moderate baseline
   ./scripts/generate_baseline.py -k 800-53r5_moderate

4. Generate Outputs

   Run generate_guidance.py with the flags you need:

   ./scripts/generate_guidance.py [flags] baselines/BASELINE_NAME.yaml

   Flag	Output
   (none)	Guidance docs (.adoc, .html, .pdf)
   -s	Compliance script
   -p	Configuration profiles (one per payload)
   -P	Single consolidated profile
   -D	DDM components
   -x	Excel spreadsheet

   Example — Generate all common outputs:

   ./scripts/generate_guidance.py -s -p -x baselines/800-53r5_moderate.yaml

5. Use Your Files

   Everything goes to build/BASELINE_NAME/:

   build/800-53r5_moderate/
   ├── 800-53r5_moderate.adoc
   ├── 800-53r5_moderate.html
   ├── 800-53r5_moderate.pdf
   ├── 800-53r5_moderate_compliance.sh
   ├── mobileconfigs/
   ├── preferences/
   ├── activations/    ← DDM (if -D used)
   ├── assets/
   └── configurations/

---

Running the Compliance Script

Note

The script must run in zsh (default on macOS). Using bash or sh will cause errors.

Interactive mode:

sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh

Automated mode:

Flag	What it does
--check	Run checks only
--fix	Run fixes only
--cfc	Check → Fix → Check
--stats	Show last run statistics
--compliant	Report compliant count
--non_compliant	Report non-compliant count
--reset	Clear results for this baseline
--reset-all	Clear results for all baselines
--quiet=1	Show failed/exempt only
--quiet=2	Minimal output

# Quick check
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh --check

# Full remediation
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh --cfc --quiet=2

---

Available Baselines

Example baselines (may vary by branch):

Framework	Baseline Name
NIST 800-53 Rev 5	800-53r5_high, 800-53r5_moderate, 800-53r5_low
NIST 800-171	800-171
DISA STIG	DISA-STIG
CIS Benchmarks	cis_lvl1, cis_lvl2, cisv8
CMMC 2.0	cmmc_lvl1, cmmc_lvl2
CNSSI 1253	cnssi-1253_high, cnssi-1253_moderate, cnssi-1253_low
All Rules	all_rules

---

Script Reference

generate_baseline.py — Creates the baseline YAML file.

Flag	Purpose
-l	List available baselines
-k NAME	Generate baseline
-t	Interactive tailoring
-c	Show 800-53 controls

generate_guidance.py — Generates all outputs from a baseline.

Flag	Purpose
-s	Compliance script
-p	Config profiles
-P	Consolidated profile
-D	DDM components
-x	Excel file
-l LOGO	Custom logo
-H HASH	Sign profiles
-a NAME	Custom audit name
-r REF	Custom reference ID

generate_scap.py — Generates SCAP/OVAL content for compliance scanning tools.

Flag	Purpose
-x	XCCDF file
-o	OVAL file
-b NAME	Specific baseline
-d FILE	Include DISA STIG references from file
-l	List tags

---

Common Workflows

Compliance Check — Scan a Mac for compliance issues:

./scripts/generate_baseline.py -k 800-53r5_moderate
./scripts/generate_guidance.py -s baselines/800-53r5_moderate.yaml
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh --check

MDM Deployment Package — Generate profiles and DDM for device management:

./scripts/generate_baseline.py -k DISA-STIG -t
./scripts/generate_guidance.py -p -D -s build/baselines/DISA-STIG.yaml

Full Documentation Set — Create all outputs for documentation and audit:

./scripts/generate_baseline.py -k cis_lvl2
./scripts/generate_guidance.py -s -p -x baselines/cis_lvl2.yaml

---

Learn More

Baselines Learn what baselines are, how to generate them, and how to tailor them for your organization.

Guidance Generate HTML, PDF, and other documentation from your baseline.

Configuration Profiles Create and deploy configuration profiles via MDM.

Compliance Scripts Scan Macs against your baseline and remediate non-compliant settings.

DDM Components Generate Declarative Device Management components for modern MDM workflows.

Personalization Customize rules, tailor baselines, and exempt rules for your organization.

Repository Reference Explore the directory layout, rule files, and script arguments.

mSCP 2.0 Overview Learn about the new unified architecture and what's changed in mSCP 2.0.