NIST SP 800-219 macOS Security Compliance Project (mSCP) Guidance

Apple; baseline; configuration management; endpoint device security; macOS; macOS Security Compliance Project (mSCP); operating system security; security compliance.

This publication is available free of charge from:

Jamf Pro Extension Attributes for the mSCP (macOS Security Compliance project)

Checking out older versions

As per the Getting Started guide, to work locally first clone the repository and install the required Python 3 modules and Ruby gems:

Getting Started: from macOS Terminal
a. git clone
b. cd macos_security
c. pip3 install -r requirements.txt --user
d. bundle install

1. Older macOS Security releases from GitHub: this project is Catalina Guidance Revision 6

[Image: Git checkout (a100688) I am using to load the older Catalina STIG]

Follow these steps in Terminal
Link to updated-legacy Catalina resource(s).
1. Check out the Catalina commit so it overwrites the current (Monterey) resources locally:
git checkout a100688

git switch -c a100688
(the second command gives the detached checkout a local branch name so you can return to it later)


Baseline files are used for the creation of the guide, scripts, and mobileconfig files. Each baseline defines the associated controls which are used to meet a given security profile.

2. Generate STIG baseline:
If you want to create your own baseline or modify an existing one, the script found in the scripts folder will generate a {baseline}.yaml file containing all the rules that carry the provided tag (baseline). This {baseline}.yaml is required to run the guidance script.

Run this for the STIG:
sudo ./scripts/ -k stig

Usage:

python3 scripts/ -h
usage: [-h] [-c] [-k KEYWORD] [-l]

Given a keyword tag, generate a generic baseline.yaml file containing rules
with the tag.

optional arguments:
-h, --help show this help message and exit
-c, --controls Output the 800-53 controls covered by the rules.
-k KEYWORD, --keyword KEYWORD
Keyword tag to collect rules containing the tag.
-l, --list_tags List the available keyword tags to search for.

---- EOF Baselines


3. Generate STIG Mobile Configuration Profiles (-p)
sudo ./scripts/ -p build/baselines/stig.yaml

Generate code-signed STIG Mobile Configuration Profiles (-p -H), where -H takes the signing certificate's subject key ID hash value (placeholder below; -H needs its own argument before the baseline path):
sudo ./scripts/ -p -H SUBJECT_KEY_ID_HASH build/baselines/stig.yaml

python3 ./scripts/ -h
usage: [-h] [-l LOGO] [-p] [-r REFERENCE] [-s] [-x] [-H HASH] baseline

Given a baseline, create guidance documents and files.

positional arguments:
baseline Baseline YAML file used to create the guide.

optional arguments:
-h, --help show this help message and exit
-l LOGO, --logo LOGO Full path to logo file to be included in the guide.
-p, --profiles Generate configuration profiles for the rules.
Use the reference ID instead of rule ID for identification.
-s, --script Generate the compliance script for the rules.
-x, --xls Generate the excel (xls) document for the rules.
-H HASH, --hash HASH sign the configuration profiles with subject key ID (hash value without spaces)

4. Generate STIG Guidance Script (-s)
sudo ./scripts/ -s build/baselines/stig.yaml

The supplied macOS Security Compliance Project (mSCP) logo is a PNG (Portable Network Graphics, a raster-graphics file type) and is large, 1024×1024 pixels; also note to save your own logo in the more compressed, legacy-compatible PNG format available in your graphics program. I also had to experiment with reducing the sizes of the custom logos. To apply a new logo, pass -l followed by the path to your PNG file.
[Image: mSCP logo]

NOTE: VARIATION -> Generate STIG Guidance Script (-s), Excel file (-x) and Path to custom logo (-l)

./scripts/ -s -x -l /Users/username_here/Library/Application\ Support/macos_security/templates/images/YOURLogo_logo.png build/baselines/stig.yaml 

5. Generate STIG Rules Export to Excel
sudo ./scripts/ -x build/baselines/stig.yaml

Big Sur Guidance: (REPEAT STEPS 1-4 AFTER following this step)
git checkout 3903e57
– 3903e57

Monterey Guidance: (REPEAT STEPS 1-4 AFTER following this step)
git checkout e8cdc49
– e8cdc49

Undo the checkout of the older Catalina commit from the first steps above (switch back to the previous branch):
git switch -


Cloning older gits

Previous releases

Instructions for Generating DISA STIG Guidance – Catalina rev6

1. Downloaded
2. Saved to Desktop and unzipped:
cd ~/Desktop/macos_security-catalina_rev6/

3. Generate a baseline
sudo ./scripts/ -k stig
4. Generate Profiles
sudo ./scripts/ -p build/baselines/stig.yaml
5. Generate guidance
sudo ./scripts/ -s build/baselines/stig.yaml
6. Generate Excel guidance: Generate the excel (xls) document for the rules.
sudo ./scripts/ -x build/baselines/stig.yaml

IMPORTANT NOTES REGARDING editing the compliance script so it can be loaded into Jamf MDM:
remove everything after the line
echo "$(date -u) Remediation complete" >> "$audit_log"


Generate Oval Content

The generate oval script creates the OVAL checks required for SCAP generation. Link

python3 scripts/ -h
usage: [-h] baseline

Given a profile, create oval checks.

positional arguments:
baseline Baseline YAML file used to create the oval.

optional arguments:
-h, --help show this help message and exit

cd "/Users/USERFOLDER/Library/Application Support/macos_security/scripts"

Using it:
python3 scripts/ baselines/DISA-STIG.yaml

./ -j /Users/edarnold/Library/Application\ Support/macos_security/baselines/DISA-STIG.yaml

python3 ./ -j /Users/edarnold/Library/Application\ Support/macos_security/baselines/DISA-STIG.yaml

-------------- EOF Oval instructions

----------------- new code below

echo "$(date -u) Remediation complete" >> "$audit_log"

and add a case statement on $4 (Jamf Pro passes the policy's first script parameter as $4), ending with exit 0:
case "$4" in
    # one branch per mode here: --check) ... ;; and --fix) ... ;;
esac
exit 0

----------------- check fix

Then, in the Jamf policy where you add the script, set the script parameter to --check or --fix.
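The Jamf tail described above, written out as an added example (this is not the mSCP project's own code, nor the author's). It assumes two stand-in functions, run_scan and run_fix, in place of the check and remediation routines a generated compliance script defines; the mapping of --fix to "remediate, then re-scan" and the fail-closed handling of an unknown parameter are this example's choices:

```shell
#!/bin/bash
# Added example, not the mSCP project's own code. It shows the tail that can
# replace everything after the "Remediation complete" line of a generated
# compliance script so that a Jamf Pro policy selects the mode through its
# first script parameter, which Jamf passes as $4 ($1-$3 are reserved for the
# mount point, computer name and username).
#
# run_scan and run_fix are ASSUMED stand-ins for the check and remediation
# routines the generated script defines; here they only append to the audit
# log and report which routine ran, so the dispatch can be exercised anywhere.

audit_log="${audit_log:-${TMPDIR:-/tmp}/mscp_jamf_example.log}"

run_scan() {
    echo "$(date -u) Check complete" >> "$audit_log"
    echo "scan"
}

run_fix() {
    echo "$(date -u) Remediation complete" >> "$audit_log"
    echo "fix"
}

# Dispatch on the mode string. --fix re-runs the scan afterwards so the audit
# log reflects the post-remediation state (a design choice of this example).
# Anything else fails closed: no scan, no remediation, non-zero exit so the
# Jamf policy log shows the misconfiguration instead of a silent no-op.
mscp_mode() {
    case "$1" in
        --check) run_scan ;;
        --fix)   run_fix && run_scan ;;
        *)       echo "parameter 4 must be --check or --fix (got '$1')" >&2
                 return 2 ;;
    esac
}

# Entry point as Jamf runs the script. Guarded on $4 being set so the functions
# above can also be sourced into a shell for testing without dispatching.
if [ -n "${4:-}" ]; then
    mscp_mode "$4"
    exit $?
fi
```

With parameter 4 of the Jamf policy set to --check the script only audits; with --fix it remediates and then audits again. Leaving the parameter empty or misspelling it does nothing and exits non-zero, which surfaces in the policy log rather than silently skipping the run.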

