Build, customize, audit, and deploy macOS security baselines — no command line required.
- About
- Why MACE?
- Quick Start
- Screenshots
- Features
- Build Capabilities
- Documentation Hub
- Audit & Verification
- Import & Integration
- Status
- Upcoming Features
- Community & Feedback
- Credits
M.A.C.E. (macOS Advanced Compliance Editor) is a native macOS app that simplifies compliance baseline creation, customization, auditing, and deployment using NIST's mSCP 2.0.
The problem: Compliance folks need better tools. The mSCP project is fantastic, but for those of us who are less command-line savvy, customizing baselines can be intimidating. We needed something that makes compliance simple and customizable — without requiring scripting knowledge.
The solution: M.A.C.E. fills that gap. This is my first app, and I have a lot to learn, but I'm building what I've needed for years: a tool that puts powerful compliance capabilities in a visual, approachable interface. The community decides where it goes next.
Built for:
- macOS Security Administrators
- Compliance Officers & IT Audit Teams
- MDM Administrators (Jamf, Workspace ONE, Intune)
- Government & Enterprise Security Teams
| Feature | Description |
|---|---|
| No command line required | Visual interface for creating and managing compliance baselines |
| Native macOS app | Built with SwiftUI for a fast, responsive experience |
| Dual build engines | Native MACE engine and official mSCP Python scripts |
| All-in-one workflow | Create, customize, audit, document, and export from a single app |
| MDM-ready exports | Generate deployment-ready profiles for Jamf, Workspace ONE, Intune, and more |
| Direct MDM upload | Upload profiles, scripts, and extension attributes straight to Jamf Pro, Workspace ONE, or Intune |
| Free & open source | Community-driven development with no licensing fees |
- Download the latest release
- Create a new project and select your compliance framework
- Customize rules to fit your organization's needs
- Build scripts and configuration profiles for deployment
- Audit your Mac and export compliance reports
- Main menu & project dashboard
- Compliance editor & rule hub
- Build hub & artifact generation
- Audit results & compliance dashboard
- Documentation generation options
- Rule builder with YAML preview
View sample audit outputs generated by M.A.C.E.:
New project wizard — select platform, version, and compliance framework
- Create compliance projects for macOS, iOS/iPadOS, and visionOS
- Open and manage existing projects (.macefile format)
- Import Jamf Compliance Editor (.jce) files with auto-detected platform, version, and framework
- Import mSCP 1.0 baselines
- Duplicate existing projects
- Recent projects list for quick access
- Platform and compliance framework selection wizard
- Automatic project saving with unsaved changes detection
- Three-panel interface: Sections sidebar, searchable rule list, and detailed editor
- Browse 500+ security rules organized by section
- Search, filter, and sort by:
  - Compliance framework (STIG, CIS, NIST, etc.)
  - Section/category
  - Tags and metadata
  - Modification status (modified vs. baseline)
  - Enabled/disabled status
- Sort modes: Title, Rule ID, Section, Included status, Modified status, or STIG/CIS ID (ascending/descending)
- "Show All" mode to view all available rules regardless of framework
- Hide disabled rules toggle
- Search within rule details across all fields
- Keyboard shortcuts for power users (Space bar to toggle rules)
- Edit all rule fields:
  - Discussion, check criteria, and remediation instructions
  - References and citations (NIST, DISA, CIS)
  - Tags and metadata
  - Mobile configuration payloads
  - DDM (Declarative Device Management) declarations
  - Organizational Defined Values (ODVs) with type hints, validation, and constraints
  - Shell scripts for fixes
  - Platform compatibility
- Disable/enable rules with custom justification text
- Include/exclude rules from baselines
- Flag rules for review with comments
- Track customizations with visual modification indicators and color-coded status
- Side-by-side comparison: baseline vs. custom rule versions
- Automatic YAML structure preservation
- Create custom security rules from templates
- Edit standalone rule YAML files
- Full validation of rule ID and structure
- Section/category assignment, tags, references, mobileconfig, DDM, and ODV support
Rule update detection with change summary
- Check for rule updates from the mSCP repository
- Detect updated, new, and removed rules with detailed change reports
- Auto-download latest rules from GitHub on app launch (configurable)
- Batch update management with framework filtering
Settings — general, appearance, and advanced options
- Light, Dark, and System theme support
- 13+ seasonal and holiday app icons (automatically switch by date)
- Auto-save functionality
- Display settings memory (remember preferences across all hubs)
- Release channel selection: Alpha, Beta, Stable
- Application logging console with real-time logs, export, and log levels
- Advanced options: clear cache, reset Python/Ruby environments, open data folder
| Output | Description |
|---|---|
| Audit Scripts | Shell scripts for compliance checking |
| Remediation Scripts | Shell scripts to fix non-compliant settings |
| Extension Attributes | Scripts for Jamf Pro and other MDMs |
| Format | Use Case |
|---|---|
| `.mobileconfig` | Apple Configuration Profiles (combined or individual) |
| Plist | Jamf Pro Custom Settings |
| XML | Microsoft Intune |
| Signed Profiles | Digital signature support with certificate verification |
- Generate DDM declarations and artifacts
- Support for Apple's modern management APIs
- Service path configuration for system services
| Format | Description |
|---|---|
| Shell Scripts | Combined or individual audit/remediation scripts |
| `.mobileconfig` | Combined or individual Apple Configuration Profiles |
| DDM JSON | Declarative Device Management declarations |
| Plist / XML | Jamf Pro and Intune configuration formats |
| Excel / CSV | Spreadsheet export for analysis |
| Audit Plist | Audit preference files for system scanning |
| Baseline YAML | Updated baseline file |
| README | Auto-generated build information |
- M.A.C.E. Build Engine: Native Swift engine with full customization and advanced output options
- mSCP Build Engine: Official NIST Python scripts with real-time output monitoring and progress tracking
| Target | Description |
|---|---|
| Local | Generate files for local deployment |
| Jamf Pro | Upload profiles, scripts, and extension attributes directly (Basic Auth & OAuth) |
| Workspace ONE | Upload profiles, scripts, and sensors directly (Basic Auth, OAuth2 & Token) |
| Microsoft Intune | Upload profiles, scripts, and custom attributes directly (Tenant/Client auth) |
| Kandji | Profile and script export (coming soon) |
| Mosyle | Configuration push (coming soon) |
- Configurable output options per artifact type
- Author metadata, organization name, and baseline versioning
- Custom output directory selection
- Profile signing with certificate verification
- Jamf Pro category creation and assignment
- Workspace ONE organization group selection and region configuration
- Intune tenant and client credential configuration
| Type | Description |
|---|---|
| Compliance Guide | Full documentation with discussions, check procedures, and remediation steps |
| Technical Reference | Technical details, scripts, commands, and configuration examples |
| Executive Summary | High-level overview suitable for management with key metrics |
| Format | Description |
|---|---|
| | Styled documents with headers, footers, table of contents, and page breaks |
| HTML | Interactive web-ready reports with navigation and syntax highlighting |
| Excel | Workbooks with multiple sheets, formatted tables, and summary statistics |
- Configurable content: discussions, check procedures, remediation, references, platform info
- Author, organization, benchmark name, and timestamp metadata
- Both MACE and mSCP documentation engines available
- M.A.C.E. Audit Engine: Native Swift engine with advanced filtering and detailed result analysis
- mSCP Audit Engine: Official NIST Python scripts with real-time output monitoring
- Run automated compliance checks against your baseline
- Real-time progress tracking with live watch capability
- Status tracking: Pass, Fail, Error, Manual Review, Not Applicable
- Section-by-section compliance analysis
- User comments and notes on individual results
- Manual override capability for audit results
- Device metadata display (hostname, model, serial number, OS version)
- Privileged helper for system-level compliance checks
- Comprehensive summary dashboard with pass/fail counts and percentages
- Detailed rule-by-rule results with expected vs. actual output
- Color-coded status indicators
- Execution time per rule
| Format | Description |
|---|---|
| DISA STIG CKL | Compatible with STIG Viewer; automatic STIG ID mapping |
| CSV | Spreadsheet-friendly with summary statistics and device info |
| HTML | Interactive web-viewable reports with charts and navigation |
| | Professional documents with headers, summaries, and details |
| Excel (XLSX) | Formatted workbook with color coding and summary sheet |
| Format | Description |
|---|---|
| Jamf Compliance Editor (.jce) | Import JCE files with auto-detected platform, version, compliance framework, and rule exclusions |
| mSCP 1.0 Baselines | Import existing mSCP 1.0 baselines into M.A.C.E. projects |
- Upload configuration profiles, remediation scripts, and extension attributes directly to Jamf Pro
- Authentication via Basic Auth or OAuth
- Category creation and assignment
- Connection testing and duplicate handling
- Upload progress tracking
- Upload configuration profiles, scripts, and sensors directly to Workspace ONE
- Authentication via Basic Auth, OAuth2, or Token-based
- Region selection (North America, Europe, Asia-Pacific, China)
- Organization group discovery and selection
- Connection testing and upload progress tracking
- Upload configuration profiles, scripts, and custom attributes directly to Intune
- Authentication via Tenant ID, Client ID, and Client Secret
- Connection testing and upload progress tracking
In-app update dialog with changelog
- Background update checking with release channel selection (Alpha, Beta, Stable)
- Download progress tracking with signature verification
- Privileged helper for seamless installation
Alpha Release: This is an alpha release. Many features are still in development and some are disabled until ready. This release is for early adopters to preview progress and provide feedback.
Current Focus:
- Expanding MDM platform integrations (Kandji, Mosyle)
- Improving audit export accuracy for MDM platforms
- Adding mSCP 2.0 baseline import support
Known Limitations:
- Rules may not reflect the latest guidance until mSCP 2.0 is finalized
- Some export formats may have issues with specific MDM platforms (Intune, Jamf)
- Currently supports American English only
Feedback:
- Bug reports are welcome via GitHub Issues
- Feature suggestions and "nice to have" ideas help guide development
Website: Visit getmace.com for tutorials, usage guides, and the latest news.
- Import existing mSCP 2.0 baselines into M.A.C.E.
- Convert external configurations to projects
- Apply fixes directly from audit results
- Compare audits over time
- Track compliance history
- Kandji direct integration
- Mosyle direct integration
- Additional language support
- Visual and functional improvements across all features
M.A.C.E. is a community-driven project. I personally work with STIGs, so many features were built around that workflow, but I want this app to work for everyone. Whether you're using CIS, NIST 800-53, CMMC, or something else entirely, your input matters.
I'd love to hear from you:
- What compliance frameworks do you use?
- What features would make your workflow easier?
- What's missing or could be improved?
Open an issue, start a discussion, or visit getmace.com — your feedback directly shapes development.
Powered by NIST mSCP 2.0. Created by a Mac admin for the macOS admin community.