Build, customize, audit, and deploy macOS security baselines — no command line required.
- About
- Why MACE?
- Quick Start
- Screenshots
- Features
- Build Capabilities
- Documentation Hub
- Audit & Verification
- Import & Integration
- Status
- Upcoming Features
- Community & Feedback
- Credits
M.A.C.E. (macOS Advanced Compliance Editor) is a native macOS app that simplifies compliance baseline creation, customization, auditing, and deployment using NIST's mSCP 2.0.
The problem: Compliance folks need better tools. The mSCP project is fantastic, but for those of us who are less command-line savvy, customizing baselines can be intimidating. We needed something that makes compliance simple and customizable — without requiring scripting knowledge.
The solution: M.A.C.E. fills that gap. This is my first app, and I have a lot to learn, but I'm building what I've needed for years: a tool that puts powerful compliance capabilities in a visual, approachable interface. The community decides where it goes next.
Built for:
- macOS Security Administrators
- Compliance Officers & IT Audit Teams
- MDM Administrators (Jamf, Intune)
- Government & Enterprise Security Teams
| No command line required | Visual interface for creating and managing compliance baselines |
| Native macOS app | Built with SwiftUI for a fast, responsive experience |
| Dual build engines | Native MACE engine and official mSCP Python scripts |
| All-in-one workflow | Create, customize, audit, document, and export from a single app |
| MDM-ready exports | Generate deployment-ready profiles for Jamf, Intune, and more |
| Direct Jamf upload | Upload profiles, scripts, and extension attributes straight to Jamf Pro |
| Free & open source | Community-driven development with no licensing fees |
- Download the latest release
- Create a new project and select your compliance framework
- Customize rules to fit your organization's needs
- Build scripts and configuration profiles for deployment
- Audit your Mac and export compliance reports
Main menu & project dashboard |
Compliance editor & rule hub |
Build hub & artifact generation |
Audit results & compliance dashboard |
Documentation generation options |
Rule builder with YAML preview |
View sample audit outputs generated by M.A.C.E.:
New project wizard — select platform, version, and compliance framework
- Create compliance projects for macOS, iOS/iPadOS, and visionOS
- Open and manage existing projects (
.macefile format) - Import Jamf Compliance Editor (
.jce) files with auto-detected platform, version, and framework - Duplicate existing projects
- Recent projects list for quick access
- Platform and compliance framework selection wizard
- Automatic project saving with unsaved changes detection
- Three-panel interface: Sections sidebar, searchable rule list, and detailed editor
- Browse 500+ security rules organized by section
- Search, filter, and sort by:
- Compliance framework (STIG, CIS, NIST, etc.)
- Section/category
- Tags and metadata
- Modification status (modified vs. baseline)
- Enabled/disabled status
- Sort modes: Title, Rule ID, or Section (ascending/descending)
- "Show All" mode to view all available rules regardless of framework
- Hide disabled rules toggle
- Search within rule details across all fields
- Keyboard shortcuts for power users (Space bar to toggle rules)
- Edit all rule fields:
- Discussion, check criteria, and remediation instructions
- References and citations (NIST, DISA, CIS)
- Tags and metadata
- Mobile configuration payloads
- DDM (Declarative Device Management) declarations
- Organizational Defined Values (ODVs) with type hints, validation, and constraints
- Shell scripts for fixes
- Platform compatibility
- Disable/enable rules with custom justification text
- Include/exclude rules from baselines
- Track customizations with visual modification indicators and color-coded status
- Side-by-side comparison: baseline vs. custom rule versions
- Automatic YAML structure preservation
- Create custom security rules from templates
- Edit standalone rule YAML files
- Full validation of rule ID and structure
- Section/category assignment, tags, references, mobileconfig, DDM, and ODV support
Rule update detection with change summary
- Check for rule updates from the mSCP repository
- Detect updated, new, and removed rules with detailed change reports
- Auto-download latest rules from GitHub on app launch (configurable)
- Batch update management with framework filtering
Settings — general, appearance, and advanced options
- Light, Dark, and System theme support
- 13+ seasonal and holiday app icons (automatically switch by date)
- Auto-save functionality
- Display settings memory (remember preferences across all hubs)
- Release channel selection: Alpha, Beta, Stable
- Application logging console with real-time logs, export, and log levels
- Advanced options: clear cache, reset Python/Ruby environments, open data folder
| Output | Description |
|---|---|
| Audit Scripts | Shell scripts for compliance checking |
| Remediation Scripts | Shell scripts to fix non-compliant settings |
| Extension Attributes | Scripts for Jamf Pro and other MDMs |
| Format | Use Case |
|---|---|
.mobileconfig |
Apple Configuration Profiles (combined or individual) |
| Plist | Jamf Pro Custom Settings |
| XML | Microsoft Intune |
| Signed Profiles | Digital signature support with certificate verification |
- Generate DDM declarations and artifacts
- Support for Apple's modern management APIs
- Service path configuration for system services
| Format | Description |
|---|---|
| Shell Scripts | Combined or individual audit/remediation scripts |
.mobileconfig |
Combined or individual Apple Configuration Profiles |
| DDM JSON | Declarative Device Management declarations |
| Plist / XML | Jamf Pro and Intune configuration formats |
| Excel / CSV | Spreadsheet export for analysis |
| Audit Plist | Audit preference files for system scanning |
| Baseline YAML | Updated baseline file |
| README | Auto-generated build information |
- M.A.C.E. Build Engine: Native Swift engine with full customization and advanced output options
- mSCP Build Engine: Official NIST Python scripts with real-time output monitoring and progress tracking
| Target | Description |
|---|---|
| Local | Generate files for local deployment |
| Jamf Pro | Upload profiles, scripts, and extension attributes directly (Basic Auth & OAuth) |
| Microsoft Intune | Configuration profile export (coming soon) |
| Workspace ONE | Profile deployment (coming soon) |
| Kandji | Profile and script export (coming soon) |
| Mosyle | Configuration push (coming soon) |
- Configurable output options per artifact type
- Author metadata, organization name, and baseline versioning
- Custom output directory selection
- Profile signing with certificate verification
- Jamf Pro category creation and assignment
| Type | Description |
|---|---|
| Compliance Guide | Full documentation with discussions, check procedures, and remediation steps |
| Technical Reference | Technical details, scripts, commands, and configuration examples |
| Executive Summary | High-level overview suitable for management with key metrics |
| Format | Description |
|---|---|
| Styled documents with headers, footers, table of contents, and page breaks | |
| HTML | Interactive web-ready reports with navigation and syntax highlighting |
| Excel | Workbooks with multiple sheets, formatted tables, and summary statistics |
- Configurable content: discussions, check procedures, remediation, references, platform info
- Author, organization, benchmark name, and timestamp metadata
- Both MACE and mSCP documentation engines available
- M.A.C.E. Audit Engine: Native Swift engine with advanced filtering and detailed result analysis
- mSCP Audit Engine: Official NIST Python scripts with real-time output monitoring
- Run automated compliance checks against your baseline
- Real-time progress tracking with live watch capability
- Status tracking: Pass, Fail, Error, Manual Review, Not Applicable
- Section-by-section compliance analysis
- User comments and notes on individual results
- Manual override capability for audit results
- Device metadata display (hostname, model, serial number, OS version)
- Privileged helper for system-level compliance checks
- Comprehensive summary dashboard with pass/fail counts and percentages
- Detailed rule-by-rule results with expected vs. actual output
- Color-coded status indicators
- Execution time per rule
| Format | Description |
|---|---|
| DISA STIG CKL | Compatible with STIG Viewer; automatic STIG ID mapping |
| CSV | Spreadsheet-friendly with summary statistics and device info |
| HTML | Interactive web-viewable reports with charts and navigation |
| Professional documents with headers, summaries, and details | |
| Excel (XLSX) | Formatted workbook with color coding and summary sheet |
| Format | Description |
|---|---|
Jamf Compliance Editor (.jce) |
Import JCE files with auto-detected platform, version, compliance framework, and rule exclusions |
| mSCP Baselines | Import existing mSCP 1.0/2.0 baselines (coming soon) |
- Upload configuration profiles, remediation scripts, and extension attributes directly to Jamf Pro
- Authentication via Basic Auth or OAuth
- Category creation and assignment
- Connection testing and duplicate handling
- Upload progress tracking
In-app update dialog with changelog
- Background update checking with release channel selection (Alpha, Beta, Stable)
- Download progress tracking with signature verification
- Privileged helper for seamless installation
Alpha Release This is an alpha release. Many features are still in development and some are disabled until ready. This release is for early adopters to preview progress and provide feedback.
Current Focus:
- Expanding MDM platform integrations (Intune, Workspace ONE, Kandji, Mosyle)
- Improving audit export accuracy for MDM platforms
- Adding mSCP 1.0/2.0 baseline import support
Known Limitations:
- Rules may not reflect the latest guidance until mSCP 2.0 is finalized
- Some export formats may have issues with specific MDM platforms (Intune, Jamf)
- Currently supports American English only
Feedback:
- Bug reports are welcome via GitHub Issues
- Feature suggestions and "nice to have" ideas help guide development
Website: Visit getmace.com for tutorials, usage guides, and the latest news.
- Import existing mSCP 1.0/2.0 baselines into M.A.C.E.
- Convert external configurations to projects
- Apply fixes directly from audit results
- Compare audits over time
- Track compliance history
- Microsoft Intune direct integration
- Workspace ONE direct integration
- Kandji direct integration
- Mosyle direct integration
- Additional language support
- Visual and functional improvements across all features
M.A.C.E. is a community-driven project. I personally work with STIGs, so many features were built around that workflow but I want this app to work for everyone. Whether you're using CIS, NIST 800-53, CMMC, or something else entirely, your input matters.
I'd love to hear from you:
- What compliance frameworks do you use?
- What features would make your workflow easier?
- What's missing or could be improved?
Open an issue, start a discussion, or visit getmace.com — your feedback directly shapes development.
Powered by NIST mSCP 2.0. Created by a Mac admin for the macOS admin community.
Website • Download Latest Release • Report an Issue • Discussions
