Build, customize, audit, and deploy macOS security baselines — no command line required.
Join us in #mace-app on Mac Admins Slack
M.A.C.E. (macOS Advanced Compliance Editor) is a native macOS app that simplifies compliance baseline creation, customization, auditing, and deployment using NIST's mSCP 2.0.
The problem: Compliance folks need better tools. The mSCP project is fantastic, but for those of us who are less command-line savvy, customizing baselines can be intimidating. We needed something that makes compliance simple and customizable — without requiring scripting knowledge.
The solution: M.A.C.E. fills that gap. This is my first app, and I have a lot to learn, but I'm building what I've needed for years: a tool that puts powerful compliance capabilities in a visual, approachable interface. The community decides where it goes next.
Built for:
- macOS Security Administrators
- Compliance Officers & IT Audit Teams
- MDM Administrators (Jamf, Workspace ONE, Intune)
- Government & Enterprise Security Teams
| Feature | Description |
|---|---|
| No command line required | Visual interface for creating and managing compliance baselines |
| Native macOS app | Built with SwiftUI for a fast, responsive experience |
| Dual build engines | Native MACE engine and official mSCP Python scripts |
| All-in-one workflow | Create, customize, audit, document, and export from a single app |
| MDM-ready exports | Generate deployment-ready profiles for Jamf, Workspace ONE, Intune, and more |
| Direct MDM upload | Upload profiles, scripts, and extension attributes straight to Jamf Pro, Workspace ONE, or Intune |
| Free to use | Community-driven development with no licensing fees (source code is not public — see Status) |
- Download the latest release
- Create a new project and select your compliance framework
- Customize rules to fit your organization's needs
- Build scripts and configuration profiles for deployment
- Audit your Mac and export compliance reports
Main menu & project dashboard
New project wizard — select platform, version, and compliance framework
- Create compliance projects for macOS, iOS/iPadOS, and visionOS
- Application platform (in testing) — build baselines for Chrome, Edge, and Firefox
- Open and manage existing projects (.macefile format)
- Import Jamf Compliance Editor (.jce) files with auto-detected platform, version, and framework
- Import mSCP 1.0 baselines (coming soon)
- Duplicate existing projects
- Recent projects list for quick access
- Platform and compliance framework selection wizard
- Automatic project saving with unsaved changes detection
Compliance editor & rule hub
- Three-panel interface: Sections sidebar, searchable rule list, and detailed editor
- Browse 500+ security rules organized by section
- Search, filter, and sort by:
  - Compliance framework (STIG, CIS, NIST, etc.)
  - Section/category
  - Tags and metadata
  - Modification status (modified vs. baseline)
  - Enabled/disabled status
- Sort modes: Title, Rule ID, Section, Included status, Modified status, Severity, or STIG/CIS ID (ascending/descending)
- "Show All" mode to view all available rules regardless of framework
- Hide disabled rules toggle
- Search within rule details across all fields
- Keyboard shortcuts for power users (Space bar to toggle rules)
- Edit all rule fields:
  - Discussion, check criteria, and remediation instructions
  - References and citations (NIST, DISA, CIS)
  - Tags and metadata
  - Mobile configuration payloads
  - DDM (Declarative Device Management) declarations
  - Organizational Defined Values (ODVs) with type hints, validation, and constraints
  - Shell scripts for fixes
  - Platform compatibility
- Disable/enable rules with custom justification text
- Include/exclude rules from baselines
- Flag rules for review with comments
- Track customizations with visual modification indicators and color-coded status
- Side-by-side comparison: baseline vs. custom rule versions
- Automatic YAML structure preservation
Rule builder with YAML preview
- Create custom security rules from templates
- Edit standalone rule YAML files
- Full validation of rule ID and structure
- Section/category assignment, tags, references, mobileconfig, DDM, and ODV support
Rule update detection with change summary
- Check for rule updates from the mSCP repository
- Detect updated, new, and removed rules with detailed change reports
- Auto-download latest rules from GitHub on app launch (configurable)
- Batch update management with framework filtering
Build hub & artifact generation
| Output | Description |
|---|---|
| Audit Scripts | Shell scripts for compliance checking |
| Remediation Scripts | Shell scripts to fix non-compliant settings |
| Extension Attributes | Scripts for Jamf Pro and other MDMs |
| Format | Use Case |
|---|---|
| .mobileconfig | Apple Configuration Profiles (combined or individual) |
| Plist | Jamf Pro Custom Settings |
| XML | Microsoft Intune |
| Signed Profiles | Digital signature support with certificate verification |
- Generate DDM declarations and artifacts
- Support for Apple's modern management APIs
- Service path configuration for system services
| Format | Description |
|---|---|
| Shell Scripts | Combined or individual audit/remediation scripts |
| .mobileconfig | Combined or individual Apple Configuration Profiles |
| DDM JSON | Declarative Device Management declarations |
| Plist / XML | Jamf Pro and Intune configuration formats |
| Excel / CSV | Spreadsheet export for analysis |
| Audit Plist | Audit preference files for system scanning |
| Baseline YAML | Updated baseline file |
| README | Auto-generated build information |
- M.A.C.E. Build Engine: Native Swift engine with full customization and advanced output options
- mSCP Build Engine: Official NIST Python scripts with real-time output monitoring and progress tracking (coming soon)
| Target | Description |
|---|---|
| Local | Generate files for local deployment |
| Jamf Pro | Upload profiles, scripts, and extension attributes directly (Basic Auth & OAuth) |
| Workspace ONE | Upload profiles, scripts, and sensors directly (Basic Auth, OAuth2 & Token) |
| Microsoft Intune | Upload profiles, scripts, and custom attributes directly (Tenant/Client auth) |
| Kandji | Profile and script export (coming soon) |
- Configurable output options per artifact type
- Author metadata, organization name, and baseline versioning
- Custom output directory selection
- Profile signing with certificate verification
- Jamf Pro category creation and assignment
- Workspace ONE organization group selection and region configuration
- Intune tenant and client credential configuration
- Upload configuration profiles, remediation scripts, and extension attributes directly to Jamf Pro
- Authentication via Basic Auth or OAuth
- Category creation and assignment
- Connection testing and duplicate handling
- Upload progress tracking
- Upload configuration profiles, scripts, and sensors directly to Workspace ONE
- Authentication via Basic Auth, OAuth2, or Token-based
- Region selection (North America, Europe, Asia-Pacific, China)
- Organization group discovery and selection
- Connection testing and upload progress tracking
- Upload configuration profiles, scripts, and custom attributes directly to Intune
- Authentication via Tenant ID, Client ID, and Client Secret
- Connection testing and upload progress tracking
| Format | Description |
|---|---|
| Jamf Compliance Editor (.jce) | Import JCE files with auto-detected platform, version, compliance framework, and rule exclusions |
| mSCP 1.0 Baselines | Import existing mSCP 1.0 baselines into M.A.C.E. projects (coming soon) |
Documentation generation options
| Type | Description |
|---|---|
| Compliance Guide | Full documentation with discussions, check procedures, and remediation steps |
| Technical Reference | Technical details, scripts, commands, and configuration examples |
| Executive Summary | High-level overview suitable for management with key metrics |
| Format | Description |
|---|---|
| PDF | Styled documents with headers, footers, table of contents, and page breaks |
| HTML | Interactive web-ready reports with navigation and syntax highlighting |
| Excel | Workbooks with multiple sheets, formatted tables, and summary statistics |
| Markdown | Portable plain-text format for version control and wiki integration |
- Configurable content: discussions, check procedures, remediation, references, platform info
- Author, organization, benchmark name, and timestamp metadata
- Both MACE and mSCP documentation engines available
Click any preview below to download the sample file and open it locally. GitHub limits in-browser viewing of HTML and Excel files, so downloading is the best way to see the full output.
Sample previews: PDF document, HTML document, Excel document, Markdown document.
Audit results & compliance dashboard
- M.A.C.E. Audit Engine: Native Swift engine with advanced filtering and detailed result analysis
- mSCP Audit Engine: Official NIST Python scripts with real-time output monitoring
- Run automated compliance checks against your baseline
- Real-time progress tracking with live watch capability
- Status tracking: Pass, Fail, Error, Manual Review, Not Applicable
- Section-by-section compliance analysis
- User comments and notes on individual results
- Manual override capability for audit results
- Device metadata display (hostname, model, serial number, OS version)
- Privileged helper for system-level compliance checks
- Comprehensive summary dashboard with pass/fail counts and percentages
- Detailed rule-by-rule results with expected vs. actual output
- Color-coded status indicators
- Execution time per rule
| Format | Description |
|---|---|
| DISA STIG CKL | Compatible with STIG Viewer; automatic STIG ID mapping |
| CSV | Spreadsheet-friendly with summary statistics and device info |
| HTML | Interactive web-viewable reports with charts and navigation |
| PDF | Professional documents with headers, summaries, and details |
| Excel (XLSX) | Formatted workbook with color coding and summary sheet |
Click any preview below to download the sample file and open it locally. GitHub limits in-browser viewing of HTML and CSV files, so downloading is the best way to see the full output.
Sample previews: PDF report, HTML report, CSV report, Excel report.
Settings — general, appearance, and advanced options
- Light, Dark, and System theme support
- 40+ seasonal, holiday, and character app icons (automatically switch by date)
- Auto-save functionality
- Display settings memory (remember preferences across all hubs)
- Release channel selection: Alpha, Beta, Stable
- Application logging console with real-time logs, export, and log levels
- Advanced options: clear cache, reset Python/Ruby environments, open data folder
In-app update dialog with changelog
- Background update checking with release channel selection (Alpha, Beta, Stable)
- Download progress tracking with signature verification
- Privileged helper for seamless installation
Beta Release: This is a beta release. Core features are stable and ready for real-world use, but some features are still being refined based on community feedback.
Source Code Availability: The full source code for M.A.C.E. is not public. This repository hosts releases, documentation, and issue tracking only. Development is limited to a smaller group involved with the macOS Security Compliance Project while mSCP 2.0 is still evolving — keeping things more controlled helps avoid introducing issues while the tooling and underlying data are still changing. Security is also the priority from the start given how closely the tool interacts with compliance workflows.
Why open sourcing isn't a simple "yes": Many high compliance environments — federal, defense, and other regulated sectors — operate under policies that restrict or prohibit open source software for security-critical workflows. These organizations represent a significant portion of M.A.C.E.'s user base and are precisely the audience the tool was built to serve. Releasing the source publicly could cut off access for the very users who need it most.
Open sourcing is being actively considered, but it is not a guarantee. The decision depends on how mSCP 2.0 stabilizes, the security posture of the codebase, and whether it can be done without losing the high compliance users this tool was built for. This README will be updated if anything changes.
Current Focus:
- Expanding MDM platform integrations (Kandji)
- Improving audit export accuracy for MDM platforms
Known Limitations:
- Rules may not reflect the latest guidance until mSCP 2.0 is finalized
- Some export formats may have issues with specific MDM platforms (Intune, Jamf)
- Currently supports American English only
- Source code is not publicly available, and may not be in the future (see note above)
Feedback:
- Bug reports are welcome via GitHub Issues
- Feature suggestions and "nice to have" ideas help guide development
Website: Visit getmace.com for tutorials, usage guides, and the latest news.
- Convert external configurations to projects
- Apply fixes directly from audit results
- Compare audits over time
- Track compliance history
- Kandji direct integration
- Additional language support
- Visual and functional improvements across all features
M.A.C.E. is a community-driven project. I personally work with STIGs, so many features were built around that workflow, but I want this app to work for everyone. Whether you're using CIS, NIST 800-53, CMMC, or something else entirely, your input matters.
Note: While community feedback drives the roadmap, the source code is not public and may remain that way. See Status for context. Bug reports, feature requests, and discussion are still very welcome via the channels below.
I'd love to hear from you:
- What compliance frameworks do you use?
- What features would make your workflow easier?
- What's missing or could be improved?
Join the conversation on Slack: Chat with other MACE users, share tips, and get help in the #mace-app channel on the Mac Admins Slack.
Open an issue, start a discussion, or visit getmace.com — your feedback directly shapes development.
Powered by NIST mSCP 2.0. Created by a Mac admin for the macOS admin community.