Capabilities
The capabilities listed below are the ones that are currently actively supported by macOS Compliance Spotter.
Do you have an idea that would enrich macOS Compliance Spotter's capabilities or make it possible for you to adopt it? Feel free to send a feature request via the form available on the Introduction page.
General information | |
Execution frequency | • mCS is executed during installation and then, by default, automatically every day when the computer is awake • The interval between executions can be set anywhere from 1 hour to 30 days, and an execution can also be triggered manually |
Visibility modes | • The graphical user interface offers flexible visibility modes to align with how IT teams wish to inform end users • None: no interface is displayed • Informative: only notifications are displayed • Interactive: the complete interface is displayed |
User support | • The Help pane can display both a message and an image, with the message being localizable in multiple languages • The image displayed can either be a standard image or a QR code, which can be shown in any RGB color • When scanned from a mobile device, the QR code should either redirect to a support page or open a pre-filled email addressed to the support team; the pre-filled email includes a subject, a body, and optional information such as the computer name, serial number, model name, hardware UUID, and macOS version |
Native modules | |
Account statuses | • Accounts can be automatically promoted to admin accounts or demoted to standard accounts • By default, all accounts are demoted to standard accounts except those listed • The list of exceptions can include account and group names • Regular expressions (regex) can be used to define patterns for account names |
External modules | |
Bring your own scripts | • mCS can execute any script embedded in the Content package and referenced by its configuration profile • Each script configuration includes a timeout after which the script execution is interrupted • When the script terminates with a zero exit code, the Flight Recorder reports the display name and the string that the script sends to standard output enclosed within tags of any name, following the structure <tag>string</tag> • When the script terminates with a non-zero exit code, the Flight Recorder reports the display name and the exit code • When the script terminates due to a timeout, the Flight Recorder reports the display name along with the message « Timeout » |
Script tampering detection | • Scripts are automatically hashed, and the hashes are signed during the conversion of an mCS configuration file into a configuration profile • If the signature cannot be verified, the script is not executed and the Flight Recorder reports the display name along with the message « Unverified signature » |
Integrations | |
macOS Security Compliance Project (mSCP) | • mSCP aims to develop and maintain security guidance for organizations that must adhere to specific security compliance frameworks and policies • The integration enables IT Support to monitor the security posture of a Mac • The integration allows the application of one of the supported security baselines • The integration includes two optional steps: a compliance remediation and a compliance scan • The mSCP compliance report, which includes a compliance score, is displayed in the Landing pane and can be shared via Slack and Teams webhooks • The MDM-specific status message, as described in the following MDM-specific capabilities, can include the baseline name and the compliance score associated with the compliance scan |
Slack / Microsoft Teams | • mCS can report the successive statuses of a running workflow to a dedicated channel • Messages can be customized with strings, expected variables and emojis • This integration requires the implementation of Slack Incoming Webhooks, or a Teams workflow of the type « Post to a channel when a webhook request is received » |
FileWave specific capabilities | |
Custom fields | • The last execution date, status message, MDM-specific status message and mSCP compliance score can be uploaded to Custom fields via API calls for immediate reporting • These values are stored in the device’s inventory |
Jamf Pro specific capabilities | |
Extension attributes | • The last execution date, status message, MDM-specific status message and mSCP compliance score can be uploaded to Extension attributes via provided scripts, or API calls for immediate reporting (Jamf Pro API and Classic API) • mCS can request the Jamf Binary to generate a device inventory at the end of the workflow, making API calls optional for immediate reporting • These values, stored in the device’s inventory, may be used as criteria for Smart groups |
Microsoft Intune specific capabilities | |
Custom attributes and Extension attributes | • The last execution date, status message, MDM-specific status message and mSCP compliance score can be uploaded to Custom attributes via provided scripts, or to Extension attributes via API calls for immediate reporting (API Graph Beta) • Custom attributes are stored in the device details accessible in Microsoft Intune • Extension attributes are stored in the device details accessible in the Microsoft Entra admin center |
VMware Workspace ONE UEM specific capabilities | |
Custom attributes | • The last execution date, status message, MDM-specific status message and mSCP compliance score can be uploaded to Custom attributes via provided scripts, or API calls for immediate reporting (REST API) • These values are stored in the device’s inventory |
Software dependencies | |
Graphical user interface | • mCS relies on swiftDialog to provide a graphical user interface • swiftDialog is dynamically downloaded from its publisher’s website but can be encapsulated in the Content package if Internet connectivity is not available at the time of execution • mCS can revert to a lightweight AppleScript-only interface if swiftDialog integration is not available |
QR code generation | mCS relies on Libqrencode to generate the QR code that can be displayed in the Help pane |
Implementation | |
Localization | • mCS is fully localizable to match the preferred language of the logged-in user • The localization is mostly based on building a custom PO file from a template POT file • A PO file for the French language is provided |
Configuration | mCS is configured with one property list file; this file is received from the MDM as a Configuration profile and mCS waits for its reception before proceeding |
Content | • Content consists of the pictures, scripts and files used during the workflow, wrapped in a signed package • The Content package is installed from the MDM and mCS waits for its installation before proceeding |
Logs | • By default, mCS is executed silently and does not produce Logs • The production of Logs, used for information and debugging purposes and stored only locally on the device, must be explicitly requested |
Trust | • mCS is signed and notarized, so you can be confident that the software has been checked for malicious code • Agnosys can sign your mCS-Content package if necessary as part of a support action |
macOS support | mCS supports macOS 15 (Sequoia), macOS 14 (Sonoma), macOS 13 (Ventura), macOS 12 (Monterey), macOS 11 (Big Sur) and macOS 10.15 (Catalina) |
Processor support | mCS supports Apple silicon and Intel processors |
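
The reporting rules listed under "Bring your own scripts", as an added example that is not part of mCS or of the original page: a POSIX shell harness for checking a script locally before it is embedded in the Content package. The function name `report_for`, the requirement that the tagged string sits on one line, and the `exit code N` wording are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not mCS code: pre-flight check for a script destined for the
# Content package. It reproduces the three outcomes the page describes.
# Assumptions: timeout is given in seconds; tagged output sits on one line.

# report_for <script> <timeout-seconds>  -> prints what would be reported
report_for() {
    script=$1 limit=$2
    work=$(mktemp -d) || return 1

    # Run the candidate script, capturing standard output only.
    /bin/sh "$script" >"$work/out" 2>/dev/null &
    pid=$!

    # Watchdog: macOS ships no timeout(1), so arm our own. The marker file
    # distinguishes "killed by the watchdog" from any other non-zero exit.
    ( sleep "$limit" && : >"$work/timed_out" && kill -TERM "$pid" ) \
        >/dev/null 2>&1 &
    watchdog=$!

    rc=0
    wait "$pid" || rc=$?
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true

    if [ -e "$work/timed_out" ]; then
        result="Timeout"
    elif [ "$rc" -ne 0 ]; then
        result="exit code $rc"
    else
        # Zero exit: keep only the string enclosed in <tag>...</tag>. The tag
        # name is free-form, but the closing tag must match the opening one.
        result=$(sed -n 's/.*<\([A-Za-z0-9_-]\{1,\}\)>\(.*\)<\/\1>.*/\2/p' \
            "$work/out" | head -n 1)
        [ -n "$result" ] || result="(no tagged string on standard output)"
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Stand-alone use: ./preflight.sh <script> <timeout-seconds>
if [ "$#" -eq 2 ]; then
    report_for "$1" "$2"
fi
```

A script that exits zero without a tagged string is flagged by the harness so the omission is caught before deployment; how mCS itself handles that case is not stated on this page.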