Build
Generate deployment-ready artifacts from your compliance baseline.
Scripts, configuration profiles, DDM declarations, and more with a single build operation.
What Does Build Do?
When you click Build, MACE takes all your enabled compliance rules and generates files you can actually deploy to your Macs. Think of it like compiling code: you've configured your rules, now MACE creates the deliverables.
These deliverables fall into several categories:
Scripts
Shell scripts that run on Macs to check compliance status and fix non-compliant settings. Your MDM runs these scripts and reports results back.
Configuration Profiles
XML files that configure Mac settings automatically. Your MDM pushes these to devices and macOS applies the settings. No scripts needed.
DDM Declarations
Apple's modern management format. The device enforces settings autonomously instead of waiting for MDM commands.
Supporting Files
CSV exports, audit plists, and baseline files for documentation, tracking, and compatibility with other tools.
Why You Need All Three
A complete security baseline requires a combination of scripts, configuration profiles, and DDM. No single method can enforce everything.
Why not just use one?
Scripts alone won't work because some settings can only be enforced by macOS through profiles. A script can enable the firewall, but a user could disable it afterward. A profile locks it so they can't.
Profiles alone won't work because Apple doesn't provide profile payloads for every security setting. Many settings (like checking SIP status or audit configurations) have no profile equivalent and must be checked via script.
DDM alone won't work because it's newer (macOS 13+), not all MDMs fully support it, and not all settings have DDM declarations yet.
The solution: MACE generates all three from the same rule set. Each rule knows whether it needs a script, a profile, DDM, or a combination. When you build, MACE creates the right output for each rule automatically.
Understanding the Output Types
Scripts vs Profiles: What's the Difference?
This is one of the most important concepts to understand:
🔍 Scripts Check & Fix
Scripts run commands on the Mac. They can read current settings, compare against expected values, and execute fixes. Scripts are flexible but require the MDM to trigger them.
Example: A script runs defaults read to check if the firewall is enabled, then runs socketfilterfw --setglobalstate on to enable it if not.
⚙️ Profiles Configure
Profiles declare settings that macOS enforces automatically. Once installed, the Mac maintains those settings. Users often can't change them.
Example: A profile declares askForPassword = true for the screensaver. macOS enforces this setting and grays out the checkbox in System Settings.
When to use which?
- Profiles are preferred when available because they're enforced by macOS itself
- Scripts are needed when there's no profile payload for that setting, or when you need to check/report compliance status
- Most deployments use both: profiles to enforce settings, scripts to audit and fix what profiles can't handle
Why Multiple Profile Formats?
Different MDM solutions expect different file formats:
| 📱 | .mobileconfig | Standard Apple format. Works with any MDM and can be installed manually. |
| 🟢 | .plist (Jamf) | Jamf Pro's Custom Settings payload expects this format for preference domains. |
| 🔵 | .xml (Intune) | Microsoft Intune uses a specific XML schema for custom macOS settings. |
Build Pipeline
When you click Build, MACE processes your rules through these phases:
Build Options
Script Options
Master toggle for script generation. When enabled, MACE creates shell scripts from the check and fix commands defined in your rules.
Adds the check/audit commands to your script. These verify whether each setting is compliant and report pass/fail status.
Adds the fix commands to your script. These apply the correct settings when a check fails.
Creates individual scripts formatted for your MDM's extension attribute feature. These let your MDM collect compliance data and display it in device inventory.
Combined: One script containing all rules. Easier to manage and run everything at once.
Individual: Separate script per rule. Useful when you need to deploy specific checks to your MDM.
Profile Options
Creates one .mobileconfig file containing all payloads merged together. Simpler to deploy with just one profile to push to all devices.
Creates separate .mobileconfig files grouped by PayloadType (e.g., one for screensaver settings, one for firewall). Useful when you want granular control or need to scope different settings to different device groups.
Generates .plist files for Jamf Pro's Custom Settings payload. Use these when configuring preference domains in Jamf.
Generates .xml files formatted for Microsoft Intune's custom profile format.
Digitally signs profiles using a certificate from your Keychain. Signed profiles show as "Verified" when installed and can't be modified after deployment. Required by some organizations for security.
Other Options
Creates Declarative Device Management declarations. Apple's modern management format where the device enforces settings autonomously. Requires macOS 13+ and MDM support.
Exports all rules to a spreadsheet. Includes rule IDs, titles, check/fix commands, and all framework references (NIST, DISA, CIS). Great for documentation, auditor reviews, or importing into other systems.
Creates a preferences file that tracks which rules have exemptions. The compliance script reads this to skip rules you've marked as exempt for specific reasons.
Creates a YAML file compatible with the original mSCP Python scripts. Use this if you need to work with mSCP's generate_guidance.py or other mSCP tools.
Author Settings
Your name and organization appear in generated files including script headers, profile metadata, and documentation. Helps identify who created this baseline.
Removes MACE attribution from generated files if your organization prefers unbranded outputs.
Output Directory Structure
After building, you'll find these files organized in your project's build/ folder:
build/
├── {baseline}_compliance.sh # Main compliance script
├── {baseline}.mobileconfig # Combined configuration profile
├── org.{baseline}.audit.plist # Audit preferences (for exemptions)
├── org.{baseline}.audit.mobileconfig # Audit prefs as profile (for MDM)
├── {baseline}.csv # Spreadsheet export
├── {baseline}.yaml # mSCP-compatible baseline
├── README.md # Deployment instructions
├── scripts/ # Individual scripts (if enabled)
├── mobileconfigs/ # Individual profiles (if enabled)
├── plists/ # Jamf plist files (if enabled)
├── intune/ # Intune XML files (if enabled)
├── signed/ # Signed profiles (if enabled)
└── declarative/ # DDM declarations (if enabled)
├── activations/
├── assets/
└── configurations/
Build Engines
M.A.C.E. Build Engine
MACE's native Swift build engine. Fast, fully featured, and supports all customizations.
- Full ODV substitution
- All output formats
- Profile signing
- Custom rule support
mSCP Build Engine
Integration with the original mSCP Python scripts for organizations that need compatibility with existing workflows.
- Uses mSCP's generate_guidance.py
- (Planned for future release)
Starting a Build
Cmd+BWhat's Next?
After building, you need to deploy the generated files to your Macs. See these guides for detailed instructions:
- Scripts: How audit and remediation scripts work, and how to deploy them via MDM
- Configuration Profiles: How profiles enforce settings, and how to deploy them via MDM
- DDM Declarations: How Apple's declarative management works