Custom Rules
Create your own compliance rules using the mSCP YAML format.
Custom rules integrate with baseline rules and work with Audit, Build, and Documentation.
Why Create Custom Rules?
Enforce settings unique to your environment that aren't covered by standard baselines.
Codify your security team's requirements into auditable, enforceable rules.
Check settings for applications not covered by mSCP baselines.
Address controls not covered by existing NIST, CIS, or STIG baselines.
Custom Rules vs Customizing Rules
Customizing Rules means modifying existing mSCP rules (change ODVs, edit scripts, adjust expected values). See Customizing Rules.
Custom Rules means creating entirely new rules that don't exist in any baseline.
Rule Builder Hub
The Rule Builder Hub provides a guided interface for creating mSCP-compliant security rules.
Rule Builder Interface
Define the rule's identity with Category (sets the ID prefix), Rule ID, Title, and Discussion. Required fields are clearly marked.
Select target platforms (macOS, iOS/iPadOS), versions (26.0, 15.0, 14.0), and compliance benchmarks (CIS Level 1, CIS Level 2, DISA STIG). References are auto-generated based on your selections.
Live preview shows the generated YAML as you fill in fields. Copy the YAML or verify the structure before saving.
Where Custom Rules Live
Custom rules are saved in your project's custom/rules/ folder:
YourProject.maceproj
└── custom/
└── rules/
├── os/ ← Organize by category
│ └── os_my_rule.yaml
└── my_other_rule.yaml ← Or use flat structure
The Rule Builder automatically saves rules to this folder when you click Save Rule.
Place rules in subfolders matching section names (audit/, os/, pwpolicy/, etc.) or use a flat structure.
Custom rules are never overwritten when you update mSCP baseline rules.
Copy the custom/rules/ folder to share rules between projects or team members.
What Custom Rules Can Do
Custom rules have the same capabilities as baseline rules:
| 🔍 | Check commands | Verify compliance with shell scripts |
| 🔧 | Fix commands | Remediate non-compliant settings |
| 📱 | Configuration profiles | Deploy via MDM with mobileconfig |
| 📲 | DDM declarations | Use Declarative Device Management |
| 🔢 | ODV support | Define organization-specific values |
| 🔗 | References | Link to NIST, CIS, DISA standards |
Custom Rules in the UI
Custom rules are visually identified in the Compliance Editor:
| 🔧 | Custom Rule Icon | Wrench icon identifies rules you created |
| + | New Rule Status | Plus sign shows newly created rules |
| ✏️ | Editable | Custom rules can be modified or deleted |
Compatibility
Custom rules use the standard mSCP YAML format. This means your custom rules are:
| ✅ | Compatible with mSCP | Can be used directly with the mSCP project |
| ✅ | Shareable | Share with other MACE or mSCP users |
| ✅ | Version controlled | Track changes with git |