
Creating custom macOS security baselines with the macOS Security Compliance Project and Workspace ONE

Specific types of organizations are required to configure their endpoint security protocols in accordance with designated standards and benchmarks, such as those established by the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS). Some organizations choose to align with these standards simply because it’s good practice.

The macOS Security Compliance Project (mSCP) is an open-source tool that allows admins to create security profiles based on these well-defined standards, customize them based on their organization’s specific needs, and import them into Workspace ONE. By leveraging this integration, admins can streamline the deployment and management of their security profiles, solidifying the overall security posture of their macOS fleet.

Benefits of using mSCP

mSCP provides a comprehensive set of security guidelines based on the combined wisdom of industry best practices and Apple’s own security documentation. The tool ships supported baselines from the aforementioned NIST and CIS, plus the Defense Information Systems Agency (DISA) and the Committee on National Security Systems Instruction (CNSSI). By using mSCP, organizations can establish a baseline security configuration for their macOS devices that aligns with the standards these institutions have carefully constructed to protect against threats and vulnerabilities.

Two of the key benefits of mSCP are flexibility and reliability. Because admins can customize the baseline settings, it’s relatively easy to strike the right balance between higher levels of security and usability for their company’s specific needs. In terms of reliability, mSCP is regularly updated to reflect the latest security guidance from Apple, helping organizations stay ahead of emerging threats.

Enhancing deployment with Workspace ONE

Workspace ONE offers a seamless way to deploy and manage security profiles generated by mSCP. The profile upload functionality in Workspace ONE allows admins to upload the mSCP .mobileconfig profiles directly into the Workspace ONE console.

This integration simplifies the deployment process, allowing admins to apply security configurations to their macOS devices quickly and efficiently. Furthermore, Workspace ONE provides robust management capabilities, such as compliance checks and remote wipe, ensuring that devices remain secure throughout their lifecycle.

If you want to get started with this process right away, we have a resource on Tech Zone that can help you: Enforcing macOS Security Compliance Project Baselines: Workspace ONE Operational Tutorial.

[Figure: Workspace ONE mobileconfig Importer. Caption: Importing the .mobileconfig file]


In conclusion, leveraging the mSCP in conjunction with Workspace ONE can significantly enhance the security of your macOS fleet. By creating a security baseline based on industry best practices and seamlessly deploying it using Workspace ONE, organizations can better protect their macOS devices against a wide range of threats.
