From Scripts to Clicks (CIS for macOS)

How to automate macOS compliance and replace scripts with Jamf Pro

Speakers:

• Henk Codfried, Mac Admin, UMC Utrecht
• Jan Voženílek, Senior Product Owner, Jamf
• Milind Patel, Director, Product Management, Jamf

At JNUC 2025, we showed how Jamf Pro now helps you turn complex security scripts into simple clicks. The new, built-in compliance benchmarks feature streamlines how you enforce and report on industry-standard baselines for your macOS fleet. This automated workflow removes the need for manual scripting and the standalone Jamf Compliance Editor, giving you a single, powerful tool to monitor, remediate and report on the security posture of your Mac computers.

Key points:

• From scripts to clicks: Replace cumbersome, manual compliance scripting with a fully automated, integrated Jamf Pro workflow.
• Audit-ready reporting: Generate audit-ready documentation for baselines like the Center for Internet Security (CIS) Benchmarks and National Institute of Standards and Technology (NIST) directly from the console.
• Continuous compliance: Continuously monitor and enforce your chosen security configurations to ensure your macOS fleet remains hardened and secure.

Why should you automate security benchmarks?

Automating security benchmarks hardens your macOS fleet against opportunistic threats, ensures you meet regulatory requirements and protects company reputation without sacrificing user productivity. For organizations in regulated industries, adhering to a benchmark is mandatory. For others, it is a critical best practice that closes security gaps and mitigates risk.

However, one size does not fit all. Effective compliance requires tailoring controls to fit your organization’s unique needs and user workflows. As Patel noted in the JNUC session, “It doesn’t matter if you have a super secure Mac or iPhone if users can’t be productive with them.” The goal is to establish a strong security posture that enables work, rather than hinders it. Automation through Jamf Pro allows you to set a strong foundation and then create targeted exceptions where needed, ensuring both security and productivity.

What is the evolution of macOS compliance at Jamf?

Administrators once relied on manual spreadsheets and custom scripts to audit and remediate their fleets—a time-consuming and error-prone process. The introduction of the macOS Security Compliance Project (mSCP) significantly streamlined these efforts by providing a community-driven set of scripts. From there, Jamf Protect introduced compliance visibility and dashboards, and the Jamf Compliance Editor provided a graphical user interface (GUI) for the mSCP. While each step was an improvement, the feedback was clear: customers wanted a single, consolidated workflow. As announced at last year’s JNUC and made generally available in June 2025, Jamf delivered by building Compliance Benchmarks directly into Jamf Pro, creating a fully automated, native experience.

How do you implement and manage compliance benchmarks in Jamf Pro?

You can create, audit and enforce industry-standard benchmarks like CIS and NIST in just a few clicks, directly within the Jamf Pro interface. The entire workflow is designed to be simple, fast and fully automated.

It’s a simple process:

ADVERTISEMENT

1. Create a benchmark: Navigate to the compliance benchmarks section in Jamf Pro. You can choose a baseline, such as CIS or NIST, and select whether to “Monitor only” or “Monitor and Enforce.”

2. Assign and deploy: Scope the benchmark to a target Smart Group. Jamf Pro automatically generates and deploys all the necessary configuration profiles, scripts and extension attributes.

3. Audit and report: Use the rule report to see the compliance status of your entire fleet. You can drill down into individual rules to see which devices are passing or failing and export the full report to a CSV file.

4. Generate documentation: For auditing purposes, you can generate comprehensive documentation that details your configuration for any given macOS version, ready to hand over to auditors and stakeholders.

This workflow replaces the need to manage scripts, configuration profiles and reporting separately, saving significant time and effort for endpoint security specialists and IT administrators.

What’s next for compliance benchmarks?

Jamf is expanding support to include more baselines, enhancing scoping capabilities, and preparing for future technologies like Declarative Device Management (DDM) and iOS support. The roadmap is shaped directly by customer feedback and the evolving security landscape.

Upcoming enhancements include:

• Expanded baseline support: Work is underway to add all remaining mSCP baselines, including DISA STIG, NIST and CMMC.
• Flexible scoping: Soon, you will be able to scope benchmarks to multiple groups at once, including static groups, for more granular control.
• Enhanced auditing: Change management logs are being improved to show exactly which administrator made a change, moving beyond the generic “Jamf Pro system” entry.
• Future-proofing: Integration with Blueprints and DDM is a key priority to align with the future of Apple device management. Support for iOS compliance benchmarks is also on the horizon.

Key takeaways

• Automation is here: Compliance Benchmarks in Jamf Pro automate the enforcement and reporting of security baselines for macOS.
• Consolidation is key: This feature integrates the functionality of mSCP, Jamf Compliance Editor, and Jamf Protect reporting into a single workflow inside Jamf Pro.
• Audit ready: Generate detailed compliance and auditing documentation with just a few clicks.
• The future is bright: The roadmap includes support for more benchmarks, iOS, and modern management technologies like DDM.