You were compliant yesterday – but are you today?

Using third-party libraries, including open-source projects can significantly boost product delivery: reduce required development efforts, shorten time to market, get early revenue. When it comes to keeping pace with updates to prevent exploits via disclosed vulnerabilities, a never-ending marathon is on.

What happens if your product relies on an open-source project for its core functionality? And even more — the core functionality requires you to adopt the latest changes as quickly as possible because your customers expect you to do so?

The compliance benchmarks capability has been available in Jamf Pro for two months already. It seamlessly integrates the macOS Security Compliance Project (mSCP) — an Apple recommended open-source project that translates various compliance baselines into specific script and configuration profile snippets — into the management console Mac admins use every day. This decreases the effort required to implement a baseline from weeks or months of manual work to literally minutes of easy-to-use UI workflows.

Deploy, monitor, remediate, report, review — repeat!

You can configure and deploy compliance benchmarks with Jamf Pro by using configuration profiles, scripts delivered via policies, extension attributes and smart computer groups. The journey isn't over here. It's just beginning; not only in terms of monitoring the compliance status of the entire fleet and remediating failing rules, but also in keeping up to date with the baseline itself. CIS, NIST and other standards are constantly evolving as the security and compliance space does.

If a rule is added, removed, or changed in a way that impact's the rule's enforcement or checks, mSCP gets published with a new revision in GitHub covering the specific update. We at Jamf are monitoring the repository and carefully review every new version. It undergoes internal validations from security and quality (functional) standpoints to make sure we always deliver capabilities that help our admins keep their fleet compliant to the latest standards, all while requiring minimal effort and granting them control over the process.

Update available

Typically taking no longer than couple of days for small regular changes, once the new mSCP version is verified internally, it gets enabled for general use in the compliance benchmarks capability. From that point on, any newly created benchmark is based on that source version of the open-source project. The more complex and common scenario comes with already deployed benchmarks, where the admins — and the auditors — expect compliance aligned with the latest set of rules.

Built on the principle of empowering IT teams to be more effective, the workflow for updating the existing benchmark to use the newest mSCP source data only takes a few clicks. Any deployed benchmark that requires an update is visually highlighted with the "Update available" label, and the same applies to the benchmark rules once its detail is opened. The admin is still in control of the process, as they can review the changed rules before they deploy them to the computers in scope. This workflow is not only simple, but also very similar to editing the benchmark rules manually, seamlessly loading the necessary mSCP changes for the admin automatically.

What comes tomorrow?

All aspects affecting compliance keep evolving — security, features, baselines, operating systems. The same must apply to the tools we provide to the customers that rely on us when implementing compliance standards into their organizations. We are constantly gathering feedback and enhancing product capabilities to address the most pressing needs.

The next big thing is expected when Apple releases macOS Tahoe and users start upgrading their computers, expecting to stay productive using the latest operating system. What do admins expect? To stay productive as well, while ensuring compliance of their fleet. So, look for the "Update available" label and follow the simple workflow to include macOS 26 in your existing compliance benchmarks using just a few clicks!