Skip to main content

Assess macOS Security with cnspec

cnspec assesses your macOS assets for misconfigurations that put your organization at risk. You can evaluate a macOS asset for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

For a list of macOS resources you can test, read Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.


To test a macOS asset with cnspec, you must have:

Assess macOS security with policy-based scanning

The macOS Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental macOS security best practices.

To scan a local machine using the macOS Security by Mondoo policy, run:

cnspec scan

To scan a remote machine using the macOS Security by Mondoo policy, run:

cnspec scan ssh user@IP_ADDRESS

For IP_ADDRESS, substitute the IP address of the remote macOS asset.

cnspec finds the default policy for macOS and runs a scan based on that policy. It returns a report summarizing the scan results.

To learn more about the command, read cnspec scan.

You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.

Learn more

cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It’s also a great way to interact with both local and remote targets on the fly. To learn more, read Create Checks in cnspec Shell.