Hi everyone,
I recently built a small native macOS utility called App Signing Inspector to make it easier to inspect applications and create application-execution declarations for the new macOS 27 Declarative Device Management controls.
I started working on it while testing the macOS 27 beta because gathering the correct signing information and manually building declaration JSON was becoming repetitive and easy to get wrong.
What it does
The Inspector lets you select a macOS .app bundle and displays information such as:
- Bundle identifier
- Application version and build
- Executable path
- Signing ID
- Team ID
- Signing authorities
- Complete designated requirement
- Hardened runtime status
- Gatekeeper assessment
- Locally reported notarization status
- Apple Silicon, Intel, or Universal architecture classification
The separate Policy Builder lets you combine multiple applications and rules into a complete com.apple.configuration.app.settings declaration.
It currently supports:
- Allow and deny rules
- Signing ID and Team ID application rules
- Developer-wide Team ID rules
- Apple binary allowances using the documented
*APPLE*value - Jamf developer-wide rules using a Team ID verified from a selected signed application
AlwaysAllowManagedApps- Optional
PathPrefixvalues - Duplicate and redundancy warnings
- JSON preview
- Copying the declaration
- Exporting the declaration as a JSON file
- Automatic Identifier and ServerToken UUID generation
All inspection and declaration generation happens locally. The application does not upload app metadata, request Jamf credentials, or modify the applications being inspected.
Current limitations
Version 1.0 is focused on .app bundles. It does not currently provide:
- Standalone executable inspection
- Recursive inspection of embedded helpers, frameworks, or extensions
- Importing or editing an existing declaration
- Saved policy history
- Direct upload to Jamf Blueprints
- A signed and notarized prebuilt download
The macOS 27 application-execution declaration is also still based on beta documentation and behavior, so the supported schema may change before or after the final macOS release.
The project is currently distributed as source code through GitHub. It can be opened and built with Xcode on a compatible Mac. End users of a compiled build do not need Xcode or its command-line tools for normal inspection.
I would appreciate feedback from anyone testing the new DDM application controls, especially around additional rule combinations, uncommon signing configurations, or ways the Policy Builder could better fit real Jamf workflows.
