Skip to main content

App Signing Inspector 1.0, a macOS utility for inspecting app signatures and building macOS 27 DDM declarations

  • July 14, 2026
  • 1 reply
  • 57 views

Jerez1lla
Forum|alt.badge.img+2

Hi everyone,

I recently built a small native macOS utility called App Signing Inspector to make it easier to inspect applications and create application-execution declarations for the new macOS 27 Declarative Device Management controls.

I started working on it while testing the macOS 27 beta because gathering the correct signing information and manually building declaration JSON was becoming repetitive and easy to get wrong.

What it does

The Inspector lets you select a macOS .app bundle and displays information such as:

  • Bundle identifier
  • Application version and build
  • Executable path
  • Signing ID
  • Team ID
  • Signing authorities
  • Complete designated requirement
  • Hardened runtime status
  • Gatekeeper assessment
  • Locally reported notarization status
  • Apple Silicon, Intel, or Universal architecture classification

The separate Policy Builder lets you combine multiple applications and rules into a complete com.apple.configuration.app.settings declaration.

It currently supports:

  • Allow and deny rules
  • Signing ID and Team ID application rules
  • Developer-wide Team ID rules
  • Apple binary allowances using the documented *APPLE* value
  • Jamf developer-wide rules using a Team ID verified from a selected signed application
  • AlwaysAllowManagedApps
  • Optional PathPrefix values
  • Duplicate and redundancy warnings
  • JSON preview
  • Copying the declaration
  • Exporting the declaration as a JSON file
  • Automatic Identifier and ServerToken UUID generation

All inspection and declaration generation happens locally. The application does not upload app metadata, request Jamf credentials, or modify the applications being inspected.

Current limitations

Version 1.0 is focused on .app bundles. It does not currently provide:

  • Standalone executable inspection
  • Recursive inspection of embedded helpers, frameworks, or extensions
  • Importing or editing an existing declaration
  • Saved policy history
  • Direct upload to Jamf Blueprints
  • A signed and notarized prebuilt download

The macOS 27 application-execution declaration is also still based on beta documentation and behavior, so the supported schema may change before or after the final macOS release.

The project is currently distributed as source code through GitHub. It can be opened and built with Xcode on a compatible Mac. End users of a compiled build do not need Xcode or its command-line tools for normal inspection.

I would appreciate feedback from anyone testing the new DDM application controls, especially around additional rule combinations, uncommon signing configurations, or ways the Policy Builder could better fit real Jamf workflows.

GitHub: Jerez1lla/macos-app-signing-inspector

1 reply

thebrucecarter
Forum|alt.badge.img+16

Checking this out, sounds way cool!