CIS Script implementation for macOS 11 Big Sur

New Contributor

Hi all,

I have been tasked with bringing our Mac clients to 75% compliance with the CIS Level 1 benchmark for macOS 11. I am currently using the Jamf-provided scripts ( to automate rollout to our machines. When I run these scripts manually, the scripts more or less run as they should. However, when trying to roll these out via policy in Jamf, I am only getting around 53% compliance. This is set up in Jamf as a single policy containing the 3 scripts, which runs once per user per computer. For those who have used this script, did you run into a similar issue? I am using our in-house vulnerability scanning tool to check compliance.


Just a disclaimer, I am not the Mac admin for our organization, just a guy from security tasked with secure configuration. Hopefully someone here has encountered a similar issue and can help me out


Any help is appreciated. 


Valued Contributor II

Did you create extension attributes/smart groups (proper scoping)/policies /configuration profiles to compliment the scripts you're running?

For example, In order to maintain compliance you need to pipe the script results (CIS Benchmark compliance results) into extension attributes, then create smart groups predicated upon a computers extension attribute results, then scope policies/configuration profiles to the smart groups in order to remediate the machines.


Thats just one way to skin this cat.

Looking for a Jamf Managed Service Provider? Look no further than Rocketman

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

Are those required to do the actual remediation component of the scripts? From what I understood 2.5_Audit_List_Extension and 2.6_Audit_Count were only used for if you wanted to use smart groups to track non-compliant systems (I skipped this because we are using our vulnerability management tool for this task). 

Valued Contributor

I'm not saying it's perfectly ready for prime time. But the macOS Security Compliance Project is working on CIS compliance. You can check it out under the CIS branch.

I'll have to take a look at this. Thanks for the info.

New Contributor II

Just in case anyone is looking for this, go to this link to avoid the 404

is there some documentation on how to implement these benchmarks? I'm not a programmer by any stretch of the imagination and new to GH and managing Jamf Pro. I need to understand how I get what these GH repos are sharing into Jamf as a policy. I'm only used to the method of turning on the various config profiles, nothing with the scripting I see in GH. Any directional help would be greatly appreciated!

New Contributor

^^^ I'm in the same boat as you ReplicantJK - can anyone point to documentation/instructions?

Valued Contributor

@ReplicantJK @corydee There's a Getting Started on the Wiki

Also these two sessions will help some though a bit older

They're virtually the same presentation from 2020. 

On top of that if you are a member or can join the Mac Admins slack ( you can find help in #macos_security_compliance on the project.

This is a platform agnostic project (meant to be used with any MDM) so it will take a little tweaking to work within Jamf itself.