Atlas project development

macOS Baseline Configurator (Compliance Pass)

Make device setup and ongoing compliance boring by reasserting baseline configuration silently. It ingests machine state and org policy (the desired state) and produces enforced configuration and compliance logs.

Type: Component
Lifecycle: Active
Last touched: 2025-11-11 (feature direction)
Visibility: Public
Why it's showcased

Represents idempotent compliance automation that keeps device baselines enforced without manual intervention.

Purpose

Make device setup and ongoing compliance boring by reasserting baseline configuration silently.

Current state

Requirements are defined for official silent installs and for default browser enforcement without third-party tooling.

Next step

Add a compliance report summary showing what was already compliant vs changed.

Interfaces

Inputs
  • machine state
  • org policy (desired state)
Outputs
  • enforced configuration
  • compliance logs

Reality to Action trace

Reality Ingestion

Not in scope.

Canonical Storage

Not in scope.

Automation Engines

Contributes in this stage.

Human Interfaces

Not in scope.

Operational Adoption

Contributes in this stage.

Core workflow

  1. Collect current system state and installed components.
  2. Compare against baseline policy.
  3. Install required tooling via official Apple mechanisms.
  4. Enforce default browser handlers and scheme mappings.
  5. Apply configuration changes and permissions.
  6. Write compliance summary and exit codes.

Data integrity and contracts

Canonical schema definitions

  • Baseline policy definition (settings, packages, defaults).
  • Compliance report schema (compliant, changed, failed).
  • Handler/default browser mapping table.

Source of truth rules

  • Baseline policy is the authoritative desired state.
  • Machine state is reconciled to match baseline each run.

Data quality checks

  • Verify required binaries are present after install.
  • Confirm browser handler changes applied.
  • Record failures per step with return codes.

Safe handling

  • Avoid logging user content or secrets.
  • Run with least privilege necessary for changes.
  • Store reports locally with restricted permissions.
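The core workflow, the compliance report schema (compliant, changed, failed), the data quality checks and the safe-handling rules above, worked through as an added example that is not the Atlas project's own code. It is a POSIX shell script that reconciles a constructed baseline policy against a constructed machine state kept in a directory of files; the "key|desired_value" policy format, the STATE_DIR state store, the read_setting/write_setting helpers and the rule that a key containing "locked" cannot be written are all assumptions made for the example, standing in for whatever the real pass reads and writes on macOS. The report is created under umask 077 so only the running user can read it, a setting is counted as changed only once a re-read confirms the new value, and a second run over the same state reports the earlier changes as already compliant, which is the idempotence the reliability posture calls for.

```shell
#!/bin/sh
# Added example, not the Atlas project's own code: an idempotent compliance pass.
# Assumptions (all constructed for this example):
#   - the baseline policy is a text file with one "key|desired_value" line per setting;
#   - machine state is a directory with one file per key holding its current value,
#     standing in for what a real macOS pass would read (e.g. `defaults read`);
#   - a key containing "locked" cannot be written, to exercise the "failed" path.
# Exit code contract: 0 = every setting compliant or changed, 2 = at least one failed.

STATE_DIR="${STATE_DIR:-$(mktemp -d)}"

# Print the current value of a setting, or nothing if it is unset.
read_setting() {
    [ -f "$STATE_DIR/$1" ] && cat "$STATE_DIR/$1"
    return 0
}

# Assert the desired value; a non-zero return means the change could not be made.
write_setting() {
    case "$1" in
        *locked*) return 1 ;;   # constructed failure: this setting is not writable
    esac
    printf '%s' "$2" > "$STATE_DIR/$1"
}

# compliance_pass POLICY_FILE REPORT_FILE
# Reconciles every policy line and writes one "status|key" line per setting plus a
# trailing summary line. Returns 0 when nothing failed, 2 otherwise.
compliance_pass() {
    policy=$1
    report=$2
    compliant=0; changed=0; failed=0
    umask 077                 # report file is readable by the running user only
    : > "$report"
    while IFS='|' read -r key desired; do
        [ -z "$key" ] && continue
        current=$(read_setting "$key")
        if [ "$current" = "$desired" ]; then
            status=compliant; compliant=$((compliant + 1))
        elif write_setting "$key" "$desired" \
                && [ "$(read_setting "$key")" = "$desired" ]; then
            # Counted as changed only once a re-read confirms the new value.
            status=changed; changed=$((changed + 1))
        else
            status=failed; failed=$((failed + 1))
        fi
        printf '%s|%s\n' "$status" "$key" >> "$report"
    done < "$policy"
    printf 'summary|compliant=%s changed=%s failed=%s\n' \
        "$compliant" "$changed" "$failed" >> "$report"
    [ "$failed" -eq 0 ] || return 2
}

# Number of report lines with the given status: report_count STATUS REPORT_FILE
report_count() {
    grep -c "^$1|" "$2" || true
}

# Constructed fixture: writes a small policy into WORK_DIR and seeds STATE_DIR
# with one compliant and one non-compliant value. Usage: demo_fixture WORK_DIR
demo_fixture() {
    STATE_DIR="$1/state"
    mkdir -p "$STATE_DIR"
    printf '%s' 'Safari' > "$STATE_DIR/default_browser"   # already compliant
    printf '%s' '0' > "$STATE_DIR/firewall_enabled"       # will be changed to 1
    printf '%s\n' 'default_browser|Safari' 'firewall_enabled|1' \
        'screen_lock_seconds|300' 'locked_setting|on' > "$1/baseline.policy"
}

# Run the pass twice over the same state to show the idempotent second run.
demo() {
    work=$(mktemp -d)
    demo_fixture "$work"
    for run in 1 2; do
        rc=0
        compliance_pass "$work/baseline.policy" "$work/report.txt" || rc=$?
        echo "run $run (exit code $rc):"
        cat "$work/report.txt"
    done
}

demo
```

Running the script prints two reports: the first shows one compliant, two changed and one failed setting, the second shows the two changed settings as already compliant with the same failed one, and both runs exit 2 because the failure persists, so a runbook or MDM wrapper can surface it from the exit code alone.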

Downstream integration map

  • IT compliance reporting.
  • Technician runbooks.
  • Device baseline monitoring.

Operational notes

Reliability posture

Idempotent compliance pass; minimize external dependencies.

Observability

  • run logs
  • exit codes
  • optional report file (recommended)

Security and privacy

Moderate; avoid logging user content.

Dependencies

Upstream
  • device enrollment/MDM context (adjacent)
Downstream
  • consistent staff experience
  • lower support load

Ownership

Owners

Josh Barton

Users

IT technicians, end users (indirect), Josh Barton (owner)