Harden 1.1 is a major update — 93 security checks (up from 64), dual compliance framework support (DISA STIG + CIS Benchmarks), exportable compliance reports, and a headless agent mode for fleet-scale scanning.

CIS Benchmark compliance

Harden now maps checks against the CIS Apple macOS 15.0 Sequoia Benchmark v1.1.0, the most widely adopted security standard outside the U.S. Department of Defense. 72 CIS rules are covered alongside the existing 47 DISA STIG rules. The new Compliance tab lets you switch between STIG and CIS views, each showing your system’s status from the framework’s perspective — for every rule, are you compliant or not?

CIS uses Level 1 (baseline for all organizations) and Level 2 (defense in depth). STIG uses CAT I/II/III severity. Harden covers both, giving you a single pane of glass for dual-framework compliance.

29 new security checks

Harden 1.1 adds checks in areas that didn’t exist when version 1.0 shipped:

Apple Intelligence controls — External AI extensions, Writing Tools, Mail Summary, Notes Transcription. These are new to macOS Sequoia and send data to Apple or third-party AI services. Harden flags them so you can decide whether the convenience is worth the privacy tradeoff.

Safari hardening — Auto-open downloads, fraudulent site warnings, cross-site tracking prevention, full URL display, status bar visibility. A new Applications category groups these with Terminal secure keyboard entry and Finder filename extension visibility.

System protection — Apple Mobile File Integrity (AMFI), world-writable system folders, sudo timeout and logging configuration, root account status.

Privacy and telemetry — Personalized advertising, Siri/dictation data sharing, search query sharing, assistive voice data sharing. Nine checks covering Apple’s opt-in data collection programs.

Network and authentication — HTTP/NFS server detection, Power Nap, guest SMB access, password hints, guest home folder cleanup, system preferences password requirement.

The total is now 93 checks across 8 categories.

Compliance reports

The Compliance tab includes an Export menu with three formats:

  • HTML — A styled, self-contained compliance report with STIG and CIS summary tables, all checks grouped by category, and device identity. Supports dark mode. Share it with auditors or attach it to a compliance ticket.
  • JSON — Machine-readable export with full check details, STIG/CIS references, and device identity (Hardware UUID for deduplication). Ready for ingestion by a SIEM or compliance dashboard.
  • CSV — Flat export for spreadsheets and databases. Each row includes the check, its status, framework references, and device identifiers.

All exports include device identity — Hardware UUID (stable deduplication key), serial number, model, hostname, OS version, and current user. When you aggregate reports from multiple Macs, the Hardware UUID lets you track each device over time even if hostnames change.

Agent mode and scheduled scanning

Harden can now run headlessly from the command line:

Harden --agent                                # scan, output JSON to stdout
Harden --agent --output /path/to/report.json  # scan, write to file

Agent mode runs all 93 checks, compares against the previous scan, and posts a macOS notification if any checks regressed. No UI, no Dock icon — it runs and exits.

The Integration tab includes a one-click scheduled scanning setup. Pick an interval (1, 4, 8, or 24 hours), click Enable, and Harden installs a LaunchAgent that runs background scans automatically. You’ll get a notification if something changes. The latest scan is always at ~/Library/Application Support/Harden/latest-scan.json.
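The two ideas above, using the Hardware UUID as the deduplication key when aggregating exports from many Macs and comparing a scan against the previous one to spot regressions, can be done on the consuming side with a short script. The following is an added example, not code from the Harden project: it ingests agent-mode JSON documents, groups them by Hardware UUID, keeps the latest scan per device even when the hostname changes, and reports every check that flipped from pass to fail between consecutive scans of the same device. The JSON field names (device.hardware_uuid, device.hostname, scanned_at, checks[].id, checks[].status), the pass/fail status values and the check ids in the sample data are assumptions constructed for the example; Harden's real export schema may differ.

```python
"""Aggregate Harden agent-mode JSON scans per device and detect regressions.

Added example, not Harden's own code. The schema below is an ASSUMPTION:
  {"device": {"hardware_uuid", "hostname", "os_version"},
   "scanned_at": ISO-8601 timestamp,
   "checks": [{"id": ..., "status": "pass" | "fail"}, ...]}
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample scans (not real Harden output). Device AAAA-0001 is
# scanned twice and renamed in between; the newer scan is listed first to
# show that ordering comes from scanned_at, not from file order.
SAMPLE_SCANS = [
    """{"device": {"hardware_uuid": "AAAA-0001", "hostname": "mac-a-renamed",
                   "os_version": "15.2"},
        "scanned_at": "2025-01-02T08:00:00",
        "checks": [{"id": "firewall", "status": "pass"},
                   {"id": "safari-auto-open", "status": "fail"},
                   {"id": "sudo-timeout", "status": "fail"}]}""",
    """{"device": {"hardware_uuid": "BBBB-0002", "hostname": "mac-b",
                   "os_version": "15.2"},
        "scanned_at": "2025-01-01T09:00:00",
        "checks": [{"id": "firewall", "status": "fail"},
                   {"id": "safari-auto-open", "status": "pass"},
                   {"id": "sudo-timeout", "status": "pass"}]}""",
    """{"device": {"hardware_uuid": "AAAA-0001", "hostname": "mac-a",
                   "os_version": "15.1"},
        "scanned_at": "2025-01-01T08:00:00",
        "checks": [{"id": "firewall", "status": "pass"},
                   {"id": "safari-auto-open", "status": "pass"},
                   {"id": "sudo-timeout", "status": "fail"}]}""",
]


def parse_scan(text):
    """Parse one JSON scan and validate the fields the aggregation relies on."""
    scan = json.loads(text)
    for key in ("device", "scanned_at", "checks"):
        if key not in scan:
            raise ValueError(f"scan is missing required field {key!r}")
    if not scan["device"].get("hardware_uuid"):
        raise ValueError("scan lacks device.hardware_uuid; cannot deduplicate")
    scan["_ts"] = datetime.fromisoformat(scan["scanned_at"])
    return scan


def load_sample():
    """Parse the constructed sample scans above."""
    return [parse_scan(text) for text in SAMPLE_SCANS]


def status_map(scan):
    """Map check id -> status for one scan."""
    return {check["id"]: check["status"] for check in scan["checks"]}


def group_by_device(scans):
    """Group scans by Hardware UUID, each device's history sorted oldest first."""
    by_uuid = defaultdict(list)
    for scan in scans:
        by_uuid[scan["device"]["hardware_uuid"]].append(scan)
    for history in by_uuid.values():
        history.sort(key=lambda s: s["_ts"])
    return dict(by_uuid)


def latest_per_device(scans):
    """Most recent scan per device, keyed by Hardware UUID (hostname may change)."""
    return {uuid: history[-1] for uuid, history in group_by_device(scans).items()}


def regressions(previous, current):
    """Check ids that were passing in `previous` and are failing in `current`."""
    before, after = status_map(previous), status_map(current)
    return sorted(cid for cid, status in after.items()
                  if status == "fail" and before.get(cid) == "pass")


def fleet_regressions(scans):
    """Per device: (check id, previous scan time, current scan time) for each regression."""
    result = {}
    for uuid, history in group_by_device(scans).items():
        result[uuid] = []
        for prev, cur in zip(history, history[1:]):
            for cid in regressions(prev, cur):
                result[uuid].append((cid, prev["scanned_at"], cur["scanned_at"]))
    return result


def compliance_percent(scan):
    """Share of checks passing in one scan, rounded to one decimal."""
    checks = scan["checks"]
    passed = sum(1 for check in checks if check["status"] == "pass")
    return round(100.0 * passed / len(checks), 1) if checks else 0.0


def fleet_summary(scans):
    """Latest hostname and compliance percentage per Hardware UUID."""
    return {uuid: {"hostname": scan["device"]["hostname"],
                   "compliance": compliance_percent(scan)}
            for uuid, scan in latest_per_device(scans).items()}


if __name__ == "__main__":
    scans = load_sample()
    print(json.dumps(fleet_summary(scans), indent=2))
    for uuid, regs in fleet_regressions(scans).items():
        for cid, before, after in regs:
            print(f"{uuid}: {cid} regressed between {before} and {after}")
```

Keying on the Hardware UUID rather than the hostname is what makes the per-device history stable: in the sample, device AAAA-0001 is renamed between scans yet still shows a single history with one regression (safari-auto-open), while BBBB-0002 has only one scan and therefore nothing to compare. Pointing the script at a directory of files written with `--output` is a one-line change to how the texts are loaded.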

One-click fixes

38 of the 93 checks now have auto-fix support (up from 25). New fixes include: Remote Apple Events, Media Sharing, AirPlay Receiver, Content Caching, FileVault auto-login, console login, password hints, guest SMB access, personalized advertising, diagnostics sharing, Power Nap, root account, Terminal secure keyboard, file extensions, and Safari auto-open downloads.

Fleet integration (preview)

The Integration tab also shows a preview of fleet reporting — configure a server URL, account ID, and secret key to send compliance reports to a central server. This feature isn’t active yet, but it signals the direction: open-source endpoint tools that optionally report to an organization’s compliance server for fleet-wide visibility, without MDM.

What’s next

Harden is open source at github.com/subversivesoftwareorg/harden. The build and release pipeline is fully automated — one ./Scripts/create-dmg.sh invocation handles building, signing, notarization, appcast generation, GitHub release creation, and website staging.