CLI for control, AI for intent — ship consistent, declarative Apple configurations at scale
A Swiss Army Knife for Apple Device Management tasks
Status: Preview — almost feature-complete for core workflows, APIs and flags may still change before 1.0.
contour turns intent into valid .mobileconfig profiles and Declarative Device Management (DDM) declarations for macOS, iOS, iPadOS, tvOS, watchOS, and visionOS — every one checked against Apple's official device-management schema, so an agent can't ship config that won't apply.
One signed binary that makes common device management tasks simpler. Contour validates, normalizes, and processes Apple device management artifacts using embedded Apple schemas — producing clean diffs, clear errors, and predictable output every time. Designed for terminal workflows, CI pipelines, and AI agents, it brings consistency and reliability to modern device management operations.
Contour works primarily with your existing profiles and DDM configuration payloads — whether created by you, your MDM vendor, or an AI agent. It can also generate new configurations from scratch, reverse-engineer existing plists on MDM-managed devices, and transform everything into a clean, consistent format optimized for modern Git-driven device management workflows.
Two modes, same core — every artifact is validated against the embedded Apple schema.
Device config deserves the same rigor as the code you ship to production.
Profiles, DDM declarations, Santa rules, osquery policies — some of this config already runs in your device management solution. But the tooling around it has lived in GUIs and copy-paste for years. Drift happens over time. Typos slip through. And AI agents are now generating config without validation. Contour adds a validation step you can apply when useful.
- How. The Apple schema for MDM/profiles, declarative management, and osquery is embedded. Processors and the generator validate against it before writing normalized config out. Identifiers and UUIDs are handled deterministically.
- What. One signed binary. Output is normalized to diff cleanly, work consistently, and fail loud when something's wrong — whether you or an agent wrote it.
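Why deterministic identifiers matter for Git-driven review, shown as an added example that is not Contour's code: two exports of the same profile that differ only in random UUIDs and key order normalize to identical bytes. The UUIDv5 derivation, the function names and the `com.acme` sample are assumptions made for illustration; Contour's actual derivation is not described on this page.

```python
import plistlib
import uuid

# Top-level keys every configuration profile carries (Apple's key names).
REQUIRED = ("PayloadContent", "PayloadIdentifier", "PayloadType",
            "PayloadUUID", "PayloadVersion")

def normalize_profile(raw: bytes, org: str) -> bytes:
    """Return canonical plist bytes with identifier-derived UUIDs.

    Assumption: UUIDv5 over the payload identifier stands in for
    "deterministic"; it is not Contour's documented algorithm.
    """
    profile = plistlib.loads(raw)
    missing = [k for k in REQUIRED if k not in profile]
    if missing:
        raise ValueError(f"profile missing required keys: {missing}")
    if not profile["PayloadIdentifier"].startswith(org + "."):
        raise ValueError("PayloadIdentifier is outside the org namespace")
    # Rewrite the UUID of the profile itself and of each inner payload.
    for payload in [profile, *profile["PayloadContent"]]:
        ident = payload["PayloadIdentifier"]
        derived = uuid.uuid5(uuid.NAMESPACE_DNS, ident)
        payload["PayloadUUID"] = str(derived).upper()
    # Sorted keys give a stable byte layout, so diffs show real changes only.
    return plistlib.dumps(profile, sort_keys=True)

def sample_profile(profile_uuid: str, payload_uuid: str) -> bytes:
    """Constructed sample: a passcode-policy profile with caller-chosen UUIDs."""
    return plistlib.dumps({
        "PayloadVersion": 1,
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadIdentifier": "com.acme.passcode",
        "PayloadContent": [{
            "minLength": 12,
            "PayloadUUID": payload_uuid,
            "PayloadType": "com.apple.mobiledevice.passwordpolicy",
            "PayloadIdentifier": "com.acme.passcode.policy",
            "PayloadVersion": 1,
        }],
    }, sort_keys=False)

if __name__ == "__main__":
    a = normalize_profile(sample_profile(str(uuid.uuid4()), str(uuid.uuid4())), "com.acme")
    b = normalize_profile(sample_profile(str(uuid.uuid4()), str(uuid.uuid4())), "com.acme")
    print("identical after normalization:", a == b)
```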
Two modes — hand it to an AI agent, or run the CLI directly on macOS or Linux. Same core: every artifact is processed with built-in tools and validated against the embedded schemas. For details on each tool, see the docs.
Because validation is baked into every generator, Contour is safe to hand to an AI agent. Install it as a skill for Claude Code (and similar), or let the agent call the CLI directly:
```bash
# Install as a Claude Code skill — agent receives Apple schema and SOP routing
contour setup-agent
# Or let agent call the CLI directly — enables easy discovery of commands index and usage
contour help-ai
```

The AI agent gets the Apple schema, routed SOPs for each task, and a generator that refuses to write a broken file. You ask in plain English; the agent picks the right command and Contour keeps it straight — grounding Apple device-management profiles, mSCP compliance rules, and osquery queries against the real embedded schema instead of guessing table or column names.
Contour is a CLI, not an MCP tool — the agent invokes Contour with a selector and receives exactly the schema fragment embedded in the binary. No large context window to collapse, no MCP orchestration, no web fetches — just the precise schema slice the agent requested.
```bash
# CLI routing for AI agents using designated SOPs
contour help-ai --sop profile # profile generation SOP
contour help-ai --sop osquery # osquery schema lookup + query patterns
contour help-ai --sop fleet-migrate # GitOps repo migration SOP
```

Each tool can be used in CI, Git hooks, scripts, or the terminal.
| Tool | Description |
|---|---|
| `contour profile` | Normalize, validate, sign, generate, search, and import Apple configuration profiles against the embedded schema. |
| `contour profile synthesize` | Reverse-engineer managed preference plists into validated mobileconfigs. |
| `contour profile import --jamf` | Import from Jamf Pro backup YAML — extract, normalize, validate in one step. |
| `contour profile command` | Generate MDM command plist payloads (RestartDevice, DeviceLock, EraseDevice, …) with `--base64` for the Fleet API. |
| `contour profile enrollment` | Generate ADE enrollment profiles from Setup Assistant skip keys, platform/version-gated. |
| `contour osquery` | Search and inspect the embedded osquery schema for writing queries and policies. |
| `contour pppc` | Generate TCC/Privacy Preferences profiles from app bundles. Scan → configure → generate. |
| `contour santa` | Santa allowlists, CEL toolkit (compile, eval, validate, dry-run, classify), and FAA plist generation. |
| `contour mscp` | mSCP baseline transformer with embedded schema query API and ODV support. |
| `contour btm` | Generate Background Task Management profiles for managed login items. |
| `contour notifications` | Generate notification settings profiles with per-app control. |
Common commands:
```bash
# Normalize and validate profiles for GitOps
contour profile normalize ./profiles -r --org com.acme --name "Acme Corp"

# Import from Jamf backup
contour profile import --jamf /path/to/jamf-backup/profiles/macos/ --all -o profiles/ --org com.acme

# Synthesize mobileconfigs from managed preference plists
contour profile synthesize /Library/Managed\ Preferences/ -o profiles/ --org com.acme --validate

# Search + generate a profile
contour profile search passcode --json
contour profile generate com.apple.mobiledevice.passwordpolicy --full --org com.acme

# MDM command for Fleet API
contour profile command generate DeviceLock --set PIN=123456 --uuid --base64

# ADE enrollment profile
contour profile enrollment generate --platform macOS --interactive -o enrollment.dep.json

# Query mSCP compliance rules
contour mscp schema baselines --json
contour mscp schema rules --baseline cis_lvl1 --json

# PPPC profile
contour pppc scan -p /Applications -o pppc.toml --org com.acme
contour pppc generate pppc.toml -o pppc.mobileconfig

# Santa allowlist
contour santa scan -f csv -o apps.csv
contour santa allow -i apps.csv --org com.acme -o santa.mobileconfig
```

Download the latest .pkg from Releases:
```bash
contour --help # Overview of all tools
contour <tool> --help # Tool-specific help
contour help-ai # LLM-optimized help for AI-assisted workflows
```

The binary is signed + notarized by Apple, stapled for offline verification.
- Profile Toolkit — normalize, validate, sign, diff, DDM declarations, payload extraction
- PPPC Toolkit — TCC services, interactive and batch configuration, CSV input
- Santa Toolkit — rule management, multiple fetch sources, `prep` for full Santa deployment
- mSCP Toolkit — Fleet/Jamf/Munki output, ODV overrides, cross-baseline deduplication
- BTM Toolkit — launch item scanning, DDM declarations (macOS 15+), multi-machine merge
- Notifications Toolkit — per-app alert control, interactive configuration wizard
Apache-2.0
