HowardGMac/Mac-Health-Check

Mac Health Check (3.0.0)

A practical, MDM-agnostic, user-friendly approach to surfacing Mac compliance information directly to end-users via your MDM's Self Service


Overview

Mac Health Check provides a practical, MDM-agnostic, user-friendly approach to surfacing Mac compliance information directly to end-users via an MDM's Self Service.

Built using the open-source utility swiftDialog, the solution acts as a “heads-up display” that presents real-time system health and policy compliance status in a clear and interactive format.

Deployment of Mac Health Check involves configuring organizational defaults, embedding the script in your MDM, creating a policy to run it on demand and testing to ensure proper output and behavior.

Administrators can customize the user interface using swiftDialog’s visual capabilities, making the experience both informative and approachable.

The tool logs results for review, while not altering device configuration, and a new "Silent" Operation Mode makes Mac Health Check ideal for IT visibility without end-user intrusion.

Rocketman Tech December 2025 Meetup
(05-Dec-2025)

Use Cases

Mac Health Check is particularly valuable in IT support workflows, serving as an initial triage point for Tier 1 support by confirming network access, credentials, and MDM connectivity, while also acting as a verification tool for Tier 2 teams both during and after remediation efforts.

Step Zero for Tier 1

  • User has a working Internet connection
  • User knows their directory credentials
  • Mac can execute policies
  • Validates Network Access Controls

Step Ninety-nine for Tier 2

  • Initial assessment for support sessions
  • Easily confirms remediation efforts
  • Provides peace-of-mind for end-users

Silent Mode

  • Silently performs all health checks and logs results
  • No dialog is presented to the end-user
  • Ideal for background compliance reporting
  • Complements existing MDM compliance frameworks

Dock Integration 🆕

  • Non-Silent modes launch swiftDialog with --showdockicon and --dockicon
  • dockIcon is configurable and supports default, local paths, file:// paths and http(s) URLs
  • Mac Health Check copies Dialog.app to /Library/Application Support/Dialog/${humanReadableScriptName}.app and launches dialogcli from that bundle so Dock hover text matches the script name
  • dockiconbadge shows the number of remaining checks, decreases after each completed check and is removed when checks complete
  • If dock icon setup fails, Mac Health Check logs a warning and falls back to the default /usr/local/bin/dialog launch path

Features

The following health checks and information reporting are included in version 3.0.0, which operates in Self Service mode by default. (Change operationMode to Debug, Development or Test when getting ready to deploy in production.)

Health Checks


  1. macOS Version
  2. Available Updates (including deferred and DDM-enforced updates)
  3. System Integrity Protection
  4. Signed System Volume (SSV)
  5. Firewall
  6. FileVault Encryption
  7. Gatekeeper / XProtect
  8. Touch ID
  9. Password Hint 🆕
  10. AirDrop 🆕
  11. AirPlay Receiver 🆕
  12. Bluetooth Sharing 🆕
  13. VPN Client
  14. Last Reboot
  15. Free Disk Space
  16. User's Directory Size and Item Count
    • Desktop
    • Downloads
    • Trash
  17. MDM Profile
  18. MDM Certificate Expiration
  19. Apple Push Notification service
  20. Jamf Pro Check-in
  21. Jamf Pro Inventory
  22. Extended Network Checks
    • Apple Push Notification Hosts
    • Apple Device Management
    • Apple Software and Carrier Updates
    • Apple Certificate Validation
    • Apple Identity and Content Services
    • Jamf Hosts
  23. App Auto-Patch 🆕
  24. Electron Corner Mask 🔗
  25. Organizationally required Applications (i.e., Microsoft Teams)
  26. BeyondTrust Privilege Management*
  27. Cisco Umbrella*
  28. CrowdStrike Falcon*
  29. Palo Alto GlobalProtect*
  30. Network Quality Test
  31. Update Computer Inventory**

*Requires external check **Requires Jamf Pro

Information Reporting

In progress

IT Support

  • Dynamic supportLabel1 / supportValue1 through supportLabel6 / supportValue6
  • Empty Label / Value pairs are skipped automatically
  • Legacy fallback still works when all dynamic pairs are empty:
    • Telephone (supportTeamPhone)
    • Email (supportTeamEmail)
    • Website (supportTeamWebsite)
    • Knowledge Base Article (supportKBURL)
  • Info button target now uses the first URL-like dynamic support value; if none is found, it falls back to legacy Knowledge Base values

User Information

  • Full Name
  • User Name
  • User ID
  • Secure Token
  • Location Services
  • Microsoft OneDrive Sync Date
  • Platform Single Sign-on Extension

Computer Information

  • macOS version (build)
  • System Memory
  • System Storage
  • Dialog version
  • Script version
  • Computer Name
  • Serial Number
  • Wi-Fi SSID
  • Wi-Fi IP Address
  • VPN IP Address

Jamf Pro Information**

  • Site

***Payload Variables for Configuration Profiles

Policy Log Reporting

MHC (3.0.0): 2026-02-16 03:43:13 - [NOTICE] WARNING: 'localadmin' IS A MEMBER OF 'admin';
User: macOS Server Administrator (localadmin) [503] staff everyone localaccounts _appserverusr 
admin _appserveradm com.apple.sharepoint.group.4 com.apple.sharepoint.group.3
com.apple.sharepoint.group.1 _appstore _lpadmin _lpoperator _developer _analyticsusers
com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh com.apple.access_remote_ae
com.apple.sharepoint.group.2; Bootstrap Token supported on server: YES;
Bootstrap Token escrowed to server: YES; sudo Check: /etc/sudoers: parsed OK;
sudoers: root  ALL = (ALL) ALL %admin  ALL = (ALL) ALL ; Platform SSOe: localadmin NOT logged in;
Location Services: Enabled; SSH: On; Microsoft OneDrive Sync Date: Not Configured;
Time Machine Backup Date: Not configured; localadmin's Desktop Size: 160M for 116 item(s);
localadmin's Trash Size: 1.8M for 3 item(s); Battery Cycle Count: 0; Wi-Fi: Liahona;
Ethernet IP address: 17.113.201.250; VPN IP: 17.113.201.250; 
Network Time Server: time.apple.com; Jamf Pro Computer ID: 007; Site: Servers

  1. Warning when logged-in user is a member of admin
  2. Deferred Software Updates
  3. Logged-In User Group Membership
  4. Security Mode 🆕
  5. DEP-allowed MDM Control 🆕
  6. Activation Lock 🆕
  7. Bootstrap Token
  8. sudoers
  9. Kerberos SSOe
  10. Location Services
  11. SSH
  12. Time Machine
  13. Battery Cycle Count
  14. Network Time Server
  15. Jamf Pro Computer ID
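
Because the policy log record is a single `;`-separated line, it can be triaged mechanically. The following shell function is an added example, not part of the Mac Health Check script: it re-joins a wrapped record and prints one finding per risky field. The finding names, and any values not visible in the sample above (such as `NO` or `NOPASSWD`), are assumptions.

```shell
#!/bin/sh
# Added example: triage Mac Health Check "Policy Log Reporting" records.
# A record starts with "MHC (" and may be wrapped over several lines;
# fields are separated by ";". One finding is printed per line.
# Values other than those in the sample (e.g. "NO") are assumptions.
mhc_findings() {
    awk -v q="'" '
    function flush(   n, i, f, p, qp, k, key, val) {
        n = split(rec, p, ";")
        for (i = 1; i <= n; i++) {
            f = p[i]
            gsub(/^[ \t]+|[ \t]+$/, "", f)          # trim the field
            if (index(f, "IS A MEMBER OF " q "admin" q)) {
                split(f, qp, q)                     # qp[2] is the quoted user
                print "ADMIN_MEMBER " qp[2]
                continue
            }
            k = index(f, ": ")                      # split at the first ": "
            if (k == 0) continue
            key = substr(f, 1, k - 1); val = substr(f, k + 2)
            if (key == "SSH" && val == "On") print "SSH_ENABLED"
            if (key == "Bootstrap Token escrowed to server" && val != "YES")
                print "BOOTSTRAP_TOKEN_NOT_ESCROWED"
            if (key == "sudo Check" && val !~ /parsed OK$/)
                print "SUDOERS_PARSE_PROBLEM"
            if (key == "sudoers" && val ~ /NOPASSWD/)
                print "SUDOERS_NOPASSWD"
        }
        rec = ""
    }
    /^MHC \(/ { flush() }       # a new record begins: emit the previous one
    { rec = rec " " $0 }        # re-join wrapped lines
    END { flush() }
    '
}

# Constructed sample, abridged from the record shown above.
mhc_sample_record() {
    cat <<'EOF'
MHC (3.0.0): 2026-02-16 03:43:13 - [NOTICE] WARNING: 'localadmin' IS A MEMBER OF 'admin';
User: macOS Server Administrator (localadmin) [503] staff everyone admin;
Bootstrap Token escrowed to server: YES; sudo Check: /etc/sudoers: parsed OK;
sudoers: root  ALL = (ALL) ALL %admin  ALL = (ALL) ALL ; SSH: On; Site: Servers
EOF
}

mhc_sample_record | mhc_findings
```

Feed it the policy log text on stdin; where that log is stored depends on your MDM.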

Support

Mac Admins Slack #mac-health-check Channel

Community-supplied, best-effort support is available on the Mac Admins Slack (free, registration required) #mac-health-check Channel, or you can open an issue.

Deployment

Deployment of Mac Health Check involves configuring organizational defaults, uploading the script to your MDM server, creating a policy to run it on demand and testing to ensure proper output and behavior.


Operation Mode: Development 🆕

A new "Development" Operation Mode has been added to aid in developing Health Checks, allowing the easy execution of a single Health Check.

Health Checks


When operationMode is set to Development, a dedicated developmentListitemJSON is used to allow developers to focus on a specific check, instead of running the entire suite.

####################################################################################################
#
# Program
#
####################################################################################################

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Generate dialogJSONFile based on Operation Mode and MDM Vendor
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

if [[ "${operationMode}" == "Development" ]]; then
    
    notice "Operation Mode is ${operationMode}; using ${operationMode} dialogJSONFile template."

    # Development List Items

    developmentListitemJSON='
    [
        {"title" : "Electron Corner Mask", "subtitle" : "Detects susceptible Electron apps that may cause GPU slowdowns on macOS 26 Tahoe", "icon" : "SF=31.circle,'"${organizationColorScheme}"'", "status" : "pending", "statustext" : "Pending …", "iconalpha" : 0.5}
    ]
    '
    # Validate developmentListitemJSON is valid JSON
    if ! echo "$developmentListitemJSON" | jq . >/dev/null 2>&1; then
        echo "Error: developmentListitemJSON is invalid JSON"
        echo "$developmentListitemJSON"
        exit 1
    else
        combinedJSON=$( jq -n --argjson dialog "$mainDialogJSON" --argjson listitems "$developmentListitemJSON" '$dialog + { "listitem": $listitems }' )
    fi

else

Additionally, a dedicated, single Health Check function is executed:

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Generate Health Checks based on Operation Mode and MDM Vendor (where "n" represents the listitem order)
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

if [[ "${operationMode}" == "Development" ]]; then
    
    # Operation Mode: Development
    notice "Operation Mode is ${operationMode}; using ${operationMode}-specific Health Check."
    dialogUpdate "title: ${humanReadableScriptName} (${scriptVersion})<br>Operation Mode: ${operationMode}"
    checkElectronCornerMask "0"

else

About

Mac Health Check provides a practical and user-friendly approach to surfacing Mac compliance information directly to end-users via Jamf Pro Self Service.
