MDM Configuration Guide
Deploy and manage Rosetta Check across your Mac fleet using standard macOS configuration profiles. Available from v1.20.
Finding Rosetta Check in Apple Business Manager
Searching by name in ABM can be unreliable. Search using the App Store ID id6759349750 instead — this will find it immediately.
How It Works
Rosetta Check reads managed preferences from the com.neiljohn.rosettacheck preference domain using Apple's standard UserDefaults managed configuration mechanism. Deploy a .mobileconfig profile through your MDM solution to centrally control app behaviour.
When a key is set via a configuration profile, it overrides the user's local setting and the corresponding toggle in the app's Settings window is locked with a 🔒 icon. The app uses objectIsForced(forKey:) to detect managed keys — no special entitlements are required.
Download the example .mobileconfig and customise the keys you want to manage.
Upload to Jamf, Intune, Mosyle, Kandji, or any MDM that supports custom profiles.
Managed settings show a 🔒 lock icon in the app. Users cannot override them.
Example Configuration Profile
Download a complete, working .mobileconfig file with all available keys.
Edit it to include only the keys you want to manage — keys omitted from the profile remain under user control.
Important: Replace the PayloadUUID values with unique UUIDs for your organisation before deploying. Generate them with uuidgen in Terminal.
Preference Domain
Managed Keys Reference
Every key supported by Rosetta Check's managed configuration. All keys are optional — include only those you want to control centrally.
| Key | Type | Default | Description |
|---|---|---|---|
| backgroundMonitoringEnabled | Bool | true | Run a live Spotlight query in the background to detect new app installations and removals in real time. Disable to prevent any background activity. |
| notificationsEnabled | Bool | true | Send macOS system notifications for flagged app alerts, app removal alerts, and readiness milestones. Set to false to suppress all notifications. |
| communityEnabled | Bool | false | Share anonymised Intel app metadata with the community. No personal or device-identifying information is transmitted. Set to false to prevent any data leaving the device. |
| scanOnLaunch | Bool | true | Automatically scan all installed applications when Rosetta Check launches. Disable to trigger scans manually or via the menu bar only. |
| launchAtLogin | Bool | false | Register as a login item so Rosetta Check starts automatically at user login. Recommended for enterprise deployments. |
| autoExportEnabled | Bool | false | Automatically export scan results to a local file after each scan. Essential for fleet-wide compliance reporting — IT tools can collect the export from each machine. |
| autoExportFormat | String | "csv" | Export format — "csv" or "json". CSV suits spreadsheet analysis; JSON is better for programmatic ingestion. |
| promptForLaunchAtLogin | Bool | true | Show the first-launch "Launch at Login?" prompt. Set to false to suppress. Use launchAtLogin to control the setting itself. |
| promptForCommunitySharing | Bool | true | Show community sharing prompts and AI-powered feature UI. Set to false to suppress the community confirmation sheet, first-scan upload prompt, "Get AI Recommendations" card, AI change notification banner, and "Share Results" button. |
Recommended Enterprise Configuration
For most enterprise deployments, we recommend the following configuration. This enables silent monitoring and auto-export while suppressing all user prompts and community features.
```xml
<key>launchAtLogin</key>
<true/>
<key>scanOnLaunch</key>
<true/>
<key>backgroundMonitoringEnabled</key>
<true/>
<key>autoExportEnabled</key>
<true/>
<key>autoExportFormat</key>
<string>csv</string>
<key>promptForLaunchAtLogin</key>
<false/>
<key>promptForCommunitySharing</key>
<false/>
<key>communityEnabled</key>
<false/>
```
Export File Location
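The auto-export file is written to the app's sandboxed Application Support directory and is overwritten on every scan, so the file always contains the latest results:
~/Library/Containers/com.neiljohn.rosettacheck/Data/Library/Application Support/RosettaCheck/exports/rosetta-check-latest.csv
Or rosetta-check-latest.json if the format is set to JSON.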
The predictable filename means collection scripts never need to search for the newest file.
CSV Export Fields
| Column | Description |
|---|---|
| Name | Application display name |
| Bundle Identifier | e.g. com.example.app |
| Version | CFBundleShortVersionString |
| Architecture | Intel, Universal, Apple Silicon, or Unknown |
| Needs Rosetta | Yes or No |
| Size | Human-readable disk size (e.g. 142 MB) |
| Last Used | Date the app was last opened |
| First Detected | Date Rosetta Check first saw the app |
| App Store | Yes if installed from the Mac App Store |
| Min macOS | LSMinimumSystemVersion from the app's Info.plist |
| Impact Score | 0–100 score combining recency, size, and distribution source |
| Category | App category from LSApplicationCategoryType |
| Path | Full filesystem path to the .app bundle |
Collection Script
Deploy this script via your MDM to retrieve Intel app data from managed Macs. It runs as root, determines the currently logged-in console user, and reads their Rosetta Check export file. The output is written to STDOUT so MDM platforms like Intune, Jamf, and Kandji can capture it directly as a custom attribute or extension attribute.
Deploy via Intune (Devices → macOS → Shell scripts), Jamf (Extension Attributes), or any MDM that supports custom scripts. Run as root.
```bash
#!/bin/bash
#
# Rosetta Check - Intel App Inventory Script
# Designed to run as root via MDM (Intune, Jamf, Kandji, etc.)
# Outputs Intel app names and versions from the console user's export file.
#

# Determine the currently logged-in console user
console_user=$(/usr/bin/stat -f%Su /dev/console 2>/dev/null)
if [[ -z "$console_user" || "$console_user" == "root" || "$console_user" == "loginwindow" ]]; then
  echo "No console user logged in"
  exit 0
fi

# Resolve the console user's home directory
user_home=$(/usr/bin/dscl . -read "/Users/$console_user" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
if [[ -z "$user_home" ]]; then
  echo "Unable to resolve home directory for $console_user"
  exit 0
fi

# Path to the Rosetta Check auto-export file
export_file="${user_home}/Library/Containers/com.neiljohn.rosettacheck/Data/Library/Application Support/RosettaCheck/exports/rosetta-check-latest.csv"
if [[ ! -f "$export_file" ]]; then
  echo "No Rosetta Check export found"
  exit 0
fi

# Extract Intel app names and versions
intel=$(grep ",Intel," "$export_file" | awk -F',' '{print $1" ("$3")"}')
if [[ -n "$intel" ]]; then
  echo "$intel"
else
  echo "No Intel apps found"
fi
```
Example output:
```
foobar2000 (2.6.6)
Uninstall Global Secure Access Client (1.1.25111702)
```
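The collection script reads a file from a user-writable container as root, matches `,Intel,` anywhere in a row and splits on every comma. As an added example (not the vendor's script), a stricter extraction step could look like this. It assumes the export uses RFC 4180-style quoting and the header names from the CSV Export Fields table; the function name `intel_apps_from_export` and the 200-row and 120-character limits are illustrative choices.

```shell
#!/bin/bash
# Added example (not the vendor's script). Assumes RFC 4180-style quoting and
# the header names listed under "CSV Export Fields".
# Prints "Name (Version)" for every row whose Architecture column is exactly Intel.
intel_apps_from_export() {
  local file="$1"
  # The export sits in a user-writable directory but is read as root:
  # refuse symlinks and anything that is not a regular file.
  if [ -L "$file" ] || [ ! -f "$file" ]; then
    echo "Export missing or not a regular file" >&2
    return 1
  fi
  awk -v max_rows=200 '
    # Split one CSV record into f[1..n]; honours quoted fields, drops control chars.
    function split_csv(line, f,    n, i, c, inq, cur) {
      split("", f); n = 0; cur = ""; inq = 0
      for (i = 1; i <= length(line); i++) {
        c = substr(line, i, 1)
        if (c < " " || c == "\177") continue
        if (inq) {
          if (c == "\"" && substr(line, i + 1, 1) == "\"") { cur = cur c; i++ }
          else if (c == "\"") inq = 0
          else cur = cur c
        } else if (c == "\"") inq = 1
        else if (c == ",") { f[++n] = cur; cur = "" }
        else cur = cur c
      }
      f[++n] = cur
      return n
    }
    NR == 1 {   # locate columns by header name, not by position
      n = split_csv($0, h)
      for (i = 1; i <= n; i++) col[h[i]] = i
      if (!("Name" in col) || !("Version" in col) || !("Architecture" in col)) exit 2
      next
    }
    {
      split_csv($0, f)
      if (f[col["Architecture"]] == "Intel" && ++rows <= max_rows)
        print substr(f[col["Name"]] " (" f[col["Version"]] ")", 1, 120)
    }
  ' "$file"
}
# Constructed sample: row 2 is Apple Silicon yet contains ",Intel,".
sample=$(mktemp)
printf '%s\n' 'Name,Bundle Identifier,Version,Architecture,Category' \
  '"Acme, Tools",com.example.acme,1.0,Intel,Utilities' \
  'Native,com.example.native,3.0,Apple Silicon,Intel' > "$sample"
intel_apps_from_export "$sample"; rm -f "$sample"
```

In the collection script, call `intel_apps_from_export "$export_file"` in place of the `grep | awk` line; whatever it prints still originates from a file the user can edit, so treat the resulting MDM attribute as untrusted input.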
Rosetta Usage Awareness (macOS 26.4+)
Starting with macOS 26.4, Apple shows a pop-up dialog each time an Intel app is launched, warning the user that Rosetta will be removed.
This can be suppressed via an MDM Restrictions policy using the com.apple.applicationaccess payload. See Apple's device management schema for the full specification.
Deploy a Restrictions profile in your MDM with the following key:
```xml
<key>allowRosettaUsageAwareness</key>
<false/>
```
Rosetta Check detects this setting and displays the current status in the Settings window under "Rosetta Transition". The downloadable example profile includes a commented-out section for this restriction.
Verifying Deployment
On a managed Mac, open Rosetta Check → Settings. Managed settings display a 🔒 lock icon and cannot be changed by the user. A "Management" banner appears when any keys are being managed.
You can also verify from Terminal:
```bash
# Check if any keys are managed
defaults read com.neiljohn.rosettacheck

# Check a specific key
defaults read com.neiljohn.rosettacheck autoExportEnabled
```
Supported MDM Solutions
Any MDM that can deploy custom macOS configuration profiles is supported. Links point to each vendor's documentation for deploying custom profiles.
Requirements
- macOS 13 (Ventura) or later
- Apple Silicon Mac
- Rosetta Check v1.20+ installed from the Mac App Store
- MDM solution capable of deploying custom configuration profiles
Questions? Contact [email protected]