Question

Enabling the built-in Apple firewall

  • July 5, 2019
  • 8 replies
  • 42 views


I've been tasked with some CIS recommendations for our Apple estate.

I am currently mulling over the firewall parts of this. Do you guys enable firewalls in your estate? It seems like a no-brainer, but this isn't Windows and I don't know how much it really helps on the Mac side. There are a lot fewer programs actively listening for ports and connections.

Also with that, if I implement it now, what programs would it break? How do you guys handle this? Do you find it's good to have one or not worth it?

8 replies

  • Valued Contributor
  • 70 replies
  • July 6, 2019

I find it most useful to enable FileVault but having firewall turned on would be good extra protection.


  • Valued Contributor
  • 179 replies
  • July 6, 2019

Great question.
I too would be interested in this topic. Defense in depth is, or should be, a must, no matter what OS is running. But what it would break would be good to know. Also good to know would be how to enable it using Jamf Pro so we do not need to visit 1000+ devices.


dsavageED
  • New Contributor
  • 173 replies
  • July 8, 2019

We use two scripts to configure the in-built application firewall. The first enables it and sets the relevant options: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall.sh
The second adds exceptions for apps which require access: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall-add-exception.sh
In our environment there are three main applications which need access: Maple, Matlab and SPSS. These all use network-based licensing, so this isn't necessarily a surprise.


  • Contributor
  • 181 replies
  • July 8, 2019

The question to me is why would you not turn it on and enforce it being on? I always report on it using an EA and make sure it gets turned back on if somehow it goes off.
I have found profiles don't always turn it on, so a script is required initially, but a profile stops it going off in my experience.
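
As an added example (not the UoE scripts linked above, nor this poster's EA), here is the shape of the script-plus-EA pattern described in these two replies: one function turns the application firewall on with socketfilterfw, and the EA functions parse socketfilterfw's own status output into a compact `<result>` line so Jamf can report on and smart-group machines where it has been switched off. The path to socketfilterfw and its output wording ("Firewall is enabled. (State = 1)", "Stealth mode enabled") are taken from macOS; the function names are my own.

```shell
#!/bin/sh
# Jamf script / Extension Attribute for the macOS application firewall.
# Added example for this thread; function names are hypothetical.
SFW="/usr/libexec/ApplicationFirewall/socketfilterfw"

# Initial remediation: profiles may not flip it on, so a script does.
enable_firewall() {
  "$SFW" --setglobalstate on >/dev/null 2>&1
  "$SFW" --setstealthmode on >/dev/null 2>&1   # CIS: stealth mode on
  "$SFW" --setloggingmode on >/dev/null 2>&1   # keep logs for detection
}

# Map the text of `socketfilterfw --getglobalstate` to a compact state.
# State = 0 off, 1 on, 2 on with "block all incoming".
fw_state_from_output() {
  case "$1" in
    *"State = 2"*) echo "enabled-block-all" ;;
    *"State = 1"*) echo "enabled" ;;
    *"State = 0"*) echo "disabled" ;;
    *)             echo "unknown" ;;
  esac
}

# Map the text of `socketfilterfw --getstealthmode` to on/off.
stealth_from_output() {
  case "$1" in
    *disabled*) echo "off" ;;
    *enabled*)  echo "on" ;;
    *)          echo "unknown" ;;
  esac
}

# Build the EA result line Jamf stores, e.g. <result>enabled,stealth=on</result>.
ea_result() {
  echo "<result>$(fw_state_from_output "$1"),stealth=$(stealth_from_output "$2")</result>"
}

# Only run against the real binary on a Mac; the functions above are
# pure text parsing so they can be checked with constructed output.
if [ -x "$SFW" ]; then
  ea_result "$("$SFW" --getglobalstate 2>/dev/null)" \
            "$("$SFW" --getstealthmode 2>/dev/null)"
fi
```

Drop the EA functions into a Jamf Extension Attribute and call `enable_firewall` from a policy script (it needs root); a smart group on the EA value then catches anything reporting `disabled`.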


  • Valued Contributor
  • 70 replies
  • July 19, 2019

@dsavageED Can these scripts be pushed to clients using Jamf Now?


  • Contributor
  • 19 replies
  • October 11, 2021

The question to me is why would you not turn it on and enforce it being on? I always report on it using an EA and make sure it gets turned back on if somehow it goes off.
I have found profiles don't always turn it on, so a script is required initially, but a profile stops it going off in my experience.


I've found that you can't allow the user to set their own exclusions if the firewall is set to on in a Jamf Configuration Profile. We have a number of unsigned apps made by in-house development, which poses a challenge with the firewall.


  • New Contributor
  • 7 replies
  • March 15, 2022

Can someone share a guide on how to enable the firewall on all Macs using policies? Step-by-step instructions would help.


  • New Contributor
  • 6 replies
  • November 16, 2022

Following this for a good way to configure firewalls via config profile.