On my enrolled macs if I turn Firewall ON, do i have to turn on any options for casper communication?
will turning ON Firewall mess with JSSConnection? (recurring check-in, login/logout etc...)
Solved
Firewall with Casper connection.
Best answer by alexjdale
Here is the script, it also checks for the presence of the Connected Backup application and adds it to the approved application list if it is installed. I run this daily for systems that have the firewall off (based on an extension attribute). I can't feasibly stop an admin from turning the firewall off (that I am aware of) so this is the next best thing.
And yes, there is no communication to the client from the JSS, it's all "pull" from the client. If the client initiates the connection (like downloading a package for a software install) then it won't trip a firewall.
#!/bin/bash
fwStatus=`defaults read /Library/Preferences/com.apple.alf globalstate`
if [ "$fwStatus" == "0" ]; then
echo "FW off, adding exceptions and enabling"
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Microsoft Lync.app"
if [ -d "/Applications/Autonomy/Connected Backup/Connected Backup.app" ]; then
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/AgentService/AgentService
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Autonomy/Connected Backup/Connected Backup.app"
fi
if [ -d "/Applications/Iron Mountain/Connected Backup/Connected Backup.app" ]; then
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/AgentService/AgentService
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Iron Mountain/Connected Backup/Connected Backup.app"
fi
defaults write /Library/Preferences/com.apple.alf globalstate -int 1
else
echo "FW on, exiting"
exit 0
fi
+18No, the native application firewall won't affect JSS communication, the connection is heading outbound from the system. There are no incoming connections from the JSS.
We turn on the firewall for all systems with no issues. If you have any apps that require exceptions (that prompt for approval) you can add them with a script. For example, I add an exception for Lync before I turn on the firewall:
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Microsoft Lync.app"@alexjdale did you write a script that turns firewall on? If so, what is it?
So the enrolled client communicates outward to the JSS in all its communication, such as when performing recurring check in, logout/login policies etc..?
Software installation via Casper will not be affected with firewall ON? This is not considered inbound connection?
+18Here is the script, it also checks for the presence of the Connected Backup application and adds it to the approved application list if it is installed. I run this daily for systems that have the firewall off (based on an extension attribute). I can't feasibly stop an admin from turning the firewall off (that I am aware of) so this is the next best thing.
And yes, there is no communication to the client from the JSS, it's all "pull" from the client. If the client initiates the connection (like downloading a package for a software install) then it won't trip a firewall.
#!/bin/bash
fwStatus=`defaults read /Library/Preferences/com.apple.alf globalstate`
if [ "$fwStatus" == "0" ]; then
echo "FW off, adding exceptions and enabling"
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Microsoft Lync.app"
if [ -d "/Applications/Autonomy/Connected Backup/Connected Backup.app" ]; then
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/AgentService/AgentService
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Autonomy/Connected Backup/Connected Backup.app"
fi
if [ -d "/Applications/Iron Mountain/Connected Backup/Connected Backup.app" ]; then
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/AgentService/AgentService
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Iron Mountain/Connected Backup/Connected Backup.app"
fi
defaults write /Library/Preferences/com.apple.alf globalstate -int 1
else
echo "FW on, exiting"
exit 0
fithanks @alexjdale , I picked apart your script, removing the approved applications stuff. Also created an extension attribute that when its 0 the inventory display will tell me firewall is OFF or if 1 firewall is ON.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.