I am migrating my workflow of managing the macOS ALF firewall from scripts/policies to Jamf MDM profiles. Found odd behavior that prevents users from making changes.
Even though I have explicitly set the new ALF profile to allow users to modify ALF if needed (Jamf Privacy & Security > Firewall settings change > Enable user changes to the firewall settings), the ability to manage ALF locally is greyed out (disabled) on my test Macs, even though the user is a local admin (and can authenticate to unlock the Security & Privacy pane).
As soon as I remove the profile (un-scope the target Mac) the ability to modify ALF returns.
When I look at the raw XML plist (/Library/Managed Preferences/com.apple.security.firewall.plist) I don't see any key/value pairs related to restricting users from modifying ALF (assuming I'm looking in the correct location.)
I don't see any trace of a com.apple.alf plist file (maybe it was replaced/deprecated?).
Any idea as to why users are prevented from making changes when the MDM profile explicitly allows it?




