Enabling macOS Firewall

Cephas
New Contributor

Hi, due to an Audit finding we are to enable the native macOS Firewall in our Mac estate consisting of about 150+ machines. I've created the config profile with the Firewall payload and it deploys and works with no issue, but we do not want stealth mode to block the ICMP protocol, as we need Ping and other network troubleshooting utilities that it provides. Also don't want Screen Sharing blocked, as well as AirDrop. Any advice on how to accomplish this, please?

sdagley
Esteemed Contributor II

@Cephas You should be able to disable Stealth mode in the Firewall configuration profile settings. Are you saying that's not working for you?

For allowing Screen Sharing or AirDrop, setting the AllowSigned property (https://developer.apple.com/documentation/devicemanagement/firewall) to true should allow that, but the Firewall payload editor in Jamf Pro lacks support for that so you'd need to using something like the iMazing Profile Editor (https://imazing.com/profile-editor) to create and sign your Firewall profile before uploading it to Jamf Pro for deployment.

mvu
Valued Contributor III

Could be wrong here, but even if the configuration profile for Firewall/Stealth was enabled, does that affect Screen Sharing and AirDrop?

If I recall in CIS level 2 benchmark, an organization would have to create profiles to disable those two. If you did nothing, it would be available and the Firewall configuration wouldn't disable it.

Shyamsundar
Contributor III

You can disable the Stealth mode by selecting Control incoming connections for Specific apps. [Screenshot attached: Screenshot 2025-02-10 at 13.11.32.png]

AJPinto
Esteemed Contributor

Working in an organization that has very high security requirements, you don't want to use Jamf to manage the OS firewall. Turning the firewall off or on, sure. However, proper management of the OS firewall is in the security framework, not the MDM framework. Before getting too deep, look into proper firewall management tools for macOS.

If your organization is anything like mine, they have never found a security client they did not want to deploy.

mschlosser
Contributor II

I concur with the reply that you can use the control app connections section to get the behavior you want. From what I recall, the firewall enables app connections based upon the bundle ID. I used com.apple.sharingd for file sharing services if you need that and com.apple.iTunes for AirDrop, also com.apple.ScreenSharing if that matters.
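Putting sdagley's AllowSigned suggestion and the bundle-ID approach above into one profile, here is an added example of a signed-ready Firewall payload (example written for this thread, not a profile from Jamf, Apple or any poster). The PayloadIdentifier and PayloadUUID values are placeholders, and the bundle IDs are the ones mentioned in the thread; whether each one actually governs the service you care about should be confirmed on a test Mac before deploying to the estate.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.firewall</string>
  <key>PayloadUUID</key>
  <string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.firewall</string>
      <key>PayloadIdentifier</key>
      <string>com.example.firewall.alf</string>
      <key>PayloadUUID</key>
      <string>66666666-7777-8888-9999-000000000000</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Audit requirement: application firewall on. -->
      <key>EnableFirewall</key>
      <true/>
      <!-- Stealth mode off so the Mac still answers ICMP echo (ping). -->
      <key>EnableStealthMode</key>
      <false/>
      <!-- Must stay false: true blocks Screen Sharing and AirDrop regardless of the list below. -->
      <key>BlockAllIncoming</key>
      <false/>
      <!-- Built-in Apple software (Screen Sharing, AirDrop) may accept incoming connections. -->
      <key>AllowSigned</key>
      <true/>
      <!-- Explicit per-app exceptions by bundle ID (the IDs mschlosser mentions; verify on a test Mac). -->
      <key>Applications</key>
      <array>
        <dict>
          <key>BundleID</key><string>com.apple.ScreenSharing</string>
          <key>Allowed</key><true/>
        </dict>
        <dict>
          <key>BundleID</key><string>com.apple.sharingd</string>
          <key>Allowed</key><true/>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
```

After the profile lands on a test machine, `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate --getstealthmode --getallowsigned --listapps` shows whether the firewall is on, stealth mode is off, signed software is allowed and the bundle-ID exceptions took effect, and a `ping` from another host confirms ICMP is still answered.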

RoseCliver
New Contributor

@Cephas wrote:

Hi, due to an Audit finding we are to enable the native macOS Firewall in our Mac estate consisting of about 150+ machines. I've created the config profile with the Firewall payload and it deploys and works with no issue, but we do not want stealth mode to block the ICMP protocol, as we need Ping and other network troubleshooting utilities that it provides. Also don't want Screen Sharing blocked, as well as AirDrop. Any advice on how to accomplish this, please?

To enable the macOS Firewall while allowing ICMP (ping) and ensuring Screen Sharing and AirDrop aren't blocked, disable Stealth Mode in the Firewall payload to prevent blocking ICMP. Then, manually add exceptions for Screen Sharing (port 5900) and AirDrop (using Bonjour ports like 5353) via terminal commands to allow these services. When deploying the profile, make sure it includes these exceptions to ensure that necessary network troubleshooting tools and user services are not interrupted. Finally, verify the settings on a test machine to confirm the configuration is correct.

WendyScott
Visitor

You can use a configuration profile to allow ICMP for Screen Sharing and AirDrop.