Posted on 07-05-2019 02:19 PM
I've been tasked with some CIS recommendations for our Apple estate.
I am currently mulling over the firewall parts of this. Do you guys enable firewalls in your estate? It seems like a no-brainer, but this isn't Windows and I don't know how much it really helps on the Mac side. There are a lot fewer programs actively listening for ports and connections.
Also with that, if I implement it now, what programs would it break? How do you guys handle this? Do you find it's good to have one or not worth it?
Posted on 07-05-2019 06:39 PM
I find it most useful to enable FileVault but having firewall turned on would be good extra protection.
Posted on 07-06-2019 10:25 AM
Great question.
I too would be interested in this topic. Defense in depth is or should be a must, no matter what OS is running. But what it would break would be good to know. Also good to know would be how to enable it using Jamf Pro so we do not need to visit 1000+ devices.
Posted on 07-08-2019 02:02 AM
We use two scripts to configure the in-built application firewall. The first enables it and sets the relevant options: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall.sh
The second adds exceptions for apps which require access: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall-add-exception.sh
In our environment there are three main applications which need access: Maple, Matlab and SPSS. These all use network-based licensing, so this isn't necessarily a surprise.
Posted on 07-08-2019 05:31 AM
The question to me is: why would you not turn it on and enforce it being on? I always report on it using an EA and make sure it gets turned back on if somehow it goes off.
I have found profiles don't always turn it on, so a script is required initially, but a profile stops it going off in my experience.
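Added example, not part of the thread and not the UoE scripts linked above: one way to do the "report with an EA, turn it back on with a script" approach using the built-in `socketfilterfw` tool. The function names and the `remediate` parameter value are hypothetical, and the status line format (`Firewall is enabled. (State = 1)`, with 0 meaning off) is an assumption to confirm on your macOS versions.

```shell
#!/bin/bash
# Added example, not from the thread: report the macOS application firewall
# state as a Jamf Pro extension attribute, or re-enable it from a policy.
# Assumption: `socketfilterfw --getglobalstate` prints a line such as
# "Firewall is enabled. (State = 1)"; 0 means off, non-zero means on.
FW="${FW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Turn the tool's status text into On / Off / Unknown.
parse_fw_state() {
  case "$1" in
    *"State = 0"*)      echo "Off" ;;
    *"State = "[1-9]*)  echo "On" ;;
    *)                  echo "Unknown" ;;
  esac
}

# Extension attribute output: Jamf Pro reads the text inside <result> tags.
ea_result() {
  printf '<result>%s</result>\n' "$(parse_fw_state "$1")"
}

# Policy mode: switch the firewall on only when it reports Off, then re-check.
# Returns 0 when the firewall ends up On, 1 otherwise (including Unknown).
remediate() {
  fw_state="$(parse_fw_state "$("$FW" --getglobalstate 2>/dev/null)")"
  if [ "$fw_state" = "Off" ]; then
    "$FW" --setglobalstate on >/dev/null 2>&1
    fw_state="$(parse_fw_state "$("$FW" --getglobalstate 2>/dev/null)")"
  fi
  [ "$fw_state" = "On" ]
}

# Run only where the tool exists. Jamf Pro passes script parameters starting
# at $4; the hypothetical value "remediate" selects policy mode.
if [ -x "$FW" ]; then
  if [ "${4:-}" = "remediate" ]; then
    remediate || echo "Application firewall could not be enabled" >&2
  else
    ea_result "$("$FW" --getglobalstate 2>/dev/null)"
  fi
fi
```

Used as an extension attribute it prints the `<result>` line for a smart group to key on; attached to a policy scoped to that group with `remediate` as parameter 4, it turns the firewall back on.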
Posted on 10-11-2021 07:06 AM
I've found that you can't allow the user to set their own exclusions if the firewall is set to on in a Jamf Configuration Profile. We have a number of unsigned apps made by in-house development, which poses a challenge with the firewall.
Posted on 07-19-2019 01:19 PM
@dsavageED Can these scripts be pushed to clients using Jamf Now?
Posted on 03-14-2022 09:29 PM
Can someone share a guide on how to enable the firewall on all Macs using policies? Step-by-step instructions would help.
Posted on 11-16-2022 11:25 AM
Following this for a good way to configure firewalls via config profile.