Enabling the built-in Apple firewall

danielgrm
New Contributor III

I've been tasked with some CIS recommendations for our apple estate.

I am currently mulling over the firewall parts of this. Do you guys enable firewalls in your estate? It seems like a no-brainer, but this isn't Windows and I don't know how much it really helps on the Mac side. There are a lot fewer programs actively listening for ports and connections.

Also with that, if I implement it now, what programs would it break? How do you guys handle this? Do you find it's good to have one or not worth it?

8 REPLIES

edickson
Contributor

I find it most useful to enable FileVault but having firewall turned on would be good extra protection.

rhooper
Contributor III

Great question.
I too would be interested in this topic. Defense in depth is or should be a must, no matter what OS is running. But what would it break would be good to know. Also good to know would be how to enable it using jamf pro so we do not need to visit 1000+ devices.

dsavageED
Contributor III

We use two scripts to configure the in-built application firewall. The first enables it and sets the relevant options: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall.sh
The second adds exceptions for apps which require access: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall-add-exception.sh
In our environment there are three main applications which need access: Maple, Matlab and SPSS. These all use network-based licensing, so this isn't necessarily a surprise.

marklamont
Contributor III

The question to me is why would you not turn it on and enforce it being on? I always report on it using an EA and make sure it gets turned back on if somehow it goes off.
I have found profiles don't always turn it on, so a script is required initially, but a profile stops it going off in my experience.
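
Below is an added illustration of what the two approaches in this thread amount to in practice: dsavageED's pair of scripts (enable the application firewall with its options, then add per-app exceptions) and marklamont's script-plus-EA pattern (enable via script, report the state back to Jamf with an extension attribute). It is example code written for this page, not the UoE-macOS scripts or anyone's production policy. It assumes the standard `/usr/libexec/ApplicationFirewall/socketfilterfw` binary, that the policy runs as root (as Jamf policies do), and a `DRY_RUN` variable introduced here purely so the command sequence can be checked on a machine without the binary; the particular option set (stealth mode, allow signed apps, logging) is one reasonable choice, not a quote from the CIS benchmark.

```bash
#!/bin/bash
# Added example: configure the macOS application firewall, add exceptions,
# and report state as a Jamf extension attribute. Not from the original post.
# Requires root for the set* calls. DRY_RUN=1 (assumed helper for this example)
# prints the commands instead of running them.

SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Run socketfilterfw with the given arguments, or echo the command in dry-run mode.
run_sfw() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$SFW $*"
  else
    "$SFW" "$@"
  fi
}

# Part 1: enable the firewall and set options (equivalent of the "enable" script).
# Block-all is left off so signed apps and explicit exceptions still work.
enable_firewall() {
  run_sfw --setglobalstate on
  run_sfw --setblockall off
  run_sfw --setallowsigned on      # allow built-in signed software
  run_sfw --setallowsignedapp on   # allow downloaded signed software
  run_sfw --setstealthmode on      # do not answer ICMP/port probes
  run_sfw --setloggingmode on
}

# Part 2: add an exception for an app that must accept inbound connections
# (the unsigned in-house apps and network-licensed tools mentioned in the thread).
# --add registers the app, --unblockapp flips it to "allow incoming".
add_exception() {
  local app="$1"
  if [ ! -e "$app" ]; then
    echo "add_exception: not found: $app" >&2
    return 1
  fi
  run_sfw --add "$app"
  run_sfw --unblockapp "$app"
}

# Part 3: translate the --getglobalstate text into a short EA value.
# socketfilterfw prints e.g. "Firewall is enabled. (State = 1)";
# State = 2 is the "block all incoming" mode, State = 0 is off.
firewall_state_from_output() {
  case "$1" in
    *"State = 1"*) echo "Enabled" ;;
    *"State = 2"*) echo "Enabled (block all)" ;;
    *"State = 0"*) echo "Disabled" ;;
    *)             echo "Unknown" ;;
  esac
}

# Jamf extension attribute body: query the live state and wrap it in <result>.
report_ea() {
  local out
  out="$("$SFW" --getglobalstate 2>/dev/null)"
  echo "<result>$(firewall_state_from_output "$out")</result>"
}

# Dispatch so one file can back three policy scripts:
#   firewall.sh enable
#   firewall.sh add /Applications/MATLAB.app /Applications/SPSS.app
#   firewall.sh ea
case "${1:-}" in
  enable) enable_firewall ;;
  add)    shift; for app in "$@"; do add_exception "$app"; done ;;
  ea)     report_ea ;;
esac
```

Pair the `ea` output with a smart group on "Disabled" and scope the `enable` policy to that group, which is the "make sure it gets turned back on" loop marklamont describes. The `add_exception` step only matters for apps that actually listen for inbound connections; a licence client that merely dials out to a licence server does not need it, so check with `--listapps` before adding exceptions wholesale.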

mgorton
New Contributor III

I've found that you can't allow the user to set their own exclusions if the firewall is set to on in a Jamf Configuration Profile. We have a number of unsigned apps made by in-house development, which poses a challenge with the firewall.

edickson
Contributor

@dsavageED Can these scripts be pushed to clients using Jamf Now?

CSD
New Contributor II

Can someone share a guide on how to enable the firewall on all Macs using policies? Step-by-step instructions would help.

mjerome-EC
New Contributor

Following this for a good way to configure firewalls via config profile.