Firewall button grayed out even when pref pane is unlocked

Do you have a Configuration Profile installed on these Macs that uses the Security & Privacy payload? If so, unfortunately, that may be the cause. Because of how Apple, and subsequently Jamf's, Config Profile payloads work, even if you don't specifically set the Firewall option On or Off, simply having it as part of the Security & Privacy payload means it gets locked down, unable to be changed by the user or any admin on the Mac. The only way to avoid this would be to create a custom settings Config Profile that sets the specific Security & Privacy settings you want to set, like the "Require password [x seconds] after sleep or screen saver begins" option and does not set anything for other options.

I wish Apple would split these out or better yet, make an option in Config payloads such as "Do not set" so we can choose not to lock a setting down into an enabled/disabled state. It really sucks how they have things set up right now.

OTOH, if you don't have such a profile installed on these Macs, then something else is affecting it, but I don't know what it would be personally.

Thanks, you nailed it, that's it exactly. I have a Security and Privacy configuration profile that enforces File Vault on laptops - that's all it does, except to force recovery key redirection to the JSS. As you say, it locks the buttons in the preference pane, even though Firewall settings aren't set in the configuration profile.

I don't see a way to create an "Enforce File Vault and force recovery key redirection" custom profile, unfortunately.

Thanks for the swift response!

Yeah, I hear you.
But, there IS a way this can be done. It just involves several steps, and requires having a signing certificate of some kind. Can even be one from a Mac server set up with Profile Manager actually. The trick will be to create a new config in your JSS with Security & Privacy settings enabled, just the stuff you want. Then download it, convert the profile into something readable in a text editor using the security command, make some changes to the profile by deleting the payloads you don't want, like the Firewall, and resave it under a new file name (.mobileconfig), then sign the profile and reupload it to the JSS. By signing it, the JSS will not make any changes to it and will leave out the settings that you remove from the profile xml.

I've done this procedure myself, so I know it can be done. It's just a bit of a pain, and would be nice if Apple provided a better way of NOT enabling/disabling stuff that we don't specifically set in their payloads.

Also keep in mind when doing it this way, it means you can't make edits to the Profile in the JSS since it will remain locked. If you tell the JSS to remove the signing cert from it, it will add the payloads you are trying to avoid to the profile, and you'll be back to your present situation :-/

This is an even bigger issue now that, under High Sierra, FileVault Key Redirection is part of the Security & Privacy section of config profiles. I am currently unable to redirect FileVault keys without also managing EVERYTHING ELSE in that payload, including a) whether or not the firewall is enabled, and if so b) whether or not users are allowed to make their own Allow/Block decisions. I have some users who need to dynamically manage their Allow/Block list, in order to let them do that I must also now exclude their device from FileVault key redirection.

OK this has just come up in my environment also. WOW .. I blocked the ability to enable firewalls.. lol

At least if I could enable the firewall but allow users to disable or adjust that would be nice.