The Firewall profile is part of the Security & Privacy profile. This means that if you are using FileVault you also are effectively forced to push out a Firewall setting as well.
The options in the Firewall tab are pretty much the same as Apple's Profile Manager as one would expect. However this means they like the Profile Manager one do not match the capabilities offered in the actual System Preferences pane on a Mac itself. In particular on a Mac itself it would be possible to 'Block All Connection' like in JAMF/Profile Manager but unlike JAMF/Profile Manager still allow 'built-in software to receive incoming connections' and/or 'allow downloaded signed software to receive incoming connections'.
In my case I would like to block all incoming connection except basic Internet services i.e. DHCP, Bonjour and IPSec. I would still want JAMF itself to be able to communicate with the client Macs which means allowing SSH and I would like local admins to be able to add applications to the approved list.
How can I do this via the Security & Privacy profile? (I could do it in a script but remember that the same profile is being used for FileVault so I don't have a choice.)