Firewall still prompting for admin even though it is set to always allow


I have a script that sets Cisco (chat, phone call application) to allow all connections, but in some cases, when a user makes an external phone call with the application, the firewall will prompt for admin credentials to allow/deny access. Entering the password makes it go away, but this is not a viable solution as we have hundreds of users without admin rights.

In the GUI, the firewall shows as always allowed.
Happens on Mavericks, Yosemite and El Capitan.

This is the script I am using to add the exceptions.

# Read the firewall state: the third word of the output is "enabled." or "disabled."
checkFirewall=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | awk '{print $3}'`

if [[ "$checkFirewall" == "disabled." ]]; then

    # Start firewall
    /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

    # Add trusted application to firewall
    /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Cisco
    /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/

else
    echo "Firewall is already enabled"
fi

exit 0

Contributor III

Is there the possibility the component that's trying to traverse the firewall lives outside the app bundle? Like in /Library or /Library/Application Support? Or even at the user level?

Contributor III

Another thing to try is adding the binary itself (or multiple of them if there are others within the app bundle) as the exceptions.


@htse I wasn't able to find any relatable application files in the system and user library.

I've tried adding the binary inside the package >> MacOS folder >> Cisco Jabber with no luck :(

Valued Contributor II

Hi all

I've been able to replicate this and the problem has only become apparent for users without admin rights. The problem is to do with the application's code signature not being recognised, and so it prompts the user to allow through the firewall and requires admin rights.

No matter how I packaged the app in Composer as a pkg or dmg, I kept getting the issue.

The solution was to download the Cisco Jabber installer from Cisco, put the downloaded original zip file in /private/tmp/ and have this as a postinstall script in Composer

## postinstall

# Check to see if the zip file exists in /tmp/
if [ -f $3/tmp/CiscoJabberMac*.zip ]; then

    # If Jabber is installed, delete it
    if [ -d $3/Applications/Cisco ]; then
        rm -rf $3/Applications/Cisco
    fi

    # Unzip Jabber to /tmp
    unzip -q $3/tmp/CiscoJabberMac*.zip -d /tmp/

    # Remove resource forks
    rm -rf $3/tmp/__MACOSX

    # Move the app from /tmp to /Applications
    mv $3/tmp/Cisco /Applications/

    # If the app still exists in /tmp delete it
    if [ -d $3/tmp/Cisco ]; then
        rm -rf $3/tmp/Cisco
    fi

    # Delete the zip file in /tmp
    if [ -f $3/tmp/CiscoJabberMac*.zip ]; then
        rm -rf $3/tmp/CiscoJabberMac*.zip
    fi

    exit 0      ## Success
else
    # The zip file was not found in /tmp/
    exit 1      ## Failure
fi

Valued Contributor II

I'm still having issues with this but I'm trying a new approach to modify the authorization database to allow all users to make the change. This suppresses the admin prompt and still allows the user to click allow and all is well.


sudo security authorizationdb write com.alf allow

Early testing is proving positive. Hope this helps someone out :)



@tkimpton Awesome. I'll be upgrading Jabber pretty soon. Hoping this works so we can also enable the firewall. Thanks!

Valued Contributor II

So I've been in support calls with Cisco (email anyway). The command I provided stops the admin pop-up for the application firewall.

Cisco have told me to carry out this: codesign --verify --deep -vvvvvvv --strict "Cisco"

If it comes back verified then it's OK.

So I ran codesign --verify --deep -vvvvvvv --strict "/Applications/Cisco" and it passed after a manual install drag and drop.

However, when either dragging the app into Composer or scripting the installation with the downloaded zip file, the signature check fails!

It seems you cannot package up Cisco Jabber at all as a pkg. The only way I have been able to deploy it with a signature intact is to deploy it via a dmg made in Composer and then it seems OK.

In version 11.7 Cisco are switching to a native pkg installer so we shouldn't need to faff around like this.
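
The posts above trace the admin prompt to a code signature that no longer verifies after repackaging. As an added example (not code from any poster, Cisco or Jamf), this post-deployment check adds the firewall exception only when `codesign` verifies the bundle and fails otherwise; the function names, the overridable `CODESIGN` and `SOCKETFILTERFW` variables and the sample path are assumptions.

```shell
#!/bin/sh
# Added example: gate the firewall exception on an intact code signature.
# Tool paths are overridable (assumption) so the logic can be tested off a Mac.
CODESIGN="${CODESIGN:-/usr/bin/codesign}"
SOCKETFILTERFW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Return 0 only if the bundle passes the strict deep verification
# quoted in the thread (codesign --verify --deep --strict).
signature_intact() {
    "$CODESIGN" --verify --deep --strict "$1" >/dev/null 2>&1
}

# Add the firewall exception only for a bundle whose signature verifies.
# A bundle that fails is reported and left alone, so the packaging
# problem surfaces at deployment time instead of as a user prompt.
allow_if_signed() {
    app="$1"
    if signature_intact "$app"; then
        "$SOCKETFILTERFW" --add "$app" || return 1
        echo "OK: signature verified, exception added: $app"
    else
        echo "FAIL: signature does not verify, not adding: $app" >&2
        return 1
    fi
}

# Usage (hypothetical path): sudo sh verify-and-allow.sh "/Applications/Example.app"
# With no argument the script only defines the functions.
if [ "$#" -gt 0 ]; then
    allow_if_signed "$1"
fi
```

Run as root after deployment; a non-zero exit flags a bundle whose signature was damaged in packaging, the condition the posts above associate with the admin prompt.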


@tkimpton We're on Jabber 11.7.1 and Jabber appears to be fine deploying from a .pkg. No firewall prompts when making phone calls. How about you?