Posted on 07-31-2015 12:34 PM
On my enrolled Macs, if I turn the Firewall ON, do I have to turn on any options for Casper communication?
Will turning ON the Firewall mess with the JSS connection (recurring check-in, login/logout, etc.)?
Posted on 07-31-2015 01:52 PM
Here is the script; it also checks for the presence of the Connected Backup application and adds it to the approved application list if it is installed. I run this daily for systems that have the firewall off (based on an extension attribute). I can't feasibly stop an admin from turning the firewall off (that I am aware of), so this is the next best thing.
And yes, there is no communication to the client from the JSS, it's all "pull" from the client. If the client initiates the connection (like downloading a package for a software install) then it won't trip a firewall.
#!/bin/bash
# Read the application firewall state from the ALF plist: 0 = off, 1 = on
fwStatus=$(defaults read /Library/Preferences/com.apple.alf globalstate)

if [ "$fwStatus" == "0" ]; then
    echo "FW off, adding exceptions and enabling"
    # Approve apps that would otherwise prompt for incoming connections once the firewall is on
    /usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Microsoft Lync.app"
    # Connected Backup, Autonomy-branded install
    if [ -d "/Applications/Autonomy/Connected Backup/Connected Backup.app" ]; then
        /usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/AgentService/AgentService
        /usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Autonomy/Connected Backup/Connected Backup.app"
    fi
    # Connected Backup, Iron Mountain-branded install
    if [ -d "/Applications/Iron Mountain/Connected Backup/Connected Backup.app" ]; then
        /usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/AgentService/AgentService
        /usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Iron Mountain/Connected Backup/Connected Backup.app"
    fi
    # Turn the firewall on
    defaults write /Library/Preferences/com.apple.alf globalstate -int 1
else
    echo "FW on, exiting"
    exit 0
fi
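The same enforce-on-check-in approach, written up as an added example rather than alexjdale's script: it drives the firewall through socketfilterfw's own --setglobalstate / --getglobalstate switches instead of writing the com.apple.alf plist, adds each exception only when the application is actually present, and reads the state back afterwards so a policy log shows whether the change took. The candidate paths are the ones named in this thread and are assumptions for your fleet; the helper that lists installed candidates takes a root directory so it can be exercised against a scratch tree.

```shell
#!/bin/bash
# Added example, not the original poster's script. Assumes the standard
# socketfilterfw location and the application paths named in this thread.

SFW="/usr/libexec/ApplicationFirewall/socketfilterfw"

# Applications that prompt for incoming-connection approval once the firewall
# is on. Newline-separated so paths containing spaces survive the loop below.
CANDIDATES='/Applications/Microsoft Lync.app
/Applications/Autonomy/Connected Backup/Connected Backup.app
/Applications/Iron Mountain/Connected Backup/Connected Backup.app
/Library/AgentService/AgentService'

# installed_candidates ROOT: print each candidate path that exists under ROOT
# (pass "" for the live system). Pure function so it can be tested offline.
installed_candidates() {
  printf '%s\n' "$CANDIDATES" | while IFS= read -r path; do
    if [ -n "$path" ] && [ -e "$1$path" ]; then
      printf '%s\n' "$path"
    fi
  done
}

# add_exceptions: approve every installed candidate. Adding an app that is
# already approved is harmless, so running this daily is safe.
add_exceptions() {
  installed_candidates "" | while IFS= read -r app; do
    echo "allowing $app"
    "$SFW" --add "$app"
  done
}

# firewall_is_on: ask socketfilterfw instead of trusting the plist value.
firewall_is_on() {
  "$SFW" --getglobalstate | grep -q "enabled"
}

# enable_firewall: turn the firewall on, then verify by reading the state back
# rather than relying on the exit code; returns 1 if the change did not take.
enable_firewall() {
  "$SFW" --setglobalstate on >/dev/null
  firewall_is_on
}

main() {
  if firewall_is_on; then
    echo "FW on, exiting"
    return 0
  fi
  echo "FW off, adding exceptions and enabling"
  add_exceptions
  enable_firewall || { echo "firewall did not enable, check policy log" >&2; return 1; }
}

# Only act when the macOS firewall tool is present, so the functions above can
# be sourced or tested on another platform without touching anything.
if [ -x "$SFW" ]; then
  main
fi
```

Run it as root from a Jamf policy scoped by the same "firewall off" extension attribute; a non-zero exit (the firewall still reporting disabled after --setglobalstate on) surfaces in the policy log, which the plist write in the original script cannot tell you.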
Posted on 07-31-2015 01:01 PM
No, the native application firewall won't affect JSS communication; the connection is heading outbound from the system. There are no incoming connections from the JSS.
We turn on the firewall for all systems with no issues. If you have any apps that require exceptions (that prompt for approval) you can add them with a script. For example, I add an exception for Lync before I turn on the firewall:
/usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Microsoft Lync.app"
Posted on 07-31-2015 01:18 PM
@alexjdale did you write a script that turns the firewall on? If so, what is it?
So the enrolled client communicates outward to the JSS in all its communication, such as when performing recurring check-in, logout/login policies, etc.?
Software installation via Casper will not be affected with the firewall ON? This is not considered an inbound connection?
Posted on 08-02-2015 09:17 AM
Thanks @alexjdale, I picked apart your script, removing the approved applications stuff. Also created an extension attribute that, when it's 0, the inventory display will tell me the firewall is OFF, or if 1, the firewall is ON.
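An added example of such an extension attribute (not the poster's own script): it reports the firewall state in the &lt;result&gt; form Jamf stores for an extension attribute, asks socketfilterfw --getglobalstate first and only falls back to the com.apple.alf plist value, and reports UNKNOWN rather than guessing when neither source answers. The assumption here is that --getglobalstate prints a line of the form "Firewall is enabled. (State = 1)"; the small parser below is what turns that line into the numeric state.

```shell
#!/bin/bash
# Added example, not the poster's extension attribute. Assumes the standard
# socketfilterfw location and its "Firewall is ... (State = N)" output line.

SFW="/usr/libexec/ApplicationFirewall/socketfilterfw"
ALF_PLIST="/Library/Preferences/com.apple.alf"

# parse_global_state LINE: pull the numeric state out of the --getglobalstate
# line; prints nothing if the line does not carry one.
parse_global_state() {
  printf '%s\n' "$1" | sed -n 's/.*State = \([0-9][0-9]*\)).*/\1/p'
}

# state_to_label N: 0 = OFF, 1 = ON, 2 = ON with all incoming blocked. Anything
# else (command failed, key missing) is reported as UNKNOWN, so a broken read
# never shows up in inventory as a firewall that is on.
state_to_label() {
  case "$1" in
    0) echo "OFF" ;;
    1) echo "ON" ;;
    2) echo "ON-BLOCK-ALL" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# read_global_state: ask socketfilterfw first; fall back to the plist if the
# binary is missing. Empty output means neither source answered.
read_global_state() {
  state=""
  if [ -x "$SFW" ]; then
    state=$(parse_global_state "$("$SFW" --getglobalstate 2>/dev/null)")
  fi
  if [ -z "$state" ]; then
    state=$(defaults read "$ALF_PLIST" globalstate 2>/dev/null)
  fi
  printf '%s\n' "$state"
}

# ea_result: the exact string Jamf stores for the attribute.
ea_result() {
  printf '<result>%s</result>\n' "$(state_to_label "$(read_global_state)")"
}

ea_result
```

Scoping the enforcement policy to a smart group built on this attribute equalling OFF gives the daily remediation the poster describes; the separate UNKNOWN value is worth its own smart group, since it points at machines where the check itself is failing.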