MacOS Firewall

tdenton
Contributor II

Hello

Hoping someone can point in the right direction.
I'm in the process of updating our security baselines; we settled on using CIS Level 2.

Things are going well so far with no major issues.

I noticed our updated firewall config has cut off the ability to screen share using VNC. I think I just need to add allow com.apple.ScreenSharing under this section. Does anyone have the bundle ID for com.apple.ScreenSharing, or know how to find it?

I would normally run something similar to this https://www.hexnode.com/mobile-device-management/help/how-to-find-the-bundle-id-of-an-application-on... but it only seems to work for apps. I don't think it would work here as this is not an app.

Thanks


Valcovish
New Contributor III

Even though Screen Sharing (VNC) is a system service rather than a standard app, it still has a bundle identifier that can be used for firewall exceptions. The bundle ID you need to allow for macOS Screen Sharing (VNC) is:

com.apple.screensharing

To verify this or find other bundle IDs for system services, you can use the following command in Terminal:

osascript -e 'id of app "Screen Sharing"'

Alternatively, you can check system services using:

systemextensionsctl list

Since you are working with CIS Level 2, ensure that your firewall settings allow inbound connections for com.apple.screensharing so that VNC connections can function properly without compromising security.

Let me know if you need any further clarification!

jamf-42
Valued Contributor III

@Valcovish this is a timely post. We had the FW set to Block all incoming, but that of course can cause issues. But (as my memory and Google fu are lacking today) if you specify an allowed app (and disable the block incoming), does that allow all incoming or only what you specify?

Valcovish
New Contributor III

If Block all incoming connections is enabled, it prevents all unsolicited inbound traffic, including services like file sharing, screen sharing, and remote management, even if they are explicitly allowed in the firewall settings.

However, if Block all incoming connections is disabled, the firewall will allow only the apps and services explicitly permitted in the rules. It does not open everything by default—only what you specify. So, if you allow a specific app, only that app will receive inbound traffic while the rest remain blocked.

So this is correct once I figure out what apps need to be allowed.

@Valcovish 

Looks like I'm still missing some services for this.
Looking at my old firewall profile, these were all enabled, I'm assuming by a separate profile as they're not in the firewall profile.

I think there are other services missing from this list, just not sure what.

Valcovish
New Contributor III

Run this in Terminal to check the allowed firewall apps/services on a working machine.

/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

Look for Remote Login (SSH), Remote Management, Screen Sharing, or ARDAgent.

• If missing, they're not explicitly allowed.

• If blocked, update your configuration profile to allow them.
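As an added example (not posted by anyone in this thread), here is a small POSIX sh helper that parses the output format of socketfilterfw --listapps and reports which listed entries are explicitly allowed, so the check above can be scripted across a fleet. The SAMPLE_LISTAPPS text is constructed to mirror the format quoted later in the thread; on a real Mac the real listing is substituted when the binary is present.

```shell
#!/bin/sh
# Added example: parse "socketfilterfw --listapps" output and report which
# entries the macOS Application Firewall explicitly allows.
# The listing below is CONSTRUCTED sample data in the same shape as the
# real tool's output (an "N :  path" line followed by a status line).
SAMPLE_LISTAPPS='ALF: total number of apps = 2

1 :  /System/Library/CoreServices/RemoteManagement/ARDAgent.app

  ( Allow incoming connections )

2 :  /Applications/Example.app

  ( Block incoming connections )
'

# alf_allowed_paths LISTING
# Print one path per line for every entry whose status line says
# "Allow incoming connections"; entries marked Block are skipped.
alf_allowed_paths() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+ :/ { sub(/^[0-9]+ :[ \t]*/, ""); path = $0; next }
        /Allow incoming connections/ && path != "" { print path; path = "" }
        /Block incoming connections/ { path = "" }
    '
}

# alf_service_allowed NAME LISTING
# Exit 0 if an allowed entry's path contains NAME (e.g. ARDAgent), else 1.
alf_service_allowed() {
    alf_allowed_paths "$2" | grep -qF -- "$1"
}

# Use the live listing when the real tool exists (macOS); otherwise fall
# back to the constructed sample so the script also runs elsewhere.
ALF_BIN=/usr/libexec/ApplicationFirewall/socketfilterfw
if [ -x "$ALF_BIN" ]; then
    LISTING=$("$ALF_BIN" --listapps)
else
    LISTING=$SAMPLE_LISTAPPS
fi

echo "Explicitly allowed entries:"
alf_allowed_paths "$LISTING"
for svc in ARDAgent screensharingd; do
    if alf_service_allowed "$svc" "$LISTING"; then
        echo "$svc: allowed"
    else
        echo "$svc: not explicitly allowed"
    fi
done
```

To check a fleet, run it through your management tool and collect the "not explicitly allowed" lines; an empty allow list with Block all incoming disabled means the profile is not adding the entries you expect.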

AJPinto
Esteemed Contributor

I advise against using Jamf for this. You will need to whitelist every single service you need to go through the firewall which is a massive chore within the MDM framework. Instead get a proper security tool that manages the OS firewall and let that manage the firewall on the device.


Valcovish
New Contributor III

I totally agree with you on this. In my environment, we use Zscaler, which already covers a lot of bases when it comes to security. However, having the firewall as an additional layer of control can be useful—especially if you’re managing a smaller inventory where fine-tuning firewall settings is more feasible. But if you’re dealing with thousands of machines and an equal number of services and apps, managing this through Jamf alone would be a nightmare. In that case, a dedicated security tool makes much more sense.

tdenton
Contributor II

/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

ALF: total number of apps = 2

2 :  /System/Library/CoreServices/RemoteManagement/ARDAgent.app

  ( Allow incoming connections )

Just getting the above @Valcovish, so it appears ARDAgent.app needs to be allowed.

This is all that is listed on a machine that is working for VNC, but it still doesn't seem to work. I wondered if I have other issues, as if I remove the firewall I still can't connect. I need to have a look in the lab tomorrow to see what is happening on the machine.

Valcovish
New Contributor III

Awesome, you know what to do, let me know how it goes.

tdenton
Contributor II

@Valcovish @jamf-42 

I was missing this tick box, which is part of my base restrictions.

This adds the following into my firewall rules.

While I haven't allowed it here, it does seem to work, but only if Control incoming connections for specific apps is set. I assume because screensharingd.bundle is part of some app for screen sharing.

Many thanks for your assistance in figuring this out @Valcovish