Managing Firewall using Jamf Pro and allowing built in Apple software

New Contributor

I have been asked to implement Jamf to manage the local Firewall - security would like the Firewall to be enabled, user restricted from making changes, and block all incoming connections ASIDE from built in Apple or signed software. I can do this locally by just making sure the right buttons are selected, but when managing this through Jamf there is no way to allow built in Apple software. These services would include AirDrop, AirPlay and hand off from iOS devices to macOS. Jamf has two options: block ALL incoming connections (which prevents AirPlay etc) and "Control incoming connections for specific apps". The second option allows the user to select whether to allow or deny an incoming connection - and the message doesn't convey that the connection they are allowing is actually related to AirPlay, so I foresee a lot of tickets as a result.

I've done googling for this and it looks like this used to be able to be fixed with scripting, but that isn't an option since Monterey dropped. How are y'all managing your Firewall settings with Monterey & Ventura?


Contributor II

You may need to review the pf firewall commands. There is a JNUC video floating around and a slack channel

Valued Contributor II

May want to try and use your own upload of the  There are key's for allowing signed and built-in apps. 

Contributor III

For consideration, would a restriction profile disabling AirDrop, AirPlay, HandOff directly be an easier approach.