Preventing the end-user from disabling Firewall and FileVault 2

New Contributor III

So I have recently run into an issue that seems like it should be an obvious problem for others, yet I haven't found much on it online.

I wrote a script to enable the firewall with the settings I would like, as well as set remote management/SSH and screen sharing for only the local administrator account. The script works perfectly, and now I wanted to be able to make sure that end-users cannot modify firewall settings. While I'm at it, I'd also love to make it so that end users cannot disable FileVault 2.

The only pre-packaged option I've found in the JSS is to disable the entire Security & Privacy section in system preferences with a restriction in the Configuration Profiles area. I do not want to do this, as users often need access to the Privacy tab within the Security & Privacy System Preferences pane (often in the Accessibility and Location Services sections).

I have looked at this post, but wasn't able to get anything to work (toggling the on/off for the firewall doesn't seem to change any preferences aside from the one in /Library/Preferences/, and I still was not able to use that file to create a custom configuration profile).

Has anyone ever figured out how to do this?



New Contributor III

I figured this was implied, but as an afterthought realized I should explicitly mention that many of our users have the ability to grant themselves administrator privileges. Thus, a configuration profile is the optimal solution for this, but any and all ideas are welcome!

Valued Contributor II

A custom configuration profile with the domain of "" and a key of {dontAllowFDEDisable=true} will do the trick for FV2.

New Contributor III

Thanks @dgreening ! That definitely solved the FileVault 2 piece. Admittedly, I did not search for that piece, but I really appreciate your response.

Thanks! Just need to figure out the software firewall now.

New Contributor III

Bump... Any ideas out there for the firewall?

New Contributor

We now find ourselves in this exact situation with the firewall. Everyone's an admin so how to keep the firewall from being turned off.

I tried pushing out a custom configuration profile against the plist.

First I had to copy the plist from Library/Preferences of any machine, then use plutil -convert xml1 to make the plist editable from text edit. Then I just make sure to include just the settings I want, mainly the:

<key>globalstate</key> <integer>1</integer> <key>loggingenabled</key> <integer>1</integer>

Except I can't get that to format correctly, but you get the idea.

Then I saved it, and uploaded it to the Custom Settings option in the Config Profile tab. However, when I tested it, it seemed to enable the firewall, but as soon as I "Click the lock to make changes." the firewall turned off without me actually clicking to do so, and now I can't get the profile to do anything.

Again, running a script that turns the firewall on is fine, and using smart groups and an extension attribute to audit what firewalls are on is great, but would be very nice to have this locked down.

Consider this bumped!