Posted on 09-29-2016 02:03 PM
Prior to OS X 10.12, we had a Security and Privacy payload with no firewall options configured. Users with admin rights could authenticate and disable the firewall or change its options as needed. We then enabled the firewall via Policy and a script each day, for any computers that had it off. This left firewalls disabled for no more than a day.
Under 10.12 with JSS 9.96, and a Security and Privacy payload with no firewall options configured, the Firewall is set as disabled in the UI, and overriding via authentication is not possible.
By my read, this means setting ANY Security and Privacy Payload means the Firewall can ONLY be managed via Casper / Configuration Profiles moving forward.
I.e., the change here: https://jamfnation.jamfsoftware.com/featureRequest.html?id=3230 does more than add application-level connections; it changes the level of control/modification available to admin users.
If that's correct, perhaps a custom Configuration Profile can return our previous behavior?
Thanks.