Struggling quite a bit with the Firewall features in JAMF and I'm wondering how others are working with or around it. The configuration options are very basic: either "Block Everything" or "Control incoming connections for specific apps", which looks like you'd then need to populate the list with any application that could possibly receive incoming connections, which seems like an impossible task. Also, if you have a policy applied to the machine with the Firewall payload, it's locked to whether that policy says the Firewall is enabled or not.
In our environment, we do not allow incoming connections nor server services to be running on user workstations. Being able to easily block this with a policy is nice, but then we have cases where someone wants to use AirPlay which needs incoming connections to work.
Given that the configuration options are extremely poor, how do you manage the firewall to have some control over what is allowed through without pushing that responsibility to the user?
This is one of those things that's still better managed via script.
My own settings are below, but if the goal was to only allow explicitly approved apps inbound you would use:
--setallowsigned off --setallowsignedapp off
I believe that for AirPlay to work, however, you'll have to at least set the --setallowsigned flag to on. The AirPlay executable is SIP protected, so there is little to no risk of it being compromised.
Setting this as an ongoing startup policy would enforce your desired state and also allow your users to make temporary changes.
#!/usr/bin/env bash
# Usage summary from socketfilterfw, kept for reference:
# socketfilterfw [-hdlk] [--getglobalstate] [--setglobalstate on | off] [--getblockall]
#                [--setblockall on | off] [--listapps] [--getappblocked path] [--blockapp path]
#                [--unblockapp path] [--add path] [--remove path] [--getallowsigned]
#                [--setallowsigned] [--setallowsignedapp] [--getstealthmode]
#                [--setstealthmode on | off] [--getloggingmode] [--setloggingmode on | off]
#                [--getloggingopt] [--setloggingopt throttled | brief | detail]

# Turn the firewall on, let signed (built-in and downloaded) apps accept inbound
# connections automatically, and log allowed/blocked connections in brief form.
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt brief
I would note, this allows more than just AirPlay. The settings, shown below, also allow automatic approval for incoming connections by any signed application. Per Apple (https://support.apple.com/en-us/HT202944) AirPlay just needs ports 80, 443, 554, 3689, and 5353. I'm looking to see if there's a way to limit to just AirPlay/those ports instead so, as an example, SSH isn't opened up as well.
--setallowsigned Set whether built-in signed applications are to automatically receive incoming connections or not.
--setallowsignedapp Set whether downloaded signed applications are to automatically receive incoming connections or not.
This trick worked great until this week, when I got an M1 Pro, DEP-enrolled, Monterey MacBook on which it did not work at all.
When I tried the commands directly in the terminal, I got:
"Firewall settings cannot be modified from command line on managed Mac computers"
Anyone experiencing the same? We need to find another workaround :´-(
I am getting the same message when running 'socketfilterfw' on an Intel MBP with macOS 12.3.1 as well. I wonder if I need to disable the Configuration Profile with the Firewall settings and do all of the firewall settings & management via script? All we want to do is allow AirPlay (and maybe AirDrop) but block all other connections, but that is seemingly not as simple as it sounds.
Hi guys, the solution from @psliequ also worked for us until macOS Monterey with DEP-enrolled M1 MacBooks.
For now we decided to include a button in Self Service so that users are able to manually turn off the Firewall from Self Service in order to be able to AirPlay / screen share. (Policies > Files and Processes > Execute Command: defaults write /Library/Preferences/com.apple.alf globalstate -int 0).
We set up an additional policy that activates the Firewall again once every day (defaults write /Library/Preferences/com.apple.alf globalstate -int 1).
Hope it helps.
I may have some sort of fix to this, piggybacking off of @psliequ's script. This needs to run on a Mac that does not have the Firewall setting managed; it has worked on devices that did not have a Firewall configuration profile installed:
#!/bin/sh
# Usage summary from socketfilterfw, kept for reference:
# socketfilterfw [-hdlk] [--getglobalstate] [--setglobalstate on | off] [--getblockall]
#                [--setblockall on | off] [--listapps] [--getappblocked path] [--blockapp path]
#                [--unblockapp path] [--add path] [--remove path] [--getallowsigned]
#                [--setallowsigned] [--setallowsignedapp] [--getstealthmode]
#                [--setstealthmode on | off] [--getloggingmode] [--setloggingmode on | off]
#                [--getloggingopt] [--setloggingopt throttled | brief | detail]

# Apply the desired state in a single call: firewall on, not in block-all mode,
# signed apps allowed inbound, logging on, stealth mode off.
sudo /usr/libexec/ApplicationFirewall/socketfilterfw \
    --setblockall off \
    --setallowsigned on \
    --setallowsignedapp on \
    --setloggingmode on \
    --setstealthmode off \
    --setglobalstate on

# For use with an extension attribute and smart group: record that the script ran,
# then update inventory so the smart group membership is recalculated.
defaults write /Library/Preferences/com.firewallScript.plist scriptWasRun -bool YES
jamf recon
Then I have an extension attribute that checks whether the script has run:
#!/bin/sh
# Extension attribute: reports whether the firewall script has run.
# `defaults read` prints 1 for a boolean YES; it fails (empty value) if the key was never written,
# so the read is quoted and any value other than 1 (0, empty, garbage) reports NO.
status=$(defaults read /Library/Preferences/com.firewallScript.plist scriptWasRun 2>/dev/null)
if [ "$status" = "1" ]; then
    echo "<result>YES</result>"
else
    echo "<result>NO</result>"
fi
I created a smart group for this extension attribute, which my new Firewall profile is scoped to. The profile only restricts users from making any changes to their Firewall settings; it doesn't enforce anything else. With any luck, this script will make the settings we want, and then Jamf will lock it down.
I wish this was just an option in the GUI.
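The remediate-then-report pattern from the posts above, as an added example that is not code from any poster or from Jamf: one script that applies the desired socketfilterfw state, recognises the "cannot be modified from command line on managed Mac computers" refusal instead of silently recording success, and reports actual compliance (com.apple.alf globalstate plus the last remediation outcome) as the extension attribute. The marker plist name comes from the thread; the "lastOutcome" key and the remediate/report arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run with "remediate" from a policy and
# with "report" as an extension attribute. Paths are the ones the thread uses.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
ALF=/Library/Preferences/com.apple.alf
MARKER=/Library/Preferences/com.firewallScript.plist   # marker plist from the thread

# Classify a socketfilterfw run from its exit status and captured stderr, so a Mac
# whose firewall is locked by a configuration profile is reported as "blocked".
classify_result() {  # $1 exit status, $2 stderr text
    case "$2" in
        *"cannot be modified from command line on managed Mac computers"*) echo blocked ;;
        *) if [ "$1" -eq 0 ]; then echo applied; else echo failed; fi ;;
    esac
}

# Map com.apple.alf globalstate to a label: 0 = off, 1 = on (the thread's desired
# state), 2 = block all incoming; empty or unexpected values become "unknown".
globalstate_label() {
    case "$1" in 0) echo off ;; 1) echo on ;; 2) echo blockall ;; *) echo unknown ;; esac
}

# Extension-attribute result: YES only when the firewall is on AND the last
# remediation actually applied; otherwise expose why, for a smart group to catch.
ea_result() {  # $1 globalstate, $2 last remediation outcome (may be empty)
    if [ "$(globalstate_label "$1")" = on ] && [ "$2" = applied ]; then
        echo "<result>YES</result>"
    else
        echo "<result>NO:$(globalstate_label "$1"):${2:-never}</result>"
    fi
}

# Apply the desired state in one call (same flags as the thread), keep only stderr,
# record the classified outcome for the report step.
remediate() {
    err=$("$SFW" --setglobalstate on --setblockall off --setallowsigned on \
          --setallowsignedapp on --setloggingmode on 2>&1 >/dev/null)
    rc=$?
    outcome=$(classify_result "$rc" "$err")
    defaults write "$MARKER" lastOutcome -string "$outcome"
    echo "$outcome"
}

case "${1:-}" in
    remediate) remediate ;;
    report) ea_result "$(defaults read "$ALF" globalstate 2>/dev/null)" \
                      "$(defaults read "$MARKER" lastOutcome 2>/dev/null)" ;;
esac
```

Scoping the lock-down profile to a smart group on `<result>YES</result>` keeps Macs that came back "blocked" or "NO:off:never" out of the locked state until someone looks at them.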