Posted on 12-18-2018 01:00 AM
Hello,
Struggling quite a bit with the Firewall features in JAMF and I'm wondering how others are working with or around it. The configuration options are very basic: either Block Everything or Control incoming connections for specific apps, which looks like you'd then need to populate the list with any application that could possibly receive an incoming connection, which seems like an impossible task. Also, if you have a policy applied to the machine with the Firewall payload, it's locked to whether that policy says the Firewall is enabled or not.
In our environment, we do not allow incoming connections nor server services to be running on user workstations. Being able to easily block this with a policy is nice, but then we have cases where someone wants to use AirPlay which needs incoming connections to work.
Allowing 1 application through the firewall does not appear to be an option so the alternative is to not apply the Security and Privacy policy to their machine. Definitely not a good solution considering the other settings this configures.
Given that the configuration options are extremely poor, how do you manage the firewall to have some control over what is allowed through without pushing that responsibility to the user?
Posted on 05-30-2019 07:39 AM
@mpi Did you ever hear back about this? I'm seeing the same issue now. Just curious if you found a resolution.
Posted on 05-30-2019 08:08 AM
This is one of those things that's still better managed via script.
My own settings are below, but if the goal was to only allow explicitly approved apps inbound you would
--setallowsigned off
--setallowsignedapp off
I believe that for AirPlay to work however you'll have to at least set the --setallowsigned flag to on. The AirPlay executable is SIP protected so there is little to no risk of it being compromised.
Setting this as an ongoing startup policy would enforce your desired state and also allow your users to make temporary changes.
#!/usr/bin/env bash
# socketfilterfw [-hdlk] [--getglobalstate] [--setglobalstate on | off] [--getblockall]
# [--setblockall on | off] [--listapps] [--getappblocked path] [--blockapp path]
# [--unblockapp path] [--add path] [--remove path] [--getallowsigned]
# [--setallowsigned] [--setallowsignedapp] [--getstealthmode]
# [--setstealthmode on | off] [--getloggingmode] [--setloggingmode on | off]
# [--getloggingopt] [--setloggingopt throttled | brief | detail]
# Turn the application firewall on, let signed apps (built-in and downloaded)
# accept incoming connections automatically, and keep brief logging enabled.
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt brief
Posted on 05-06-2020 08:33 AM
Works well, thx psliequ
Posted on 09-09-2020 11:10 AM
I would note, this allows more than just AirPlay. The settings, shown below, also allow automatic approval for incoming connections by any signed application. Per Apple (https://support.apple.com/en-us/HT202944) AirPlay just needs ports 80, 443, 554, 3689, and 5353. I'm looking to see if there's a way to limit to just AirPlay/those ports instead so, as an example, SSH isn't opened up as well.
--setallowsigned Set whether built-in signed applications are to automatically receive incoming connections or not.
--setallowsignedapp Set whether downloaded signed applications are to automatically receive incoming connections or not.
References: http://www.manpagez.com/man/8/socketfilterfw/
Posted on 12-09-2021 04:27 AM
Hi Matt, did you ever find a way to just allow AirPlay bypassing the Firewall?
Posted on 09-11-2020 02:26 AM
Yeah, that's the issue I have also. I don't want to allow all signed inbound services access, just specific ones. Does not appear there's a good way to do that.
Posted on 03-21-2021 10:41 PM
Hi all,
Just wondering if you have this issue solved with an alternative to the mentioned script?
Thank you,
Posted on 01-13-2022 03:36 AM
This trick worked great until this week, when I got an M1 Pro, DEP-enrolled, Monterey MacBook on which it did not work at all.
When I tried the commands directly in the Terminal, I got:
"Firewall settings cannot be modified from command line on managed Mac computers"
Anyone experiencing the same? We need to find another workaround :´-(
Posted on 04-26-2022 11:36 AM
I am getting the same message when running 'socketfilterfw' on an Intel MBP with macOS 12.3.1 as well. I wonder if I need to disable the Configuration Profile with the Firewall settings and do all of the firewall settings & management via script? All we want to do is allow AirPlay (and maybe AirDrop) but block all other connections - but that is not seemingly as simple as it sounds.
Posted on 05-27-2022 06:06 AM
Were you able to find solutions for this issue?
Posted on 05-27-2022 06:40 AM
Hi guys, the solution from @psliequ also worked for us until macOS Monterey with DEP enrolled M1 Macbooks.
As for now we decided to include a button on the Self Service so that users are able to manually turn off the Firewall from the Self Service in order to be able to AirPlay / ScreenShare. (Policies > Files and Processes > Execute Command: defaults write /Library/Preferences/com.apple.alf globalstate -int 0).
We set up an additional policy that activates the Firewall again once every day (defaults write /Library/Preferences/com.apple.alf globalstate -int 1)
Hope it helps.
Posted on 07-25-2022 12:59 PM
itcrowd,
First policy works, but the second one that turns the firewall back on does not. What is the trigger for the second policy?
Thanks!
Posted on 07-26-2022 01:42 AM
For the second policy we have as a trigger: recurrent check-in and as Execution Frequency: Once every day.
Posted on 04-20-2023 05:17 AM
I may have some sort of fix to this, piggybacking off of @psliequ's script. This needs to run on a Mac that does not have a Firewall setting managed, but it has worked on devices that did not have a Firewall configuration profile installed:
#!/bin/sh
# socketfilterfw [-hdlk] [--getglobalstate] [--setglobalstate on | off] [--getblockall]
# [--setblockall on | off] [--listapps] [--getappblocked path] [--blockapp path]
# [--unblockapp path] [--add path] [--remove path] [--getallowsigned]
# [--setallowsigned] [--setallowsignedapp] [--getstealthmode]
# [--setstealthmode on | off] [--getloggingmode] [--setloggingmode on | off]
# [--getloggingopt] [--setloggingopt throttled | brief | detail]
# Apply the desired state in a single call. This only succeeds while no Firewall
# configuration profile is installed; on a managed Mac socketfilterfw refuses with
# "Firewall settings cannot be modified from command line on managed Mac computers".
# --setallowsigned on is what lets built-in signed apps such as AirPlay accept connections.
sudo /usr/libexec/ApplicationFirewall/socketfilterfw \
    --setblockall off \
    --setallowsigned on \
    --setallowsignedapp on \
    --setloggingmode on \
    --setstealthmode off \
    --setglobalstate on
# Record that the script ran, for use with an extension attribute and smart group
defaults write /Library/Preferences/com.firewallScript.plist scriptWasRun -bool YES
# Update inventory now so the smart group (and the profile scoped to it) picks this up
jamf recon
Then I have an extension attribute that checks whether the script has run:
#!/bin/sh
# Read the marker written by the firewall script; fall back to 0 if the file or key is missing
status=$(defaults read /Library/Preferences/com.firewallScript.plist scriptWasRun 2>/dev/null || echo 0)
# Quote the variable and use POSIX "=" so an empty value cannot break the test
if [ "$status" = "1" ]; then
    echo "<result>YES</result>"
else
    echo "<result>NO</result>"
fi
I created a smart group for this extension attribute, which my new Firewall profile is scoped to. The profile only restricts users from making any changes to their Firewall settings, it doesn't enforce anything else. With any luck, this script will make the settings we want, and then Jamf will lock it down.
I wish this was just an option in the GUI.
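Building on the extension attribute in the post above and on the Self Service on/off toggle earlier in the thread, here is an added example (not from any poster) of an extension attribute that reports the firewall's actual state rather than whether a script ran, so a smart group can catch a Mac whose firewall is off before the daily re-enable policy fires. The socketfilterfw output wording it parses is an assumption based on the tool's usual text, and the compliance rule (firewall on, built-in signed apps allowed) is an assumed policy.

```shell
#!/bin/sh
# Jamf extension attribute (added example, not from the thread): report the
# firewall's real state so a smart group sees drift, e.g. after a user turned
# it off through Self Service. Only read-only socketfilterfw calls are used;
# the output wording matched below is an assumption based on the tool's usual text.

# Classify one line of socketfilterfw getter output as on, off or unknown.
fw_flag() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *disabled*|*"state = 0"*) echo off ;;
        *enabled*|*"state = 1"*)  echo on ;;
        *)                        echo unknown ;;
    esac
}

# Assumed compliance rule: firewall on and built-in signed apps allowed (the
# AirPlay case from the thread). Stealth mode is reported but not enforced.
fw_result() {
    global="$1"; signed="$2"; stealth="$3"
    if [ "$global" = on ] && [ "$signed" = on ]; then
        echo "COMPLIANT global=$global signed=$signed stealth=$stealth"
    else
        echo "DRIFT global=$global signed=$signed stealth=$stealth"
    fi
}

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
# Only query the live firewall where the tool exists (i.e. on a Mac).
if [ -x "$SFW" ]; then
    global=$(fw_flag "$("$SFW" --getglobalstate 2>/dev/null)")
    # --getallowsigned prints two lines; the first covers built-in signed software.
    signed=$(fw_flag "$("$SFW" --getallowsigned 2>/dev/null | head -n 1)")
    stealth=$(fw_flag "$("$SFW" --getstealthmode 2>/dev/null)")
    echo "<result>$(fw_result "$global" "$signed" "$stealth")</result>"
fi
```

Scope a smart group on the attribute starting with DRIFT and use it to trigger the re-enable policy on the next check-in instead of waiting for the once-a-day run.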