Trick to allow AirPlay when Firewall Blocks All Incoming Connections?

mpi
New Contributor III

Hello,

Struggling quite a bit with the Firewall features in JAMF and I'm wondering how others are working with or around it. The configuration options are very basic: either Block Everything or Control incoming connections for specific apps, which looks like you'd then need to populate the list with any application that could possibly receive an incoming connection, which seems like an impossible task. Also, if you have a policy applied to the machine with the Firewall payload, it's locked to whether that policy says the Firewall is enabled or not.

In our environment, we do not allow incoming connections nor server services to be running on user workstations. Being able to easily block this with a policy is nice, but then we have cases where someone wants to use AirPlay which needs incoming connections to work.

Allowing 1 application through the firewall does not appear to be an option so the alternative is to not apply the Security and Privacy policy to their machine. Definitely not a good solution considering the other settings this configures.

Given that the configuration options are extremely poor, how do you manage the firewall to have some control over what is allowed through without pushing that responsibility to the user?


smitty1923
New Contributor II

@mpi Did you ever hear back about this? I'm seeing the same issue now. Just curious if you found a resolution.

psliequ
Contributor III

This is one of those things that's still better managed via script.
My own settings are below, but if the goal was to only allow explicitly approved apps inbound you would

--setallowsigned off
--setallowsignedapp off

I believe that for AirPlay to work however you'll have to at least set the --setallowsigned flag to on. The AirPlay executable is SIP protected so there is little to no risk of it being compromised.

Setting this as an ongoing startup policy would enforce your desired state and also allow your users to make temporary changes.

#!/usr/bin/env bash

#  socketfilterfw [-hdlk] [--getglobalstate] [--setglobalstate on | off] [--getblockall]
#                     [--setblockall on | off] [--listapps] [--getappblocked path] [--blockapp path]
#                     [--unblockapp path] [--add path] [--remove path] [--getallowsigned]
#                     [--setallowsigned] [--setallowsignedapp] [--getstealthmode]
#                     [--setstealthmode on | off] [--getloggingmode] [--setloggingmode on | off]
#                     [--getloggingopt] [--setloggingopt throttled | brief | detail]

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt brief

JamelB
New Contributor III

Works well, thx psliequ

mattsvensson
New Contributor

I would note, this allows more than just AirPlay. The settings, shown below, also allow automatic approval for incoming connections by any signed application. Per Apple (https://support.apple.com/en-us/HT202944) AirPlay just needs ports 80, 443, 554, 3689, and 5353. I'm looking to see if there's a way to limit to just AirPlay/those ports instead so, as an example, SSH isn't opened up as well.

--setallowsigned Set whether built-in signed applications are to automatically receive incoming connections or not.

--setallowsignedapp Set whether downloaded signed applications are to automatically receive incoming connections or not.

References: http://www.manpagez.com/man/8/socketfilterfw/

Hi Matt, did you ever find a way to just allow AirPlay bypassing the Firewall?

mpi
New Contributor III

Yeah, that's the issue I have also. I don't want to allow all signed inbound services access, just specific ones. Does not appear there's a good way to do that.

Not applicable

Hi all,

Just wondering if you have this issue solved with an alternative to the mentioned script?

Thank you,

itcrowd
New Contributor

This trick worked great until this week I got an M1 Pro - DEP enrolled - Monterey MacBook in which it did not work at all.

When tried the commands directly on the terminal, I got: 
"Firewall settings cannot be modified from command line on managed Mac computers"

Anyone experiencing the same? We need to find out another workaround :´-(

I am getting the same message when running 'socketfilterfw' on an Intel MBP with macOS 12.3.1 as well. I wonder if I need to disable the Configuration Profile with the Firewall settings and do all of the firewall settings & management via script? All we want to do is allow AirPlay (and maybe AirDrop) but block all other connections - but that is not seemingly as simple as it sounds.

kaanfu
New Contributor

Were you able to find solutions for this issue?

itcrowd
New Contributor

Hi guys, the solution from @psliequ also worked for us until macOS Monterey with DEP enrolled M1 Macbooks.

As for now we decided to include a button on the Self-Service so that users are able to manually turn off the Firewall from the Self-Service in order to be able to AirPlay / ScreenShare. (Policies > Files and Processes > Execute Command: defaults write /Library/Preferences/com.apple.alf globalstate -int 0).

We set up an additional policy that activates the Firewall again once every day (defaults write /Library/Preferences/com.apple.alf globalstate -int 1) 

Hope it helps. 

tomshimmin1
New Contributor II

itcrowd,

First policy works, but the second one that turns the firewall back on does not. What is the trigger for the second policy?

Thanks!

For the second policy we have as a trigger: recurrent check-in and as Execution Frequency: Once every day. 

MikaelDez
Contributor

I may have some sort of fix to this, piggybacking off of @psliequ's script. This needs to run on a Mac that does not have a Firewall setting managed, but it has worked on devices that did not have a Firewall configuration profile installed:

#!/bin/sh

#  socketfilterfw [-hdlk] [--getglobalstate] [--setglobalstate on | off] [--getblockall]
#                     [--setblockall on | off] [--listapps] [--getappblocked path] [--blockapp path]
#                     [--unblockapp path] [--add path] [--remove path] [--getallowsigned]
#                     [--setallowsigned] [--setallowsignedapp] [--getstealthmode]
#                     [--setstealthmode on | off] [--getloggingmode] [--setloggingmode on | off]
#                     [--getloggingopt] [--setloggingopt throttled | brief | detail]

sudo /usr/libexec/ApplicationFirewall/socketfilterfw \
--setblockall off \
--setallowsigned on \
--setallowsignedapp on \
--setloggingmode on \
--setstealthmode off \
--setglobalstate on

#For use with an extension attribute and smart group
defaults write /Library/Preferences/com.firewallScript.plist scriptWasRun -bool YES

jamf recon

Then I have an extension attribute that checks whether the script has run:

#!/bin/sh

# Read the marker the firewall script writes. Suppress the error from
# `defaults read` when the plist or key does not exist yet, so $status is
# simply empty instead of the script aborting with a syntax error.
status=$(defaults read /Library/Preferences/com.firewallScript.plist scriptWasRun 2>/dev/null)

# Quote the variable so the test stays valid when it is empty, and use a
# single '=' since this runs under POSIX /bin/sh. Anything other than "1"
# (including a missing plist) reports NO, so the smart group stays accurate.
if [ "$status" = "1" ]; then
	echo "<result>YES</result>"
else
	echo "<result>NO</result>"
fi

I created a smart group for this extension attribute, which my new Firewall profile is scoped to. The profile only restricts users from making any changes to their Firewall settings, it doesn't enforce anything else. With any luck, this script will make the settings we want, and then Jamf will lock it down.

I wish this was just an option in the GUI.
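One way to address both mattsvensson's concern (that --setallowsignedapp opens far more than AirPlay) and the "script was run" marker above: an extension attribute that reports what socketfilterfw actually says, as an added example that is not code from any post in this thread. It assumes the socketfilterfw --get* queries print one status line per setting containing the word ENABLED or DISABLED (the sample output below is constructed to that shape); the parsing functions take that text as an argument so they can be exercised without the binary.

```shell
#!/bin/sh
# Added example, not from this thread. Reports the effective Application
# Firewall posture as a Jamf extension attribute. Only main() touches the
# real binary; everything else works on the captured query output.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Map the status line selected by pattern $2 in output $1 to on/off/unknown.
# "disabled" is tested first so it is never misread as "enabled".
state_of() {
    line=$(printf '%s\n' "$1" | grep -i -- "$2" | head -n 1)
    case "$line" in
        *[Dd][Ii][Ss][Aa][Bb][Ll][Ee][Dd]*) echo off ;;
        *[Ee][Nn][Aa][Bb][Ll][Ee][Dd]*)     echo on ;;
        *)                                   echo unknown ;;
    esac
}

# Compact one-line summary, e.g. "global=on blockall=off builtin=on downloaded=on stealth=off".
summarise_firewall() {
    printf 'global=%s blockall=%s builtin=%s downloaded=%s stealth=%s\n' \
        "$(state_of "$1" '^Firewall is')" "$(state_of "$1" 'Block all')" \
        "$(state_of "$1" 'built-in')" "$(state_of "$1" 'downloaded')" \
        "$(state_of "$1" 'Stealth')"
}

# Intended posture from this thread: firewall on, built-in signed software
# (AirPlay) auto-allowed, downloaded signed apps NOT auto-allowed.
# Prints "compliant" or "noncompliant:" followed by each deviation.
audit_firewall() {
    s=$(summarise_firewall "$1")
    devs=""
    case "$s" in *global=on*)      ;; *) devs="$devs firewall-off" ;; esac
    case "$s" in *builtin=on*)     ;; *) devs="$devs airplay-blocked" ;; esac
    case "$s" in *downloaded=off*) ;; *) devs="$devs downloaded-apps-allowed" ;; esac
    [ -z "$devs" ] && echo compliant || echo "noncompliant:$devs"
}

# Constructed sample output (assumed shape of the real socketfilterfw lines).
SAMPLE='Firewall is enabled. (State = 1)
Block all DISABLED!
Automatically allow signed built-in software ENABLED
Automatically allow downloaded signed software ENABLED
Stealth mode disabled'

main() {
    out=$("$SFW" --getglobalstate --getblockall --getallowsigned --getstealthmode 2>&1)
    echo "<result>$(audit_firewall "$out") ($(summarise_firewall "$out"))</result>"
}
# Run against the Mac only when invoked with --run; otherwise show the sample.
if [ "${1:-}" = "--run" ]; then main; else audit_firewall "$SAMPLE"; fi
```

Scoping a smart group on results starting with "noncompliant" gives you the machines where the psliequ/MikaelDez workaround left downloaded signed apps (SSH included) auto-approved, without having to trust a marker plist.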