Unsuccessfully adding an application into our firewall config profile...

New Contributor III

Hi all,

Hopefully someone can give me some pointers on this one. I've been tasked with getting the firewall enabled on our macOS devices. I was running a basic config profile for a while and couldn't trigger any inbound alerts, but as soon as we enabled it on the wider estate there was one specific .app that was asking for inbound communication, which I thought was strange, as all signed apps should be enabled and all apps need to be signed to run on macOS, right???

Anyway, I tracked the binary down to...
"/Library/Application Support/projectstore/nwjs.app/Contents/Frameworks/nwjs Framework.framework/Versions/87.0.4200.88/Helpers/nwjs Helper (Renderer).app"

Running "codesign -dv" against that app gives me an identifier of "io.nwjs.nwjs.helper.renderer". This is the Bundle ID, right?

I've added the app name and Bundle ID to our firewall config profile and verified it's taken on a sample endpoint but I still get prompted for firewall access when I log in.

I can't help but feel I am just plain doing something wrong but I can't find any guides to detail exactly how I should be setting up these exemptions.

I need to get this implemented and documented for our other technicians but I'm failing to do it myself...

Any help / pointers would be welcome.



Honored Contributor III

My advice: do not use Jamf Pro for this. Apple has only built the most basic macOS firewall management into the MDM framework. You really need to be using a tool that is specifically designed to manage firewalls on the Security framework side. Use the right tool for the job or have a bad time, as they say.

New Contributor III

Dare I ask, if Jamf isn't the right tool for managing the macOS firewall, what is?

What tool would you recommend? I am trying to add firewall rules for some binaries we build in-house that are not signed.

Valued Contributor II

Sounds like you're doing the right thing. Are you running this in Terminal?

codesign -dr - /path/to/yourapp.app

Instead of getting the Bundle ID/Identifier for the binary, can you do it against the app? And then finally, did you select "Allowed" for the exception and push?
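As an added example (not from the thread, and not Jamf's or Apple's code), a small bash script that walks up from a helper binary to the enclosing top-level .app, reads the Identifier and TeamIdentifier with codesign, and checks socketfilterfw's rule list for that parent bundle; the helper function names are this example's own assumptions.

```bash
#!/bin/bash
# Added example: locate the outermost .app around a helper binary, read its
# code-signing identity, and see whether the Application Firewall already has
# an explicit rule for it.  codesign and socketfilterfw are Apple's tools; the
# functions below (topmost_app, parse_identifier, parse_team, check_app) are ours.

# Walk up a path and return the outermost *.app bundle that contains it.
topmost_app() {
  local p="$1" found=""
  while [ -n "$p" ] && [ "$p" != "/" ]; do
    case "$p" in *.app) found="$p" ;; esac
    p="${p%/*}"
  done
  printf '%s\n' "$found"
}

# Pull "Identifier=" / "TeamIdentifier=" out of codesign -dvvv output (on stderr).
parse_identifier() {          # stdin: codesign output
  sed -n 's/^Identifier=//p' | head -n1
}
parse_team() {                # unsigned or ad-hoc apps report "not set"
  sed -n 's/^TeamIdentifier=//p' | head -n1
}

# Live check (macOS only): prints bundle, identifier, team and rule status.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
check_app() {
  local helper="$1" app ident team
  app="$(topmost_app "$helper")"
  [ -n "$app" ] || { echo "no .app bundle in path: $helper" >&2; return 1; }
  ident="$(codesign -dvvv "$app" 2>&1 | parse_identifier)"
  team="$(codesign -dvvv "$app" 2>&1 | parse_team)"
  printf 'app:   %s\nident: %s\nteam:  %s\n' "$app" "${ident:-?}" "${team:-?}"
  # No TeamIdentifier means the "allow signed software" rule can never match,
  # so such an app needs an explicit entry in the firewall's rule list.
  if sudo "$SFW" --listapps | grep -Fq "$app"; then
    echo "firewall: explicit rule present for this bundle"
  else
    echo "firewall: no rule for this bundle"
  fi
}

if [ -n "${1:-}" ]; then check_app "$1"; fi
```

Run it as `sudo ./check_fw_app.sh "/path/to/helper.app"`; the path-walking and parsing functions work on any shell, the live check needs macOS.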


New Contributor III

I only did the binary, as this is what the actual firewall GUI was prompting for. I can try the parent .app also. It was definitely set to allow, and the client had received it, as there was a visible exclusion in the GUI added from Jamf.