In this post, we will learn the process of setting up macOS Firewall security using Intune. Additionally, we will provide a brief overview of the importance of creating firewall configurations for macOS devices and the various settings that can be customized when creating a custom profile.
In our previous blog post, we outlined how to create a FileVault encryption profile in Intune. Compliance policies, configuration profiles, and Conditional Access policies are the mandatory steps for any organization to protect its resources before granting employees access to corporate applications through Intune.
Microsoft Intune includes many built-in settings to control different features on devices. A firewall setting is as important as the other configurations: it filters network traffic so that only trusted connections reach devices on the organization's network, which helps prevent compromise of customers' devices and organization data.
We will create a custom Firewall setting that gives organizations control over company-enrolled macOS devices. The Firewall settings can be created in two ways:
- Endpoint security policy for macOS Firewall – the Firewall profile in Endpoint security is a focused group of settings dedicated to configuring the firewall.
- Device configuration profile for endpoint protection for macOS Firewall – firewall settings are one of the available categories in the macOS endpoint protection template.
When we select Endpoint Protection as the template, it gives the option to create a profile that includes three types of protection settings (FileVault encryption, Firewall, and Gatekeeper).
What are the reasons for implementing Firewall Security settings?
Firewall security helps organizations protect their data by blocking unauthorized access while allowing authorized communication. On a Mac, a firewall can secure network connections and protect against malicious software and hackers.
macOS also has a built-in firewall to protect the Mac while it is connected to the internet and to help prevent cyberattacks. It supports the following configurations:
- Block all incoming connections, regardless of the app.
- Automatically allow built-in software to receive incoming connections.
- Automatically allow downloaded and signed software to receive incoming connections.
- Add/remove access for user-specified apps.
- Prevent the Mac from responding to ICMP (Internet Control Message Protocol) requests such as ping.
How to Configure macOS Firewall Security Setting
To create a Firewall setting profile, we need the required access to the Microsoft Intune admin center. Follow the steps below to create a profile in the Intune portal for macOS devices.
- Sign in to the Microsoft Intune admin center at https://endpoint.microsoft.com/.
- On the left sidebar, select Endpoint security, then under Manage select Firewall.
- The list of existing profiles appears on the right. To create a new policy, click Create Policy.
- Select the categories:
  - Platform – macOS
  - Profile – macOS firewall
- Click Create.
After you click Create, provide a Name and Description and click Next.
Under the Configuration settings tab, turn on the firewall by selecting Enable Firewall: Yes (this enables the firewall on the Mac once the policy is deployed). Then select the settings to be applied on the device as defined by the organization:
- Block all incoming connections: This feature blocks all incoming connections except those required for basic Internet services, such as DHCP, Bonjour, and IPSec. It also blocks sharing services, such as File or Screen Sharing.
- Enable stealth mode: Enabling stealth mode prevents the Mac from responding to probing requests. The Mac still answers incoming requests for apps authorized by the organization.
- Firewall Apps: We can configure a list of apps that need to be allowed or blocked on end users' Macs.
Here we have selected the following settings:
- Block all incoming connections: Not configured
- Enable stealth mode: Yes
- Firewall Apps: block the built-in Chess app on the Mac
On the next page, Scope tags: scope tags are a filtering option Intune provides to ease administration. Configure any scope tags for the policy and click Next.
On the next page, select the assignment groups (Included groups and Excluded groups) and click Next.
Assignment group: this determines who receives an app, policy, or configuration profile, by assigning groups of users to include and exclude.
On the Review + create page, check whether any settings need to be changed; otherwise, go ahead and create the policy.
Once the Firewall Security policy is created, it takes a few minutes to be pushed to the targeted devices in the selected group. To view the push status for the targeted devices, follow the steps below.
- To see all device statuses, navigate to Endpoint security, then under Manage select Firewall. Click the policy, and on the Overview page you will see the profile deployment status.
We can also view the per-user, per-device, and per-setting status under every Firewall policy.
Device Status: on this page, we can see the list of devices to which the Firewall policy has been pushed, and how many of them show as Succeeded, Conflict, Error, and Not Applicable.
User Status: on this page, we can see the list of users in Intune to whom the Firewall policy has been pushed, and how many of them show as Succeeded, Conflict, Error, and Not Applicable.
Per Setting Status: on this page, we can see the list of firewall settings pushed to the devices, with the status (Succeeded, Conflict, Error, or Not Applicable) for each setting.
How to Check Deployed Firewall Security Profile on macOS
Once the policy has been pushed to the macOS devices in the assignment group, it may take a few minutes to appear on the end user's device. The settings are activated on the next device sync.
Once the user has successfully logged in to the device, follow the steps below to check the profile status.
- Click the Apple icon at the top-left corner.
- Select System Settings from the list of options.
- Go to Privacy & Security > Profiles; the profile deployed for the Firewall security setting is listed there.
To view the settings and restrictions in a profile, double-click it to open the details.
By enabling the firewall in macOS, you can block unwanted connections from the internet or other networks. To check the firewall settings on your Mac, follow these steps:
- On macOS Ventura, open System Settings > Network > Options.
- On macOS Monterey, go to System Preferences > Security & Privacy > Firewall > Firewall Options.
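Beyond the System Settings pane, the same firewall state can be read from the command line, which is useful for confirming on a fleet that the policy above actually landed. The script below is an added example and is not from the original post or from Intune; it assumes Apple's socketfilterfw CLI lives at the usual /usr/libexec/ApplicationFirewall path and that its output wording matches the constructed sample strings embedded in the script (the exact wording can differ between macOS releases, so adjust the grep patterns if yours does). It compares what the Mac reports with the values chosen earlier in this post: firewall enabled, stealth mode on, and the Chess app blocked.

```shell
#!/bin/sh
# Added example (not from the original post): verify on a Mac that the Endpoint
# security Firewall policy has taken effect. Apple's socketfilterfw CLI exposes
# the same state as the System Settings Firewall pane; this script parses its
# output and compares it with the policy values chosen in the post
# (Enable Firewall: Yes, Enable stealth mode: Yes, Chess blocked).

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw   # assumed path; present on macOS

# check_firewall_state GLOBAL STEALTH APPS APP
#   GLOBAL  - text printed by "$SFW --getglobalstate"
#   STEALTH - text printed by "$SFW --getstealthmode"
#   APPS    - text printed by "$SFW --listapps"
#   APP     - name or path fragment of an app the policy must block, e.g. Chess.app
# Prints one line per finding. Returns 0 if every check passes, 1 otherwise.
check_firewall_state() {
    global=$1; stealth=$2; apps=$3; app=$4
    rc=0

    # Global state: the tool prints "(State = 0)" when the firewall is off and a
    # non-zero state when it is on.
    if printf '%s\n' "$global" | grep -qiE 'state = [1-9]'; then
        echo "OK   firewall is enabled"
    else
        echo "FAIL firewall is not enabled: $global"; rc=1
    fi

    # Stealth mode: expect the words "stealth mode enabled" (not "disabled").
    if printf '%s\n' "$stealth" | grep -qi 'stealth mode enabled'; then
        echo "OK   stealth mode is on"
    else
        echo "FAIL stealth mode is off: $stealth"; rc=1
    fi

    # Per-app rules: --listapps prints the app path and, on the following line,
    # whether incoming connections are allowed or blocked. Take the line after
    # the first match for our app and look for the word "block".
    verdict=$(printf '%s\n' "$apps" | grep -i -A1 -F "$app" | sed -n '2p')
    case $verdict in
        *[Bb]lock*) echo "OK   $app blocks incoming connections" ;;
        *)          echo "FAIL $app is not blocked (got: ${verdict:-no entry})"; rc=1 ;;
    esac
    return $rc
}

# Live check, macOS only. Reading the state does not need sudo.
check_live() {
    [ -x "$SFW" ] || { echo "$SFW not found; run this on macOS" >&2; return 2; }
    check_firewall_state "$("$SFW" --getglobalstate)" \
                         "$("$SFW" --getstealthmode)" \
                         "$("$SFW" --listapps)" \
                         Chess.app
}

# Constructed sample output shaped like socketfilterfw's, for offline testing.
SAMPLE_GLOBAL='Firewall is enabled. (State = 1)'
SAMPLE_STEALTH='Stealth mode enabled'
SAMPLE_APPS='ALF: total number of apps = 1

1 :  /System/Applications/Chess.app
     ( Block incoming connections )'

case ${1:-} in
    --self-test) check_firewall_state "$SAMPLE_GLOBAL" "$SAMPLE_STEALTH" "$SAMPLE_APPS" Chess.app ;;
    --live)      check_live ;;
esac
```

Run it with `--self-test` anywhere to exercise the parser against the constructed sample, or with `--live` on an enrolled Mac to compare the real state with the policy; a non-zero exit code flags a device on which the policy has not applied as intended, which is the same condition the Intune Device Status page reports as Error or Conflict.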
It is a best practice for organizations to include the firewall as a mandatory component of their security policy for all company-owned macOS devices. This secures network activity on the user's device, protects against data leakage, and helps prevent cyberattacks on user access to company resources.
Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his knowledge on Apple Mac Devices Support. He is an M.Tech graduate in System Engineering.