In this guide, you’ll learn how to configure macOS firewall settings with Intune. Microsoft Intune offers more than one way to enable and configure the built-in firewall on macOS, and we will walk through each of them.
macOS includes a built-in application firewall that controls which incoming network connections apps and services on the Mac may accept; with stealth mode it also stops the Mac from answering network probes such as ping. After you enroll your Mac devices in Intune, you can configure a policy to manage these firewall settings centrally.
If you want to stop Mac users from disabling the firewall, turning off stealth mode, or changing the other settings, you must push a firewall policy to the devices. Otherwise, users can change these settings on their own, which leaves the devices exposed.
To manage macOS firewall settings through Intune endpoint security policies, you must use an account that has the Intune role-based access control (RBAC) permissions for endpoint security policies, plus the specific rights for the task you’re performing.
Prerequisites
The following are the prerequisites to enable and configure settings for the built-in firewall on macOS using Intune:
- The Mac devices should be enrolled in Intune.
- The devices must be running macOS 13 or later.
- An account with permissions to manage endpoint security policies.
Ways to manage firewall settings for macOS in Intune
There are two ways to enable and configure the firewall settings for macOS in Intune:
- Use Endpoint Security to configure firewall security on macOS
- Use macOS device configuration profile to manage individual Firewall settings
So, which of these two methods should you use to configure firewall settings on a Mac? Here is the short answer:
If all you need is to turn the macOS firewall on or off and enable stealth mode, use the Endpoint Security policy; it is quick and simple. If you want to control every aspect of the macOS firewall, including per-app rules and logging, use a device configuration profile (settings catalog) instead.
Note: The settings catalog used by device configuration profiles also exposes many other categories of macOS settings. Those are unrelated to the firewall, so stick to the Networking > Firewall category if firewall management is all you need; otherwise it is easy to lose track of what the profile actually changes.
List of macOS firewall settings in Intune
The table below lists the firewall settings that can be configured for macOS devices in Intune. Every setting other than Enable Firewall takes effect only when the firewall itself is enabled on the Mac.

| Firewall setting for macOS | Description |
|---|---|
| Enable Firewall | Turns the built-in application firewall on or off. All other settings depend on this one being enabled. |
| Block all incoming connections | Blocks all incoming connections except those required for basic services, such as DHCP, Bonjour, and IPSec. This also blocks all sharing services, such as File Sharing and Screen Sharing. |
| Enable stealth mode | Stops the Mac from responding to probing requests from the network, such as ping. |
| Firewall apps | Per-app rules that allow or block incoming connections for specific apps. |
| Firewall logging | Turns on logging for the macOS firewall. |
| Applications | The list of apps (by bundle ID) for which incoming connections are allowed or blocked. |
| Signed App | Allows or blocks built-in software from receiving incoming connections (Allow Signed); the separate Allow Signed App setting does the same for downloaded, signed software. |
Create macOS Firewall policy for endpoint security in Intune
To turn on the firewall on macOS and configure the basic settings, create a firewall policy under Endpoint Security in Intune. Use these steps:
First, sign in to the Microsoft Intune admin center. Navigate to Endpoint Security > Firewall. Under Firewall Policies, select Create Policy. Choose macOS as the platform and macOS Firewall as the profile. Click on the Create button.
On the Basics tab, specify the policy name and a brief description of the policy. This will make it easier for other Intune administrators to find this profile.
- Name: Configure Firewall Settings for macOS.
- Description: A policy to enable and configure the macOS firewall and its settings with Intune
Click Next.
On the Configuration Settings tab, you’ll find all the settings related to macOS firewall. As mentioned earlier, you can configure these settings only when you enable the Firewall first.
Go through each of the firewall settings and enable the ones you require.
- Enable Firewall: Turn on the firewall by moving the slider to Yes.
- Block all incoming connections: Block all incoming connections except the basic services listed earlier. Note that this also blocks File Sharing and Screen Sharing.
- Enable Stealth mode: Enable stealth mode if required.
- Firewall apps: Add per-app rules (by bundle ID) that allow or block incoming connections for specific apps.
When you’re done configuring the settings, click Next.
On the Scope tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments tab, specify the Mac groups to assign the policy. We recommend deploying the profile to a few test devices first and then expanding it to more groups if the testing is successful. Select Next.
Finally, on the Review+Create tab, review all the macOS firewall settings you’ve configured in Intune. Click Create.
After you create the policy, the notification “Policy created successfully” appears. This confirms that the policy exists and is assigned to the groups you chose; the devices receive it at their next check-in. The new policy appears in the list of firewall policies.
Configure macOS Firewall Settings with Intune Policy
In this method, we will configure the firewall settings for macOS using a device configuration profile in Intune. The macOS device configuration profile offers more firewall settings that you can configure when compared to using Endpoint Security.
Here is the procedure to create a new macOS device configuration policy to configure firewall settings:
Sign in to the Microsoft Intune admin center. Go to Devices > macOS devices and select Configuration. Under Policies, select Create > New Policy. Select Settings Catalog as the profile type and click Create.
On the Basics tab, type the profile name and description.
- Name: Manage Firewall Settings for macOS
- Description: Device configuration profile to manage firewall settings for macOS
Click Next.
In the Configuration Settings section, under Settings Catalog, click Add settings. In the settings picker, type “Firewall” in the search box and click Search. From the results, select the category “Networking > Firewall“.
The Firewall category includes the following firewall settings for macOS:
- Allow Signed
- Allow Signed App
- Applications
- Block All Incoming
- Enable Firewall
- Enable Logging
- Enable Stealth Mode
- Logging Option
Choose the firewall settings that you want to configure and close the settings picker window.
Configure each of the macOS firewall settings you selected in the previous step. In the example policy shown here, only Enable Firewall is set; the other settings are left unconfigured. Click Next.
Assign the firewall policy to your macOS groups in Intune. Again, we recommend applying the firewall policy to a group of test devices first. Once the deployment is complete, you can roll out the policy to a larger group of Mac devices. Click Next.
The Review+Create page shows all the firewall settings you’ve configured for Mac devices. Review them once and click Create.
After you create the profile, the notification “Policy created successfully” appears. This confirms that the profile exists and is assigned to the macOS groups you chose; the devices receive it at their next check-in.
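Whichever of the two methods you use, the settings in the table earlier and the Networking > Firewall items in the settings catalog reach the Mac as one Apple MDM payload of type com.apple.security.firewall, the name you later see under Profiles on the device. The script below is an added example, not code from this article or from Intune: it emits that payload so you can see what each Intune setting becomes and what a per-app rule looks like on the wire. The PayloadIdentifier, PayloadUUID and PayloadDisplayName values and the bundle IDs in FW_APPS are placeholders (assumptions); the key names are Apple's Firewall payload keys.

```shell
#!/bin/sh
# Added example, not code from the article or from Intune: build the
# com.apple.security.firewall MDM payload that both Intune methods end up
# delivering, so each settings-catalog item can be seen as the key it becomes.
# PayloadIdentifier, PayloadUUID, PayloadDisplayName and the bundle IDs in
# FW_APPS are placeholders, not values Intune generates.

# yes/no -> plist boolean element
plist_bool() { [ "$1" = yes ] && echo '<true/>' || echo '<false/>'; }

# Per-app rules (the "Applications" / "Firewall apps" setting) come from FW_APPS,
# a space-separated list of bundleid=allow|block entries.
app_rules() {
  for entry in $FW_APPS; do
    bid=${entry%%=*}
    allowed=no; [ "${entry#*=}" = allow ] && allowed=yes
    printf '        <dict><key>BundleID</key><string>%s</string><key>Allowed</key>%s</dict>\n' \
      "$bid" "$(plist_bool "$allowed")"
  done
}

# Print a complete profile. Arguments: enable blockall stealth logging (yes/no each).
# AllowSigned / AllowSignedApp are the settings-catalog items "Allow Signed" /
# "Allow Signed App"; LoggingOption accepts throttled, brief or detail.
firewall_payload() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.firewall.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Firewall (example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.firewall</string>
      <key>PayloadIdentifier</key><string>example.firewall.profile.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>EnableFirewall</key>$(plist_bool "$1")
      <key>BlockAllIncoming</key>$(plist_bool "$2")
      <key>EnableStealthMode</key>$(plist_bool "$3")
      <key>EnableLogging</key>$(plist_bool "$4")
      <key>LoggingOption</key><string>detail</string>
      <key>AllowSigned</key><true/>
      <key>AllowSignedApp</key><true/>
      <key>Applications</key>
      <array>
$(app_rules)
      </array>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Stand-alone run: firewall on, block-all off, stealth on, logging on, two app rules.
FW_APPS=${FW_APPS:-"com.apple.screensharing=allow org.example.legacyagent=block"}
firewall_payload yes no yes yes
```

On a Mac you can pipe the output to a file and run `plutil -lint` on it to confirm it is a well-formed plist. Note that once BlockAllIncoming is true the per-app Allowed entries no longer matter, which is the trade-off the Block all incoming connections setting makes in the Intune UI as well.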
Sync your Mac devices with Intune
To receive the firewall policy from Intune, the macOS devices must be online. Devices check in with Intune on a regular schedule to pick up the latest policies. To speed this up, you can trigger a manual sync on the Mac so it downloads the latest policies from Intune right away.
Administrators can also trigger the sync for Mac devices from the admin center. We run a manual sync here to confirm that the policy settings arrive and work as intended.
Monitor macOS Firewall Security Policy Assignment
While the firewall policy is being applied to your Mac devices, you can monitor in Intune which devices and users have successfully received the settings.
Depending on the approach you took to configure the firewall settings, the policy assignment status is monitored from a different place:
If you used a device configuration profile to deploy the firewall configuration on macOS, open the profile from Devices > macOS devices > Configuration and review its device status report.
If you used Endpoint Security to apply the firewall configuration, open the policy from Endpoint Security > Firewall and review its device status report.
Note: During our testing, we found that the Endpoint Security policy took noticeably longer to apply on remote Mac devices. We are not sure why the assignment status stayed pending for so long, and we believe this is only a temporary issue. In contrast, the device configuration profile applied successfully in our tests.
In some cases, the Intune policy may fail to apply to certain Mac devices. To troubleshoot, we recommend collecting and reviewing the Intune logs on the affected Macs.
Verify Firewall Policy Configuration on Mac devices
After configuring the firewall settings for macOS and assigning the policy in Intune, we will now verify that the Mac devices have actually received those settings. The Intune status reports tell you whether the profile was delivered; the most direct way to confirm the effective settings is to log in to one of the Macs and check the firewall configuration there.
Here is how you can check the firewall settings applied via the Intune policy:
- In the top-left corner, click the Apple icon and select System Settings.
- Go to Privacy & Security and select Profiles (on newer macOS versions the profile list is under General > Device Management).
- Look for a firewall profile delivered by Intune.
The firewall profile applied by Microsoft Intune can be identified by its name, “com.apple.security.firewall profile“. Open this profile to see its description and the settings it contains.
Next, confirm the settings in effect on the Mac. Click the Apple icon in the top-left corner, select System Settings, then select Network > Firewall. Click Options to see the firewall configuration that the Intune policy applied. Settings managed by the profile cannot be changed by the user here, which is exactly the restriction the policy is meant to enforce.
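Clicking through System Settings works for one machine; for a fleet you want the same check from Terminal, where it can be scripted and run as a periodic compliance job. The script below is an added example, not code from this article or from Intune. It reads the effective firewall state through Apple's socketfilterfw tool, normalises its differently worded answers to on/off, and compares them with the values you configured in the policy. Assumptions: socketfilterfw is at /usr/libexec/ApplicationFirewall/socketfilterfw; the expected values on the last line (firewall on, block-all off, stealth on, logging on) match the policy you pushed; and the sample status lines in the comments are reconstructed from that tool's output format, which Apple may word slightly differently across macOS versions, which is why the parser matches keywords rather than whole sentences. Run it with sudo.

```shell
#!/bin/sh
# Added example, not from the article or from Intune: read the effective macOS
# application-firewall state the way an admin would from Terminal and compare it
# with the values the Intune policy was supposed to set. Assumes macOS with
# socketfilterfw at the path below; run with sudo.

SFW=${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}

# Normalise one socketfilterfw status line to "on" / "off" / "unknown".
# The tool words each setting differently (reconstructed samples:
# "Firewall is enabled. (State = 1)", "Stealth mode disabled",
# "Block all DISABLED!", "Log mode is off"), so match the keywords
# case-insensitively instead of the exact sentence. "disabled" and "off"
# are tested first so that "disabled" is never mistaken for "enabled".
fw_flag() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *disabled*|*" off"*) echo off ;;
    *enabled*|*" on"*)   echo on ;;
    *)                   echo unknown ;;
  esac
}

# Compare the live state with the expected values. Arguments are the expected
# on/off values for: firewall, block-all, stealth mode, logging. Prints one line
# per setting and returns the number of mismatches, so a non-zero exit status
# means the Mac has drifted from (or never received) the policy.
fw_check() {
  mismatches=0
  for pair in "globalstate:$1" "blockall:$2" "stealthmode:$3" "loggingmode:$4"; do
    opt=${pair%%:*}
    want=${pair#*:}
    got=$(fw_flag "$("$SFW" "--get$opt" 2>/dev/null)")
    if [ "$got" = "$want" ]; then
      echo "ok       $opt=$got"
    else
      echo "MISMATCH $opt: expected $want, got $got"
      mismatches=$((mismatches + 1))
    fi
  done
  return "$mismatches"
}

# Stand-alone run: expected values for the policy built in this article
# (firewall on, block-all off, stealth on, logging on).
if [ -x "$SFW" ]; then
  fw_check on off on on || echo "firewall state has drifted from the Intune policy"
else
  echo "socketfilterfw not found at $SFW; this check only runs on macOS"
fi
```

A result of "unknown" for a setting means the tool's wording changed or the command failed (for example when not run as root), so treat it as a failure rather than a pass. Because socketfilterfw reports the effective state, the check passes whether the setting came from the Intune profile or was set locally; pair it with the Profiles check above if you need to prove the profile itself is installed.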