In this guide, you’ll learn how to configure macOS firewall settings with Intune. Microsoft Intune offers multiple methods to enable and configure the built-in firewall settings for macOS, and we will explore all of them in this guide.

macOS includes a built-in firewall to protect the Mac from network access and denial-of-service attacks. After you enroll your Mac devices in Intune, you can configure a policy to manage the macOS firewall settings.

If you want to prevent Mac users from disabling the firewall or stealth mode, or from changing other firewall settings, you must configure the firewall policy on the devices. Otherwise, Mac users will have the option to manage these settings on their own, which puts the devices at risk.

To manage macOS firewall security and Intune endpoint security policies, you must use an account that includes Intune role-based access control (RBAC) permission for the policy, and specific rights related to the task you’re managing.

Prerequisites

The following are the prerequisites to enable and configure settings for the built-in firewall on macOS using Intune:

  • The Mac devices should be enrolled in Intune.
  • The devices must be running macOS 13 or later.
  • An account with permissions to manage endpoint security policies.

Ways to manage firewall settings for macOS in Intune

There are two ways to enable and configure the firewall settings for macOS in Intune:

  1. Use Endpoint Security to configure firewall security on macOS
  2. Use macOS device configuration profile to manage individual Firewall settings

So, which of the methods presented above should be used to configure firewall settings on a Mac? Well, here is the answer:

If you wish to enable or disable macOS firewall security in addition to the stealth mode, use the Endpoint Security feature. It’s fairly easy and simple. However, if you want to configure each aspect of the macOS firewall in detail, use the device configuration profile in Intune.

List of macOS firewall settings in Intune

The table below lists the firewall settings that can be configured for macOS devices in Intune. To configure any of these settings, the firewall has to be enabled on the Mac devices.

| Firewall Setting for macOS | Description |
|---|---|
| Enable Firewall | Enable or disable firewall to configure incoming connections in your setup |
| Block all incoming connections | Blocks all incoming connections except the important ones, such as DHCP, Bonjour, and IPSec. This feature also blocks all sharing services, such as File Sharing and Screen Sharing |
| Enable stealth mode | Enabling stealth mode prevents the Mac device from responding to probing requests |
| Firewall apps | Set rules for incoming connections for the apps |
| Firewall logging | Enables logging on the macOS firewall |
| Applications | Control the apps that you want to allow or block for Mac users |
| Signed App | Allow or block built-in software to receive incoming notifications. |

Firewall Settings for macOS in Microsoft Intune

Create macOS Firewall policy for endpoint security in Intune

To turn on the firewall on macOS and configure the other settings, you can create a firewall policy for endpoint security in Intune. Create the policy with these steps:

First, sign in to the Microsoft Intune admin center. Navigate to Endpoint Security > Firewall. Under Firewall Policies, select Create Policy. Choose macOS as the platform and macOS Firewall as the profile. Click on the Create button.

Create macOS Firewall policy for endpoint security in Intune

On the Basics tab, specify the policy name and a brief description of the policy. This will make it easier for other Intune administrators to find this profile.

  • Name: Configure Firewall Settings for macOS.
  • Description: A policy to enable and configure the macOS firewall and its settings with Intune

Click Next.

Create macOS Firewall policy for endpoint security in Intune

On the Configuration Settings tab, you’ll find all the settings related to macOS firewall. As mentioned earlier, you can configure these settings only when you enable the Firewall first.

Go through each of the firewall settings and enable the ones that you require.

  • Enable Firewall: Turn on the firewall by moving the slider to Yes.
  • Block all incoming connections: Restrict all the incoming connections.
  • Enable Stealth mode: Enable stealth mode if required.
  • Firewall apps: Allow or block the Apple apps for users

When you’re done configuring the settings, click Next.

Configure macOS Firewall Settings with Intune

On the Scope tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.

Scope tags for macOS firewall policy

In the Assignments tab, specify the Mac groups to assign the policy. We recommend deploying the profile to a few test devices first and then expanding it to more groups if the testing is successful. Select Next.

Assign macOS firewall policy

Finally, on the Review+Create tab, review all the macOS firewall settings you’ve configured in Intune. Click Create.

Create Intune Policy for macOS Firewall settings

After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The newly created policy appears in the list of firewall policies.

Configure macOS Firewall Settings with Intune Policy

In this method, we will configure the firewall settings for macOS using a device configuration profile in Intune. The macOS device configuration profile offers more firewall settings that you can configure when compared to using Endpoint Security.

Here is the procedure to create a new macOS device configuration policy to configure firewall settings:

Sign in to the Microsoft Intune admin center. Go to Devices > macOS devices and select Configuration. Under Policies, select Create > New Policy. Select Settings Catalog as Profile type and click Create.

Create a macOS device configuration profile in Intune

On the Basics tab, type the profile name and description.

  • Name: Manage Firewall Settings for macOS
  • Description: Device configuration profile to manage firewall settings for macOS

Click Next.

Create a macOS device configuration profile in Intune

In the Configuration Settings section, under Settings Catalog, click Add Settings. On the Settings picker window, type “Firewall” in the search box and click Search. From the search results, select the category “Networking > Firewall”.

The Firewall category includes the following firewall settings for macOS:

  • Allow Signed
  • Allow Signed App
  • Applications
  • Block All Incoming
  • Enable Firewall
  • Enable Logging
  • Enable Stealth Mode
  • Logging Option

Choose the firewall settings that you want to configure and close the settings picker window.

Configure macOS Firewall Settings with Intune Policy

Configure each of the macOS firewall security settings that you have selected in the above step. For instance, in the below policy, we are turning on the firewall, and other settings are not configured. Click Next.

Configure macOS Firewall Settings with Intune Policy

Assign the firewall policy to your macOS groups in Intune. Again, we recommend applying the firewall policy to a group of test devices first. Once the deployment is complete, you can roll out the policy to a larger group of Mac devices. Click Next.

Assign macOS Firewall Policy in Intune

The Review+Create page shows all the firewall settings you’ve configured for Mac devices. Review them once and click Create.

After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the macOS groups we chose.

Create macOS firewall policy in Intune

Sync your Mac devices with Intune

To receive the firewall policy settings from Intune, the macOS devices must be online. The devices synchronize with Intune at regular intervals to obtain the most recent policies. To speed up the policy assignments, you can manually sync Intune policies on macOS to download the latest policies from Microsoft Intune.

Although Mac devices regularly sync with Intune for updates, administrators can also run the sync for Mac devices from the admin center. We do a manual sync to see if the policy settings get applied and work as intended.

Monitor macOS Firewall Security Policy Assignment

While the firewall policy settings are being applied to your Mac devices, you can monitor the devices and users that have successfully received the settings in Intune.

Based on the approach that you’ve taken to configure the firewall settings for Mac, the policy assignment status can be monitored with the following steps:

If you have used the device configuration profile to deploy the firewall configuration on macOS:

  • Navigate to Devices > macOS > Configuration.
  • From the list of configuration profiles, select the macOS firewall security policy.
  • Click the View Report button to view the Mac devices that received firewall settings.

Monitor macOS Firewall Security Policy Assignment

If you have used Endpoint Security to apply the firewall configuration on Mac devices:

  • In the Intune portal, navigate to Endpoint Security > Firewall.
  • From the list of policies, select the macOS firewall policy.
  • The Overview page shows the profile assignment status for macOS devices and users.

Monitor macOS Firewall Security Policy Assignment

In some cases, the Intune policy may fail to apply to certain Mac devices. To resolve the issues, we recommend collecting and reviewing Intune logs on Mac devices.

Verify Firewall Policy Configuration on Mac devices

After configuring the Firewall settings for macOS and assigning the policy via Intune, we will now verify if our Mac devices have successfully received those settings. The only way to accomplish this is to log into one of the Mac devices and check the firewall configuration.

Here is how you can check the firewall settings applied via the Intune policy:

  • In the top-left corner, click the Apple icon and select System Settings.
  • Go to Privacy and Security and select Profiles.
  • Look for a firewall profile configured via Intune.

The firewall profile applied by Microsoft Intune can be identified by its name, “com.apple.security.firewall profile”. Double-click this firewall profile to find out the settings and description of the profile.

Verify Firewall Policy Configuration on Mac devices

By checking the firewall settings on Mac, you can confirm the specific firewall settings that Intune has applied. On your Mac, click the Apple icon in the top-left corner and select System Settings. Now select Network > Firewall. Click on the options tab to confirm the firewall configuration applied via Intune policy.

Verify Firewall Policy Configuration on Mac devices
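
The check above can also be done against a configuration profile saved as an XML plist. This is an added example, not code from the original article or from Microsoft: it audits the com.apple.security.firewall payload using Apple's key names for the settings listed earlier. The baseline values, the sample profile and the bundle ID are constructed for illustration.

```python
import plistlib

FIREWALL_TYPE = "com.apple.security.firewall"
# Baseline is an assumption for this example, not a value from the article.
BASELINE = {"EnableFirewall": True, "EnableStealthMode": True, "EnableLogging": True}

# Constructed sample profile: firewall on, stealth mode not set,
# one (made-up) app allowed to accept incoming connections.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.firewall</string>
    <key>EnableFirewall</key><true/>
    <key>EnableLogging</key><true/>
    <key>LoggingOption</key><string>detail</string>
    <key>Applications</key><array><dict>
      <key>BundleID</key><string>com.example.constructed-app</string>
      <key>Allowed</key><true/>
    </dict></array>
  </dict></array>
</dict></plist>"""

def audit_firewall_profile(profile_bytes, baseline=BASELINE):
    """Return a list of findings for the firewall payload(s) in a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == FIREWALL_TYPE]
    if not payloads:
        return ["no com.apple.security.firewall payload in profile"]
    findings = []
    for fw in payloads:
        for key, want in baseline.items():
            if key not in fw:
                findings.append(f"{key}: not configured in this profile")
            elif fw[key] != want:
                findings.append(f"{key}: {fw[key]!r}, baseline wants {want!r}")
        # The other settings only apply when the firewall itself is enabled.
        if fw.get("EnableFirewall") is not True and \
                fw.keys() - {"PayloadType", "EnableFirewall"}:
            findings.append("other settings present but firewall is not enabled")
        # Each allowed app is an exception to review.
        for app in fw.get("Applications", []):
            if app.get("Allowed"):
                findings.append(f"incoming allowed for {app.get('BundleID')}")
    return findings

if __name__ == "__main__":
    for finding in audit_firewall_profile(SAMPLE_PROFILE):
        print(finding)
```

An empty result means the payload matches the baseline and lists no allowed-app exceptions.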

Prajwal Desai

Prajwal Desai is a technology expert and 10-time Dual Microsoft MVP (Most Valuable Professional) with a focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, and community leader, known for sharing his expertise and knowledge through his blog, YouTube, conferences, webinars, etc.