
How to Configure Firewall for Mac?

Hexnode UEM lets you configure the macOS application firewall, which controls whether applications and services on the Mac can accept connections on their network ports. The firewall blocks unauthorized incoming connections from the network before they reach an application, putting a barrier between the Mac and the networks it joins and making it harder for a remote party to exploit a listening application. It does not restrict outgoing connections or the Mac's own network access. This protection matters most when the Mac is connected to a public or untrusted network, where exposed services are the most likely to be probed, so the firewall should be enabled before a Mac joins such a network.

Turning on Firewall in Mac

To turn on Firewall using Hexnode UEM,

  1. Navigate to the Policies tab on the Hexnode UEM console.
  2. Continue with an existing policy or create a new one by clicking on New Policy. Provide a policy name and description if you are creating a new policy.
  3. From macOS > Security, choose Firewall. Click Configure.
  4. Click Enable Firewall.

[Screenshot: turning the firewall on with Hexnode UEM]

Alternatively, you can keep the firewall turned off on the target devices by unchecking the Enable Firewall option before associating the policy.

Notes:

  • To turn the firewall off manually on the Mac (macOS Monterey and earlier), go to System Preferences > Security & Privacy > Firewall > Turn Off Firewall, then click the lock to prevent further changes.
  • The Firewall settings on devices running macOS Ventura and newer versions can be found by navigating to System Settings > Network > Firewall.

Enable Stealth Mode

If you are concerned about attackers port-scanning your Mac or pinging it over the internet, you can prevent the Mac from advertising its presence by checking the Enable Stealth Mode option in Hexnode UEM.

With Stealth Mode enabled, the Mac stops responding to probing requests. Incoming connections to authorized apps are still accepted, but unsolicited traffic such as ICMP echo (ping) requests and connection attempts to closed TCP or UDP ports is ignored rather than answered.

It is not recommended to turn Stealth Mode off on devices that frequently connect to external networks.

[Screenshot: configuring the firewall for Mac from Hexnode to enable stealth mode]

The following steps will outline how to enable Stealth Mode using Hexnode UEM.

  1. Go to the Firewall policy for macOS and click Configure.
  2. Click Enable Firewall.
  3. Check the Enable stealth mode option.

[Screenshot: stealth mode enabled in macOS system settings]

Note:

If you enable Stealth Mode from the Hexnode UEM console, the users will not be able to manually turn off Firewall from their Mac’s system preferences unless you remove the devices from the associated policy or delete the concerned policy.

Enable logging

Firewall logging records the connection attempts the firewall handles between the Mac and external networks, including both the attempts it allowed and the attempts it denied.

Checking the Enable logging option turns on firewall logging on the device, so that every connection the firewall approved or denied is recorded.

[Screenshot: enabling firewall logging while configuring the firewall for Mac]

Follow these steps to enable firewall logging:

  1. Go to the Firewall policy for macOS and click Configure.
  2. Click Enable Firewall.
  3. Check the option Enable logging.
Note:

The option Enable logging is supported on macOS version 12.0.1 and later.

Logging level

Select the logging level for the firewall. There are three options to choose from:

[Screenshot: choosing the firewall logging level while configuring the firewall for Mac]

Logging level   Description
Throttled       Collects only a limited volume of log entries.
Brief           Records a single line for each firewall event.
Detail          Records a detailed entry for each firewall event.

Disclaimer:

For troubleshooting, set the logging level to Detail, but be aware that it can consume a significant amount of storage on the device. The logs are kept on the device and can be viewed in the Console app under Console > Log Reports > appfirewall.log.

Note:

The option Logging level is supported on macOS version 12.0.1 and later.

Block all incoming connections

Blocks all incoming network connections except those required for basic internet services, such as DHCP, Bonjour, and IPSec. Sharing services such as file sharing and screen sharing are blocked as well. This setting is not recommended for general use, as it severely limits what the Mac can do on the network; reserve it for devices that do not need to accept any incoming connections.

[Screenshot: option to block all incoming connections while configuring the firewall for Mac]

Here are the steps to block all incoming connections.

  1. Go to the Firewall policy for macOS and click Configure.
  2. Click Enable Firewall.
  3. Check Block all incoming connections.

[Screenshot: block all incoming connections to the system from the internet]

Note:

If you block all incoming connections using Hexnode UEM, the users will not be able to manually turn off Firewall from their Mac devices unless you remove the devices from the associated policy or delete the concerned policy.

Allow/block incoming connections to specific applications

Follow these steps to allow or block incoming connections for specific apps.

  1. Go to the Firewall policy for macOS and click Configure.
  2. Click Enable Firewall.
  3. Select Allow incoming connections or Block incoming connections, depending on what you need.

To add apps, click +Add app, choose the apps you want, and click Done.

To remove an app you no longer need in the list, click its Delete button; Remove all clears the whole selection.

[Screenshot: allow or block incoming connections to apps]

Notes:

  • Apps you block through the policy stay blocked on the Mac even after the device is removed from the Policy Targets or the policy is deleted. To unblock them, change the firewall settings manually on the Mac.
  • Go to System Preferences > Security & Privacy > Firewall > Firewall Options, select the apps to unblock, click the – (remove) button, click OK, then click the lock to prevent further changes.

Allow incoming connections to built-in software

When this option is enabled, built-in software and services that carry a valid certificate authority signature are automatically added to the list of allowed apps, so they can receive incoming connections through the firewall.

[Screenshot: option to permit incoming connections for the device's built-in software]

  1. Go to the Firewall policy for macOS and click Configure.
  2. Click Enable Firewall.
  3. Check the Allow incoming connections to built-in software option.

[Screenshot: firewall settings on the device showing built-in software allowed to receive incoming connections]

Note:

The option Allow incoming connections to built-in software is supported on macOS version 12.3 and later.

Allow incoming connections to downloaded signed software

Check this option to automatically add downloaded apps and services signed by a valid certificate authority to the list of allowed apps, so they can receive incoming connections through the firewall.

[Screenshot: firewall settings to allow downloaded signed software to receive incoming connections]

  1. Go to the Firewall policy for macOS and click Configure.
  2. Click Enable Firewall.
  3. Check the Allow incoming connections to downloaded signed software option.

[Screenshot: firewall settings on the device showing downloaded signed software allowed to receive incoming connections]

Note:

The option Allow incoming connections to downloaded signed software is supported on macOS version 12.3 and later.
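
The options above correspond to the keys of Apple's com.apple.security.firewall configuration profile payload, which is the form in which an MDM delivers firewall settings to a Mac. The following Python script is an added example, not Hexnode's code: it builds such a profile from the options described on this page and reports the minimum macOS version the chosen options need, using the version requirements stated above (12.0.1 for logging and the logging level, 12.3 for the two allow-signed options). The payload identifiers and UUIDs are placeholders, apps are assumed to be identified by bundle ID as Apple's payload requires, and that Hexnode pushes precisely this payload is an assumption.

```python
"""Build the macOS Firewall configuration profile that corresponds to the
options above.  Added example, not Hexnode's code.  Payload keys are Apple's
com.apple.security.firewall keys; identifiers and UUIDs are placeholders."""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.security.firewall"
LOGGING_OPTIONS = ("throttled", "brief", "detail")

# Minimum macOS version per option, as stated in this article.
MIN_VERSION = {
    "EnableLogging": (12, 0, 1),
    "LoggingOption": (12, 0, 1),
    "AllowSigned": (12, 3),      # allow incoming connections to built-in software
    "AllowSignedApp": (12, 3),   # allow incoming connections to downloaded signed software
}


def firewall_payload(enable=True, stealth=False, block_all=False, logging=False,
                     logging_option=None, allow_builtin=None, allow_downloaded=None,
                     apps=()):
    """One Firewall payload.  apps: iterable of (bundle_id, allowed) pairs, one per
    app listed under Allow/Block incoming connections (assumes apps are identified
    by bundle ID, as Apple's payload requires)."""
    if logging_option is not None and logging_option not in LOGGING_OPTIONS:
        raise ValueError(f"logging_option must be one of {LOGGING_OPTIONS}")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Firewall",
        "EnableFirewall": bool(enable),
        "EnableStealthMode": bool(stealth),
        "BlockAllIncoming": bool(block_all),
    }
    if logging:
        payload["EnableLogging"] = True
        payload["LoggingOption"] = logging_option or "throttled"
    if allow_builtin is not None:
        payload["AllowSigned"] = bool(allow_builtin)
    if allow_downloaded is not None:
        payload["AllowSignedApp"] = bool(allow_downloaded)
    if apps:
        payload["Applications"] = [{"BundleID": bid, "Allowed": bool(ok)} for bid, ok in apps]
    return payload


def minimum_macos(payload):
    """Highest of the per-option minimum versions present in the payload, or None
    when the payload only uses options this article gives no version floor for."""
    floors = [MIN_VERSION[k] for k in payload if k in MIN_VERSION]
    return max(floors) if floors else None


def mobileconfig(payloads, name="Firewall policy"):
    """Wrap one or more payloads in a system-scoped configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.firewall-policy",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": list(payloads),
    }


def to_xml(profile):
    """Serialise the profile to the XML plist form of a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_xml(data):
    """Parse a .mobileconfig back into a dict (used to inspect what was written)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    fw = firewall_payload(enable=True, stealth=True, logging=True, logging_option="detail",
                          allow_builtin=True, allow_downloaded=False,
                          apps=[("com.apple.Safari", True)])
    print("profile needs macOS", ".".join(map(str, minimum_macos(fw))))
    with open("firewall.mobileconfig", "wb") as f:
        f.write(to_xml(mobileconfig([fw])))
```

The version floor matters in practice: a profile that carries AllowSigned or AllowSignedApp is only fully honoured on macOS 12.3 and later, so a fleet with older Macs should either split the policy by OS version or leave those keys out.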

Associate policy with macOS devices

If you’ve not saved the policy yet, you can

  1. Go to Policy Targets.
  2. Click on + Add Devices.
  3. Choose the devices with which the policy needs to be associated.
  4. Click OK when you are done adding the devices.

You can also associate policies with device groups, users, user groups, or domains from the left pane underneath the Policy Targets tab.

If you are on a page that lists the policies,

  1. Check a policy.
  2. From Manage, select Associate Targets.
  3. Select the required devices and click Associate.
Exceptions:

  • In some cases the policy may not take effect while System Preferences is open on the Mac. Close System Preferences and open it again for the policy to apply.
  • If separate policies enable and disable the Firewall on the same device, the Firewall ends up enabled, i.e., enabling takes precedence.
  • When a Firewall policy is applied, the configured settings take effect on the device and the Firewall settings are greyed out so users cannot change them. Disassociating the device from the policy targets or deleting the policy releases the device from the enforced settings, but the device keeps the previously configured values, which the user can then change manually.

What happens at the device end?

[Screenshot: the Firewall settings updated on the endpoint]

Once the policy is associated, users cannot modify the Firewall settings under System Preferences > Security & Privacy (or System Settings > Network > Firewall on macOS Ventura and later). The settings configured in the policy are enforced.
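
Because the greyed-out settings pane only shows what the Mac believes is configured, it is worth confirming on the endpoint that the firewall state really matches the policy. The following Python script is an added example, not Hexnode's or Apple's code: it queries Apple's socketfilterfw command-line tool (/usr/libexec/ApplicationFirewall/socketfilterfw; some queries require sudo), parses the answers, and lists any drift from an expected policy. SAMPLE_OUTPUT is constructed to approximate the tool's wording, which is why the parsers key on the words enabled/disabled and on/off rather than on exact strings, and the EXPECTED policy and app paths are assumed examples.

```python
"""Audit the application firewall state on a Mac against the policy Hexnode
pushed.  Added example, not Hexnode's or Apple's code.  Uses Apple's
socketfilterfw CLI; SAMPLE_OUTPUT is constructed to approximate its wording."""
import os
import re
import subprocess

SFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
QUERIES = {  # setting name -> socketfilterfw query flag
    "enabled": "--getglobalstate",
    "block_all": "--getblockall",
    "stealth": "--getstealthmode",
    "logging": "--getloggingmode",
    "logging_option": "--getloggingopt",
    "allow_signed": "--getallowsigned",
    "apps": "--listapps",
}

# Constructed sample output, approximating what the queries print on a Mac.
SAMPLE_OUTPUT = {
    "enabled": "Firewall is enabled. (State = 1)\n",
    "block_all": "Block all DISABLED!\n",
    "stealth": "Firewall stealth mode is on\n",
    "logging": "Log mode is on\n",
    "logging_option": "Log option is detail\n",
    "allow_signed": ("Automatically allow signed built-in software ENABLED\n"
                     "Automatically allow downloaded signed software DISABLED\n"),
    "apps": ("ALF: total number of apps = 2\n\n"
             "1 :  /Applications/Zoom.app\n \t ( Allow incoming connections )\n"
             "2 :  /Applications/Example.app\n \t ( Block incoming connections )\n"),
}


def on_off(text):
    """True/False for a status line; None when the wording is not recognised."""
    t = text.lower()
    if re.search(r"\b(disabled|off)\b", t):
        return False
    if re.search(r"\b(enabled|on)\b", t) or "set to block" in t:
        return True
    return None


def parse_allow_signed(text):
    """--getallowsigned prints one line for built-in and one for downloaded software."""
    out = {}
    for line in text.splitlines():
        if "built-in" in line.lower():
            out["allow_builtin"] = on_off(line)
        elif "downloaded" in line.lower():
            out["allow_downloaded"] = on_off(line)
    return out


def parse_apps(text):
    """--listapps: 'N : <path>' lines, each followed by '( Allow|Block incoming connections )'."""
    apps, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s*:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"\(\s*(Allow|Block)\s+incoming connections\s*\)", line)
        if m and current:
            apps[current] = m.group(1) == "Allow"
            current = None
    return apps


def parse_all(raw):
    """raw: {setting name: command output}.  Returns the observed settings as a flat dict."""
    obs = {k: on_off(raw[k]) for k in ("enabled", "block_all", "stealth", "logging") if k in raw}
    if "logging_option" in raw:
        m = re.search(r"\b(throttled|brief|detail)\b", raw["logging_option"].lower())
        obs["logging_option"] = m.group(1) if m else None
    if "allow_signed" in raw:
        obs.update(parse_allow_signed(raw["allow_signed"]))
    if "apps" in raw:
        obs["apps"] = parse_apps(raw["apps"])
    return obs


def audit(observed, expected):
    """Return drift findings; an empty list means the device matches the policy."""
    findings = []
    for key, want in expected.items():
        if key == "apps":
            for path, allowed in want.items():
                got = observed.get("apps", {}).get(path)
                if got != allowed:
                    findings.append(f"{path}: expected {'allow' if allowed else 'block'}, found {got}")
        elif observed.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {observed.get(key)!r}")
    return findings


def collect():
    """Run every query on a Mac (run with sudo; some queries need it)."""
    return {k: subprocess.run([SFW, flag], capture_output=True, text=True).stdout
            for k, flag in QUERIES.items()}


if __name__ == "__main__":
    EXPECTED = {"enabled": True, "stealth": True, "logging": True, "logging_option": "detail"}
    raw = collect() if os.path.exists(SFW) else SAMPLE_OUTPUT  # falls back to the sample off-Mac
    for line in audit(parse_all(raw), EXPECTED) or ["firewall state matches the expected policy"]:
        print(line)
```

Running this from a Hexnode custom script or any other scheduled job on the Mac gives an independent compliance signal: a non-empty finding list after the policy has applied points at the exceptions listed above (System Preferences left open, or conflicting enable/disable policies) rather than at a healthy enforcement.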
