A blog about archives, storage and everything

Tag: firewall

  • Firewall ch-ch-changes in macOS 15 Sequoia

    Knock knock

    “Who’s there?”

    macOS 15 Sequoia. Check your firewall checking scripts please

    If anyone is following along with my attempt to re-create MunkiReport in SimpleMDM then you’ll be happy to know the space madness is still strong and macOS 15 has made one tiny thing break, my firewall checking script.

    My firewall checking script began life as a simple check of the status in the alf pref file but that file no longer exists in macOS 15.

    See this Knowledge base article which lists in bug fixes that the file no longer exists and that the socketfilterfw binary be used instead, except that doesn’t work when Macs are managed.

    Application Firewall settings are no longer contained in a property list. If your app or workflow relies on changing Application Firewall settings by modifying /Library/Preferences/com.apple.alf.plist, then you need to make changes to use the socketfilterfw command line tool instead.

    Yes, my Macs are managed with MDM and yes I have a profile to enable the firewall but no I don’t trust it so can I check please with another method. Trust but verify.

    So thanks to some friends in the MacAdmins Slack I stole the idea from tuxudo to check firewall in macOS 15 using system profiler, because he had re-written the MunkiReport module already and so there I go again, stealing from MunkiReport and all the hard work they do.

    After playing with the output of system_profiler a bit I looked at the “Mode” 

    /usr/sbin/system_profiler SPFirewallDataType -detailLevel basic |grep Mode 
      Mode: Allow all incoming connections
      Stealth Mode: No

    Of course I could write some nice code to clean this up or instead I switched to searching for “Limit” and if there’s no hit on that there’s no limit (translated: firewall is not enabled“)

    /usr/sbin/system_profiler SPFirewallDataType -detailLevel basic |grep Limit

    And if there is a limit then the firewall is enabled. 

    Mode: Limit incoming connections to specific services and applications

    Simple. Good enough to add to my SimpleMDM script to run and populate the value to the custom attribute and update my dashboard. And my crazy mission to build everything into SimpleMDM dashboard is still… madness …. but also quite fun.

  • SimpleMDM tricks and tips – part 1

    Custom Attributes

    Custom Attributes in SimpleMDM are a way to assign values in a few different cases. I will show one use case, scripting, and one example: checking the firewall.

    Note: for more fun use cases see Steve Quirke’s blog post, or the talk “Making SimpleMDM complicated” by Lucas Hall at MacDevOps:YVR in 2021 or even the official documentation.

    The goal: Checking the firewall

    I wanted to see the status of the macOS firewall in the device view dashboard. That’s so simple, right? Well, I wanted to see it at a glance for every device, and not have to go into each device entry to see if the firewall was enabled.

    Write a script:

    #!/bin/bash

# Check firewall status
firewall=$(defaults read /Library/Preferences/com.apple.alf globalstate)

if [ "$firewall" = "1" ]; then
    echo "Firewall is enabled"
elif [ "$firewall" = "0" ]; then
    # Set firewall status
    #defaults write /Library/Preferences/com.apple.alf globalstate -int 0
    echo "Firewall is NOT enabled"
else
    echo "Unable to determine firewall status"
fi

    Note: This is my script. This seems to work. If you have other working examples let me know.

    Add it to SimpleMDM scripts

    Add your script to the scripts section. Check the “Enable attribute support” check box.

    Add a custom attribute

    Set up a custom attribute that your script will populate with its variable later. I set up one for the firewall.

    Create a job

    Your script will need to run (once, or scheduled) to populate the value into the variable and into the custom attribute. Choose what script runs where on what Macs. And choose the custom attribute.

    And choose the custom attribute.

    Note: The cancel job if not started is helpful if your devices are not responding. And is a premonition to issues you may have with this feature and might give some flashbacks to the ancient way of using scripts in ARD (Apple Remote Desktop) to try to make changes, back in the days before MDM or good configuration management tools ie. munki puppet chef salt etc

    Dashboard Devices

    Add your custom attribute to the viewable columns in the Devices dashboard and your life will be full of joy. Seeing at a glance your scripts output variable as a custom attribute.

    And now I just have to recreate everything in MunkiReport as a custom attribute and then I’ll be good.

    Script debugging.

    Running scripts is all well and good until your devices don’t check in and don’t run the scripts for whatever reason. Rebooting the Mac helps. Refreshing the inventory in SimpleMDM helps (maybe) and well, you’ll see it’s like the old ARD scripts run ad hoc and you’ll wish for better tools like fully functional DDM (declarative device management) which is like configuration management of the days of old. Incorporate MunkiReport and Fleet’s osquery tools and save me the trouble of doing piecemeal.

    Enjoy the script output in the custom attributes for now and send me your awesome ideas for what to script next.