MacOS - Inconsistent Firewall configuration
Hi!
First, thanks for the provided configuration files. They're really helpful!
I've identified an inconsistency with the firewall configuration for macOS:
- MACOS/IntuneManagement/CompliancePolicies/MacOS - OIB - Compliance - U - Device Security - v1.0.json sets the "firewallBlockAllIncoming" to "true"
- MACOS/IntuneManagement/SettingsCatalog/MacOS - OIB - Firewall - D - Gatekeeper - v1.0.json sets the "com.apple.security.firewall_blockallincoming" to false
While both are the same configuration, the compliance setting, which is set to "true", disables the option to use AirPlay (and probably some other services too).
I suggest setting both to the same value (if you need AirPlay, it should be set to "false").
Additionally, I need to test if I set both values to "true" but add the Gatekeeper whitelist for "com.apple.sharingd", if that would work with AirPlay.
EDIT: Confirmed not working if either of the options listed above is set to "true", as "Block all incoming connections" does not honor the whitelist or any other option (Allow signed etc.); it just blocks all incoming connections.
Thanks for sharing. I read that True is essentially a lockdown mode, so I am opting for False and will add rules where needed.
Just to add to @mdura-zbi's comment: the Intune compliance policy shows the following two options for Incoming connections: Block or Not configured.
I'm guessing that if you set the Gatekeeper policy com.apple.security.firewall_blockallincoming to false, you would want to select Not configured in the compliance policy.
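An added consistency check for the mismatch discussed in this thread (my own example, not code from the OIB project or from any participant): it reads the two exported JSON policies and reports whether the compliance policy's `firewallBlockAllIncoming` and the Settings Catalog's `com.apple.security.firewall_blockallincoming` agree, treating an absent compliance value as "Not configured". The sample documents are constructed, and the nesting of the Settings Catalog export (`settingInstance` / `settingDefinitionId` / `choiceSettingValue`) is an assumption.

```python
import json

# Constructed sample exports (not the real OIB files), trimmed to the firewall setting.
COMPLIANCE_JSON = json.dumps({
    "displayName": "MacOS - OIB - Compliance - U - Device Security - v1.0",
    "firewallBlockAllIncoming": True,
})
SETTINGS_CATALOG_JSON = json.dumps({
    "name": "MacOS - OIB - Firewall - D - Gatekeeper - v1.0",
    "settings": [{"settingInstance": {  # assumed Settings Catalog nesting
        "settingDefinitionId": "com.apple.security.firewall_blockallincoming",
        "choiceSettingValue": {
            "value": "com.apple.security.firewall_blockallincoming_false"}}}],
})

def _walk(node):
    """Yield every dict nested anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v)

def compliance_block_all(doc):
    """True/False if the compliance policy sets firewallBlockAllIncoming; None means Not configured."""
    for d in _walk(doc):
        if "firewallBlockAllIncoming" in d:
            return bool(d["firewallBlockAllIncoming"])
    return None

def catalog_block_all(doc):
    """True/False from the Settings Catalog choice value; None if the setting is absent."""
    for d in _walk(doc):
        if d.get("settingDefinitionId") == "com.apple.security.firewall_blockallincoming":
            value = d.get("choiceSettingValue", {}).get("value", "")
            return value.endswith("_true")  # choice values end in _true / _false
    return None

def check_consistency(compliance_text, catalog_text):
    """Return a verdict: INCONSISTENT, WARNING (block-all on, AirPlay breaks) or OK."""
    c = compliance_block_all(json.loads(compliance_text))
    s = catalog_block_all(json.loads(catalog_text))
    if c is not None and s is not None and c != s:
        return f"INCONSISTENT: compliance={c} settings_catalog={s}"
    if c or s:
        return "WARNING: block-all incoming is on; AirPlay and other incoming services will be blocked"
    return "OK: block-all incoming is off or not configured in both policies"
```

Run it against the two files named in the issue after exporting them, or call `check_consistency` with the constructed samples to see the inconsistency reported.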