Enable macOS Application Firewall connection logging to capture audit-ready network telemetry on every Mac endpoint
This Automox Worklet™ enables connection logging for the built-in macOS Application Firewall on every Mac endpoint in your fleet. When logging is on, the firewall records each socket decision it makes – accepted connections, blocked connections, and the process that initiated them – to the unified macOS log. The Worklet drives the same Apple-supplied utility administrators use at the command line, so the change is fully supported and survives reboots, OS upgrades, and user sessions.
The Worklet calls /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode to read the current state and --setloggingmode on to flip the toggle when needed. Endpoints that already report logging mode on return exit code 0 from the evaluation script and skip remediation, so a recurring policy holds the baseline without rewriting the setting on the hosts that pass.
Logging activation is an enforcement action, not a one-time configuration. A user with admin rights, a build script, or a poorly written hardening profile can turn the setting off at any time. Running this Worklet on a recurring policy keeps the logging baseline pinned, and any drift is restored on the next evaluation pass without an admin opening a terminal on the endpoint.
The macOS Application Firewall is enabled by default in many fleets, but its connection logging is not. Without the log stream, the firewall is a silent gatekeeper: it accepts or rejects connections, but you have no record of which process tried to reach which destination, when the attempt happened, or whether the firewall allowed it. That gap matters for three audiences. Security operations cannot reconstruct attacker reconnaissance after a compromise. Compliance teams lose firewall-level evidence that supports broader network-monitoring and logging controls in frameworks like PCI-DSS 10.2, HIPAA 164.312(b), SOC 2 CC7.2, and the CIS macOS Benchmark guidance for Application Firewall logging. The help desk cannot correlate "my VPN client stopped working" with a firewall denial event because no such event exists.
The ALF (Application Layer Firewall) logging setting is one of the values that quietly reverts to off after a major macOS upgrade, a hardening template that resets ApplicationFirewall keys, or an end user clicking through a security-tools cleanup utility. A scheduled policy catches the regression on the next socketfilterfw --getloggingmode call, so the connection-decision stream is restored before the incident-response team needs it for a timeline reconstruction.
Evaluation phase: The Worklet runs /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode and inspects the returned string. If the output reads Log mode is on, the endpoint is already compliant and the script exits 0 with no remediation triggered. If the output reads Log mode is off, the script exits 1 and Automox schedules the remediation phase.
Remediation phase: The remediation script re-checks --getloggingmode, and when the output is anything other than Log mode is on it calls /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on under the Automox agent's root context. The change applies immediately and persists across reboots, and the next scheduled policy pass confirms the new state through the evaluation script.
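The evaluation and remediation phases described above, written out as a Bash pair. This is an added example, not the Worklet's own script. It uses the socketfilterfw path and the "Log mode is on" / "Log mode is off" strings the page gives; the SOCKETFILTERFW override variable and the helper names (alf_logging_is_on, get_logging_mode, evaluate, remediate) are assumptions made here so the logic can be exercised against a stand-in binary off a Mac.

```shell
#!/bin/bash
# Added example (not the Automox Worklet's own code): evaluation and
# remediation for macOS Application Firewall connection logging.
# SOCKETFILTERFW is an assumed override so tests can point at a stand-in.

SOCKETFILTERFW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Parse a --getloggingmode output string. Returns 0 when logging is on.
# A substring match tolerates trailing whitespace or extra lines.
alf_logging_is_on() {
  case "$1" in
    *"Log mode is on"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read the current mode; prints the raw string (empty if the binary is absent).
get_logging_mode() {
  "$SOCKETFILTERFW" --getloggingmode 2>/dev/null || true
}

# Evaluation phase: exit 0 when compliant, 1 when remediation is required.
evaluate() {
  local output
  output="$(get_logging_mode)"
  if alf_logging_is_on "$output"; then
    echo "Compliant: $output"
    return 0
  fi
  echo "Non-compliant: ${output:-no output from socketfilterfw}"
  return 1
}

# Remediation phase: re-check, enable if needed, then verify the change stuck.
remediate() {
  local output
  output="$(get_logging_mode)"
  if alf_logging_is_on "$output"; then
    echo "Already on; nothing to do"
    return 0
  fi
  if [ ! -x "$SOCKETFILTERFW" ]; then
    echo "socketfilterfw not found at $SOCKETFILTERFW" >&2
    return 2
  fi
  "$SOCKETFILTERFW" --setloggingmode on >/dev/null 2>&1 || {
    echo "setloggingmode failed (not root, or an MDM profile pins logging off?)" >&2
    return 1
  }
  # Re-read rather than trust the exit status: a configuration profile can
  # silently override the command-line setting.
  output="$(get_logging_mode)"
  if alf_logging_is_on "$output"; then
    echo "Remediated: $output"
    return 0
  fi
  echo "Remediation did not take effect: $output" >&2
  return 1
}

# Usage: ./alf_logging.sh evaluate   |   ./alf_logging.sh remediate
case "${1:-}" in
  evaluate) evaluate ;;
  remediate) remediate ;;
esac
```

In a Worklet each phase is a separate script, so evaluate and remediate would be split into the two script bodies with the shared helpers copied into each. The post-change re-read in remediate is the part worth keeping: it is what surfaces a com.apple.security.firewall payload that pins logging off, which --setloggingmode on cannot override.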
macOS workstation or server endpoints, including Apple Silicon and Intel-based Macs
The Automox agent installed and running as root (the default deployment configuration meets this requirement)
The macOS Application Firewall binary present at /usr/libexec/ApplicationFirewall/socketfilterfw (shipped with every supported macOS release)
Full Disk Access for the Automox agent if your endpoints are managed by an MDM-driven Privacy Preferences Policy Control profile that restricts socketfilterfw access
No conflicting configuration profile that pins firewall logging to off – an MDM profile always wins over socketfilterfw, so review any deployed com.apple.security.firewall payload first
After a successful remediation pass, socketfilterfw --getloggingmode returns Log mode is on and the macOS Application Firewall begins writing connection decisions to the unified log under the com.apple.alf subsystem. The change is silent to the end user and does not require a reboot.
To validate from the endpoint, run sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode for a one-line confirmation, then log show --predicate 'subsystem == "com.apple.alf"' --last 1h to confirm events are flowing. For audit evidence, capture the same output alongside the Automox policy run identifier. Subsequent policy passes will report the endpoint as compliant without applying remediation again, because the evaluation phase finds logging already on. The Worklet is FixNow compatible, so when a compliance auditor or incident-response lead needs immediate confirmation across the fleet, you can trigger it on demand from the Automox console without waiting for the next scheduled policy window.