
Enable Firewall

Enable macOS firewall protection to block unauthorized network access to endpoints

Worklet Details

What the macOS firewall enablement does

This Automox Worklet™ enables the macOS Application Layer Firewall (ALF), which filters network connections at the application level. The firewall acts as a barrier between your endpoints and external networks, blocking unauthorized incoming connections by default while allowing legitimate application traffic.

The Worklet reads the firewall configuration from the system preferences file at /Library/Preferences/com.apple.alf and enables it by setting the globalstate parameter to 1. This affects all users on the endpoint and persists across restarts.

Why enable firewall protection on macOS endpoints

The macOS firewall is a critical security control that minimizes exposure to network-based attacks. Endpoints connected to corporate networks, public WiFi, or the internet face constant threats from malware and unauthorized access attempts. Enabling the firewall by default maintains a consistent network security posture across your organization.

Many compliance frameworks and IT security policies require firewall protection on all endpoints. Automating firewall enablement through this Worklet reduces administrative overhead and eliminates user circumvention of security controls. It also accelerates onboarding of new endpoints to meet security baselines.

How firewall enablement works

  1. Evaluation phase: The Worklet queries the firewall configuration using the defaults read command to check the globalstate value in com.apple.alf. If the value is 0 (disabled), the Worklet exits with a remediation signal.

  2. Remediation phase: The Worklet executes defaults write to set the firewall globalstate to 1 (enabled). The firewall activates immediately without requiring a restart.
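The two phases above can be sketched as follows. This is an added example, not Automox's Worklet source: the function names and the argument dispatch are hypothetical, and treating an unreadable or non-numeric globalstate as non-compliant is an assumption that goes beyond the page's "value is 0" check.

```shell
#!/bin/sh
# Added example (not the Worklet's own code): evaluation and remediation
# for the macOS Application Layer Firewall, using the path and key named above.
ALF_DOMAIN="/Library/Preferences/com.apple.alf"
ALF_KEY="globalstate"

# Print the current globalstate; returns non-zero if the key cannot be read.
alf_state() {
    defaults read "$ALF_DOMAIN" "$ALF_KEY" 2>/dev/null
}

# Evaluation phase: return 0 when compliant, 1 when remediation is needed.
evaluate() {
    # Assumption: a missing or unreadable key counts as non-compliant.
    state=$(alf_state) || return 1
    case "$state" in
        0)            return 1 ;;  # firewall disabled
        ""|*[!0-9]*)  return 1 ;;  # empty or non-numeric value: fail closed
        *)            return 0 ;;  # 1 or higher: firewall enabled
    esac
}

# Remediation phase: set globalstate to 1, then re-check the stored value.
remediate() {
    defaults write "$ALF_DOMAIN" "$ALF_KEY" -int 1 || return 1
    evaluate
}

# Hypothetical dispatch: "evaluate" or "remediate" as the first argument.
# With no argument the script only defines the functions.
case "${1:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```

Run it as root on the endpoint with evaluate or remediate as the argument. A non-zero exit from evaluate is the remediation signal, and running remediate twice leaves globalstate unchanged.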

Firewall enablement requirements

  • macOS 10.7 or later

  • Root or administrative privileges to modify system preferences

  • Read and write access to /Library/Preferences/com.apple.alf

  • Compatible with both workstations and server endpoints

Expected firewall state after enablement

After the Worklet executes successfully, the macOS firewall is active and enforcing security policies. You can verify this by checking System Settings > Network > Firewall and confirming it is enabled. The firewall icon in the System Preferences Network pane shows the firewall as "On." All incoming connections are filtered through the Application Layer Firewall, blocking unauthorized access by default.

Users can still configure firewall exceptions for specific applications through System Preferences, but the deny-by-default posture protects endpoints from exposure. The Worklet is idempotent: running it multiple times on an endpoint where the firewall is already enabled produces no changes and exits cleanly.

How to validate Enable Firewall changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for Enable Firewall.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

  4. Validate remediation effects from script operations such as defaults, else, exit, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for Enable Firewall. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as defaults, else, exit. Use these indicators to verify that endpoint changes match intended policy outcomes.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
