Enforce the macOS Application Layer Firewall to block unauthorized inbound connections fleet-wide
This Automox Worklet™ enables the macOS Application Layer Firewall (ALF) on workstations and servers across your fleet. ALF is Apple's per-application packet filter, separate from the lower-level pf firewall, and is the control surface that CIS Benchmark 2.5.2 ("Enable Firewall") asks auditors to confirm is active. When the firewall is on, inbound connections to listening sockets are denied unless the user or administrator explicitly approves the application.
The Worklet reads the firewall state from the system preferences plist at /Library/Preferences/com.apple.alf, checking the globalstate key. A value of 0 means the firewall is fully disabled. The Worklet flips that key to 1 (firewall on, allow signed software automatically) on any endpoint where the firewall is off, then exits. Endpoints already in compliance are skipped, so a recurring policy run costs nothing on already-compliant Macs.
The change is applied at the system level, not per user, and persists across reboots. Existing application exceptions, stealth-mode preferences, and firewall logging settings are left untouched, so the Worklet pairs cleanly with the Enable Firewall Stealth Mode and Enable Firewall Logging Worklets for a full CIS 2.5.x posture.
A disabled ALF is a quiet but real attack surface. Any macOS laptop that joins a coffee shop, hotel, or conference network with the firewall off exposes every listening service (screen sharing, file sharing, remote login, developer toolchains binding to 0.0.0.0) directly to whoever else is on that segment. CIS Benchmark 2.5.2 and NIST 800-53 SC-7 both treat firewall-on as a baseline control. An audit that flags globalstate=0 on even a handful of endpoints fails the control for the whole fleet, and nobody knew those endpoints were exposed until the audit ran.
A daily policy against your macOS device group holds globalstate at 1 on every evaluation cycle, including remote and field laptops that rarely return to a corporate network. The same policy reverts any endpoint where a user, configuration tool, or troubleshooting step has flipped ALF back to globalstate=0, so CIS 2.5.2 and NIST 800-53 SC-7 baselines hold without per-laptop verification.
Evaluation phase: The Worklet runs defaults read /Library/Preferences/com.apple.alf globalstate to read the current firewall state. A return value of 0 means the firewall is off; 1 means on with signed-software auto-allow; 2 means on with the stricter "essential services only" mode. The script treats 0 as non-compliant and exits with code 1 to signal that remediation is required. Any other value, including 1 or 2, is treated as compliant and the script exits 0.
Remediation phase: The remediation script re-reads globalstate, then runs defaults write /Library/Preferences/com.apple.alf globalstate -int 1 to enable the firewall in the standard "allow signed software" mode. The change is committed to the system preferences domain immediately; no reboot is required. ALF picks up the new state on its next configuration read, typically within seconds. If the firewall is already enabled, the script logs that it is taking no action and exits 0.
macOS 10.7 (Lion) or later; tested through current Sonoma and Sequoia builds on both Intel and Apple Silicon
Root context for the Automox agent (the default agent context already meets this)
Read and write access to /Library/Preferences/com.apple.alf, which the root agent context already has on a stock macOS install
Compatible with both workstation and server endpoints; no separate variant is needed for macOS Server
No parameters to configure in the Automox console; the policy can be deployed to the macOS endpoint group as-is
If you require the stricter ALF mode 2 (block all incoming connections), pair this Worklet with a separate policy that writes globalstate=2 after this one runs, or modify the remediation script to pass -int 2
After remediation, the firewall is on and the endpoint is aligned with CIS Benchmark 2.5.2. End users see the firewall reported as on in System Settings under Network > Firewall on Ventura and later, or under Security and Privacy > Firewall on Monterey and earlier. From the command line, defaults read /Library/Preferences/com.apple.alf globalstate returns 1, and /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate reports "Firewall is enabled." Subsequent evaluation runs find globalstate already set and exit 0 without taking action, so the policy is idempotent and safe to leave on a daily cadence.
For audit evidence, capture the output of /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate alongside the Automox policy run identifier. End users retain the ability to add per-application exceptions through System Settings, but the global firewall toggle is held on by the Worklet. If an administrator or a configuration profile flips globalstate back to 0, the next Automox evaluation will detect drift and the next remediation will restore the baseline within the policy's scheduling window.
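The evaluation and remediation phases described above, together with a check of the socketfilterfw audit evidence, written out as an added Bash example that is not Automox's own Worklet code. It assumes the defaults and socketfilterfw paths named on this page, and, going one step beyond the page, treats an unreadable globalstate key as non-compliant rather than skipping it.

```shell
#!/bin/bash
# Added example mirroring the Worklet's evaluate/remediate flow; not Automox's code.
set -u
ALF_DOMAIN=/Library/Preferences/com.apple.alf
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Print the current globalstate integer, or nothing if the key is unreadable.
alf_read_state() {
  defaults read "$ALF_DOMAIN" globalstate 2>/dev/null
}

# Compliance decision on a raw value: 0 (off) fails; 1 or 2 passes.
# Assumption beyond the page: an empty/unreadable key is treated as off.
alf_is_compliant() {
  case "${1:-}" in
    0|'') return 1 ;;
    *)    return 0 ;;
  esac
}

# Evaluation phase: return 1 to request remediation, 0 when already compliant.
alf_evaluate() {
  local state
  state="$(alf_read_state)"
  if alf_is_compliant "$state"; then
    echo "globalstate=$state: firewall on, compliant"; return 0
  fi
  echo "globalstate=${state:-unset}: firewall off, remediation required"; return 1
}

# Remediation phase: write globalstate=1 only when the firewall is off.
alf_remediate() {
  local state
  state="$(alf_read_state)"
  if alf_is_compliant "$state"; then
    echo "firewall already enabled (globalstate=$state), no action"; return 0
  fi
  defaults write "$ALF_DOMAIN" globalstate -int 1 || return 1
  "$SFW" --getglobalstate   # audit evidence: expect "Firewall is enabled."
}
# Parse socketfilterfw --getglobalstate text; 0 if it reports the firewall on.
alf_sfw_enabled() {
  case "$1" in
    *"Firewall is enabled"*) return 0 ;;
    *)                        return 1 ;;
  esac
}
case "${1:-}" in
  evaluate)  alf_evaluate ;;
  remediate) alf_remediate ;;
esac
```

Run it as `evaluate` in the policy's evaluation step and `remediate` in the remediation step; the exit codes match the ones the Worklet text describes.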