
Enable Firewall Stealth Mode

Enable macOS firewall stealth mode to prevent unsolicited network discovery probes on untrusted networks

Worklet Details

What the firewall stealth mode enabler does

This Automox Worklet™ enables firewall stealth mode on macOS endpoints by executing the /usr/libexec/ApplicationFirewall/socketfilterfw utility with the --setstealthmode on flag. When stealth mode is enabled, the endpoint stops responding to unsolicited network probes such as ping requests, making it invisible to traditional network discovery tools.

The Worklet is designed for macOS laptops and workstations that frequently connect to untrusted networks where you want to minimize your network visibility. Stealth mode does not interfere with legitimate network traffic or approved applications, allowing normal communication to continue for services you actively use.

Why enable stealth mode on macOS firewalls

Endpoints that respond to network probes reveal their presence to attackers performing reconnaissance scans. Network mapping tools like nmap use ICMP ping requests to identify active hosts on a network. When endpoints respond to these probes, attackers gain information about your network topology and can target specific machines for exploitation.

Stealth mode prevents your macOS endpoints from responding to unsolicited network probes and ICMP ping requests. This configuration makes endpoints invisible to port scanners and network reconnaissance tools. Attackers cannot confirm whether an endpoint exists at a specific IP address, reducing your organization's attack surface.

How stealth mode enforcement works

  1. Evaluation phase: The Worklet queries the current firewall stealth mode status using /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode and checks if stealth mode is disabled. If already enabled, the Worklet exits without making changes. If disabled, it proceeds to remediation.

  2. Remediation phase: The Worklet executes /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on to enable stealth mode, which immediately begins filtering unsolicited inbound network probes and drops traffic that does not match established connections.
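
The two phases above as a single script, together with the firewall-enabled requirement listed on this page. This is an added example, not the Worklet's own code: the function names, the --enforce argument, the return codes and the exact status strings matched in socketfilterfw output are assumptions.

```bash
#!/bin/bash
# Added example, not the Automox Worklet source.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Map --getstealthmode output to on/off/unknown. Both wordings matched here
# are assumptions about what macOS releases print; anything else is "unknown".
stealth_state() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *"stealth mode enabled"* | *"stealth mode is on"*) echo on ;;
    *"stealth mode disabled"* | *"stealth mode is off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# Evaluation logic as a pure function of the two status strings.
# $1 = --getglobalstate output, $2 = --getstealthmode output
# Prints: compliant | remediate | firewall-off | error
plan() {
  # "State = 0" (assumed wording) means the application firewall is off.
  case "$1" in *"State = 0"*) echo firewall-off; return ;; esac
  case "$(stealth_state "$2")" in
    on) echo compliant ;;
    off) echo remediate ;;
    *) echo error ;;   # fail closed on output we do not recognise
  esac
}

enforce() {
  local action
  action=$(plan "$("$FW" --getglobalstate 2>&1)" "$("$FW" --getstealthmode 2>&1)")
  case "$action" in
    compliant) echo "stealth mode already on"; return 0 ;;
    firewall-off) echo "firewall is disabled; enable it first" >&2; return 2 ;;
    error) echo "could not parse socketfilterfw output" >&2; return 3 ;;
  esac
  "$FW" --setstealthmode on >/dev/null || return 4
  # Re-read the state instead of trusting the exit code of the set call.
  [ "$(stealth_state "$("$FW" --getstealthmode 2>&1)")" = on ] || return 5
  echo "stealth mode enabled"
}

# Only touch the system when explicitly asked (run as root on macOS).
if [ "${1:-}" = "--enforce" ]; then enforce; exit $?; fi
```

Keeping plan separate from enforce lets the decision logic be checked against captured status strings on any machine before the script is rolled out to endpoints.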

Firewall stealth mode requirements

  • macOS 10.13 (High Sierra) or later

  • Administrator or root access to execute firewall configuration commands

  • System firewall must be enabled for stealth mode to function

  • No restrictions on terminal or command access that would prevent socketfilterfw from executing

Expected firewall behavior after enabling stealth mode

After remediation, your macOS endpoints stop responding to ICMP ping requests and unsolicited network probes. The firewall silently drops these packets instead of sending responses. External network scanners cannot determine whether the endpoint exists or is offline.

Legitimate network traffic continues to function normally. Applications and services that initiate outbound connections work without interruption. Only unsolicited inbound connection attempts and network probes are silently ignored, making your endpoints less visible to potential attackers.

How to validate Enable Firewall Stealth Mode changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for Enable Firewall Stealth Mode.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as its else branch and exit code.

  4. Validate the effects of remediation script operations, such as the /usr/libexec/ApplicationFirewall/socketfilterfw call and the script's else and exit paths, then rerun the evaluation to confirm compliance.

For technical validation, compare endpoint state to the Worklet's evaluation logic and remediation flow for Enable Firewall Stealth Mode. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and else, and remediation operations such as /usr/libexec/ApplicationFirewall/socketfilterfw, else, and exit. Use these indicators to verify that endpoint changes match intended policy outcomes.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.