Enable macOS firewall stealth mode to silently drop network reconnaissance probes and enforce CIS control 2.5.4.2
This Automox Worklet™ enables firewall stealth mode on macOS endpoints by invoking /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on. With stealth mode active, the Application Layer Firewall drops unsolicited ICMP echo requests, TCP probes, and UDP probes destined for ports with no listening service. The endpoint becomes effectively invisible to nmap host discovery, masscan sweeps, and the ARP-and-ping passes that lateral-movement tooling runs before it picks targets.
The Worklet is idempotent. Evaluation calls socketfilterfw --getstealthmode, pipes the output (Stealth mode enabled or Stealth mode disabled) through awk to capture the third token, and exits 1 only when that token is disabled. When the endpoint already reports enabled, the Worklet exits 0 without writing anything. When stealth is disabled, remediation calls socketfilterfw --setstealthmode on and the next evaluation cycle confirms the new state.
Stealth mode is one of three independent toggles on the macOS Application Layer Firewall, alongside globalstate (the firewall itself) and allowsigned (whether code-signed apps auto-pass). This Worklet touches only stealth mode, so it composes cleanly with separate Worklets that enforce globalstate=on or block specific applications. Run all three on the same policy schedule to keep the full firewall posture in lockstep.
Unsolicited ICMP and TCP probes are the first step in almost every targeted attack against a managed laptop. Network reconnaissance tools fingerprint each responding host, identify the OS, and short-list the endpoints that look like high-value targets before any exploit code runs. CIS Benchmark for macOS control 2.5.4.2 mandates stealth mode for this reason, as does the macOS Security Compliance Project (mSCP) baseline, which maps the setting to NIST SP 800-53 controls SC-7 and SI-4. An endpoint that answers ping on a coffee-shop Wi-Fi or a hotel network advertises itself to anyone scanning that subnet.
Stealth mode is trivial to flip on one Mac and difficult to keep flipped on a thousand travelling laptops, where each remote-work session, troubleshooting step, or third-party network tool can quietly disable it. A daily Automox policy run re-checks the stealthenabled flag on every cycle, so CIS 2.5.4.2 stays enforced on the endpoints actually leaving the building, not only on the ones an admin reaches by hand.
Evaluation phase: The Worklet runs /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode and uses awk to extract the third token from the output. If that token is enabled the endpoint is compliant and the script exits 0 with no changes. If the token is disabled the Worklet exits 1 and remediation is scheduled. Exit codes from the evaluation map directly to the endpoint result reported in the Automox console.
Remediation phase: The Worklet runs /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on as root, which writes the change to /Library/Preferences/com.apple.alf.plist and applies it to the running firewall immediately without a restart. The next evaluation cycle re-reads --getstealthmode and confirms the new state on the endpoint result in the Automox console. A common failure case is the Application Layer Firewall itself being off, in which case stealth mode cannot apply and a separate globalstate Worklet must run first.
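The evaluation and remediation phases above, written out as one script. This is an added example, not the Worklet's own code: it keeps the page's rule (exit 0 when the third token of --getstealthmode is enabled, exit 1 otherwise), and additionally checks --getglobalstate first so the firewall-off failure case is reported with a reason instead of remediation silently doing nothing. The parsing is split into functions that take the command output as a string, so the decision logic can be exercised with captured output on any machine; the SOCKETFILTERFW variable, the function names and the reason strings are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the Automox Worklet's own code). Evaluation/remediation for
# macOS ALF stealth mode with an explicit check for the firewall-off case.

# Assumed: path can be overridden for testing; the default is the real binary.
SOCKETFILTERFW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Extract the state token from "Stealth mode enabled" / "Stealth mode disabled".
# Prints "enabled", "disabled", or "unknown" for anything unexpected (empty
# output, a different macOS wording, or an error message).
parse_stealth_state() {
    token=$(printf '%s\n' "$1" | awk '/^Stealth mode/ { print $3; exit }')
    case "$token" in
        enabled|disabled) printf '%s\n' "$token" ;;
        *) printf 'unknown\n' ;;
    esac
}

# --getglobalstate prints "Firewall is enabled. (State = 1)" or
# "Firewall is disabled. (State = 0)". Prints "on", "off", or "unknown".
parse_global_state() {
    case "$1" in
        *"Firewall is enabled"*)  printf 'on\n' ;;
        *"Firewall is disabled"*) printf 'off\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# Map the two parsed states to a single compliance reason (assumed names):
#   compliant, stealth-disabled, firewall-off, unparseable
decide() {
    global="$1"; stealth="$2"
    if [ "$global" = "off" ]; then printf 'firewall-off\n'; return; fi
    case "$stealth" in
        enabled)  printf 'compliant\n' ;;
        disabled) printf 'stealth-disabled\n' ;;
        *)        printf 'unparseable\n' ;;
    esac
}

# Automox reads only the exit code: 0 = compliant, non-zero = remediate.
exit_code_for() {
    [ "$1" = "compliant" ] && echo 0 || echo 1
}

# Evaluation phase: read both states, print the reason, exit accordingly.
evaluate() {
    global=$(parse_global_state "$("$SOCKETFILTERFW" --getglobalstate 2>/dev/null)")
    stealth=$(parse_stealth_state "$("$SOCKETFILTERFW" --getstealthmode 2>/dev/null)")
    reason=$(decide "$global" "$stealth")
    echo "stealth-mode evaluation: $reason"
    return "$(exit_code_for "$reason")"
}

# Remediation phase: refuse to act when the firewall is off (a globalstate
# Worklet must run first), otherwise enable stealth and re-read the state.
remediate() {
    global=$(parse_global_state "$("$SOCKETFILTERFW" --getglobalstate 2>/dev/null)")
    if [ "$global" = "off" ]; then
        echo "firewall is off; stealth mode cannot apply" >&2
        return 1
    fi
    "$SOCKETFILTERFW" --setstealthmode on >/dev/null
    stealth=$(parse_stealth_state "$("$SOCKETFILTERFW" --getstealthmode 2>/dev/null)")
    [ "$stealth" = "enabled" ]
}

# Run as "script.sh evaluate" or "script.sh remediate" on a Mac; with no
# argument the functions are only defined, so the file can be sourced.
case "${1:-}" in
    evaluate)  evaluate ;;
    remediate) remediate ;;
esac
```

Keep the two phases as separate Worklet scripts in Automox if you prefer; the point of the shared parsing functions is that the remediation phase re-reads --getstealthmode after writing, so its exit status already reflects what the next evaluation cycle will report.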
macOS 10.13 (High Sierra) or later. The socketfilterfw --setstealthmode flag is present on all currently supported macOS releases including Sonoma and Sequoia.
Root execution context. The Automox agent runs as root on macOS by default, which satisfies this requirement automatically.
Application Layer Firewall enabled (globalstate=on). Stealth mode is a sub-setting of the ALF; run a globalstate Worklet first if the firewall itself is off.
No conflicting MDM configuration profile. If a profile sets stealth mode via the com.apple.security.firewall payload, the profile wins over socketfilterfw and the Worklet keeps reporting the endpoint as non-compliant until the profile is amended.
Network reachability to the Automox console. The Worklet itself runs locally and needs no outbound network beyond the agent's normal check-in.
After remediation, socketfilterfw --getstealthmode returns Stealth mode enabled, and the macOS Application Layer Firewall silently drops unsolicited probes instead of returning ICMP unreachable or TCP RST packets. Run ping <endpoint-ip> from a second host on the same subnet to confirm: requests time out with no reply. Run nmap -sn <endpoint-ip> from a host on a different subnet and the host shows as down even though it is online and reachable for outbound and established traffic (on the same subnet, nmap -sn discovers hosts with ARP requests, which stealth mode does not suppress, so the host still shows as up there). The change persists across reboots; macOS stores stealth state in /Library/Preferences/com.apple.alf.plist, which is read at boot by the socketfilterfw launch daemon.
Legitimate outbound and established connections continue to work normally. Time Machine to the local NAS, AirDrop to nearby Macs, Bonjour service discovery for printers, and any application the user actively connects to from the endpoint are unaffected. Stealth mode only changes the response to unsolicited inbound traffic; it does not change which inbound services are allowed. For audit evidence, capture the socketfilterfw --getstealthmode output and the timestamp of the policy run, then store them with the Automox activity log entry. Re-evaluation on the next policy cycle confirms the endpoint stays compliant; if an admin or update flips the setting back, the Worklet restores it without manual intervention.
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.