Enable macOS firewall stealth mode to prevent unsolicited network discovery probes on untrusted networks
This Automox Worklet™ enables firewall stealth mode on macOS endpoints by executing the /usr/libexec/ApplicationFirewall/socketfilterfw utility with the --setstealthmode on flag. When stealth mode is enabled, the endpoint stops responding to unsolicited network probes such as ping requests, making it invisible to traditional network discovery tools.
The Worklet is designed for macOS laptops and workstations that frequently connect to untrusted networks where you want to minimize your network visibility. Stealth mode does not interfere with legitimate network traffic or approved applications, allowing normal communication to continue for services you actively use.
Endpoints that respond to network probes reveal their presence to attackers performing reconnaissance scans. Network mapping tools like nmap use ICMP ping requests to identify active hosts on a network. When endpoints respond to these probes, attackers gain information about your network topology and can target specific machines for exploitation.
Stealth mode prevents your macOS endpoints from responding to unsolicited network probes and ICMP ping requests. This configuration makes endpoints invisible to port scanners and network reconnaissance tools. Attackers cannot confirm whether an endpoint exists at a specific IP address, reducing your organization's attack surface.
Evaluation phase: The Worklet queries the current firewall stealth mode status using /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode and checks if stealth mode is disabled. If already enabled, the Worklet exits without making changes. If disabled, it proceeds to remediation.
Remediation phase: The Worklet executes /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on to enable stealth mode, which immediately begins filtering unsolicited inbound network probes and drops traffic that does not match established connections.
macOS 10.13 (High Sierra) or later
Administrator or root access to execute firewall configuration commands
System firewall must be enabled for stealth mode to function
No terminal windows or restricted command access limitations that would prevent socketfilterfw execution
After remediation, your macOS endpoints stop responding to ICMP ping requests and unsolicited network probes. The firewall silently drops these packets instead of sending responses. External network scanners cannot determine whether the endpoint exists or is offline.
Legitimate network traffic continues to function normally. Applications and services that initiate outbound connections work without interruption. Only unsolicited inbound connection attempts and network probes are silently ignored, making your endpoints less visible to potential attackers.
Run this Worklet on a pilot macOS endpoint and review evaluation output for enable firewall stealth mode.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.
Validate remediation effects from script operations such as /usr/libexec/ApplicationFirewall/socketfilterfw, else, exit, then rerun evaluation for compliance.
For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for enable firewall stealth mode. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.
Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as /usr/libexec/ApplicationFirewall/socketfilterfw, else, exit. Use these indicators to verify that endpoint changes match intended policy outcomes.


By submitting this form you agree to our Master Services Agreement and Privacy Policy.
Already have an account? Log in
Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.

AUTOMOX + WORKLETS™
Uncover new possibilities with simple, powerful automation.
By submitting this form you agree to our Master Services Agreement and Privacy Policy