KB-4101: How to manage OS X firewall rules via GP

Centrify Identity Service, Mac Edition

12 April,16 at 11:18 AM

Applies to: Centrify DirectControl on Mac OS X

Question:

The Centrify for Mac Group Policies only provide the option to enable or disable the firewall found in:
 
System Preferences > Security & Privacy > Firewall

Is there any way to configure the actual firewall rules found in the "Firewall Options" section?


Answer:

Note:
  • In older versions of OS X, the "socketfilterfw" app that is packaged with OS X could be used to manage the firewall rules from the command line.
  • However, it was discovered that since OS X 10.6, some parameters of this command no longer work as expected.


To work around the above limitation:
  • A "template Mac" can be used to first generate the desired firewall plist configuration.
  • This plist is then pushed to the rest of the systems on the domain.
  • The firewall rules will then take effect on those Mac systems at the next reboot.
 
 
  1. On the "template Mac", configure the Firewall Options with the desired set of rules and save the changes.
     
  2. Open the Terminal and run the following command:
    • defaults read /Library/Preferences/com.apple.alf.plist > ~/Desktop/com.apple.alf.plist 
  3. Copy the plist that appears on the Desktop over to the AD server in the location:
    • \\[domain]\SYSVOL\[domain]\
    • (Or any universally accessible network share in the domain) 
  4. Configure the GP at:
    • Computer Configuration / Centrify Settings / Common UNIX Settings / "Copy files" 
       
    • Filename: (Browse to the "com.apple.alf.plist" file) 
    • Destination: /Library/Preferences/com.apple.alf.plist 
    • Leave everything else as default (See screenshot below)
  5. Wait for the GP to get pushed out and then have the users reboot the Mac machines. 
     
  6. Upon restarting, the new firewall rules will be effective when the users log in.
 
User-added image
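
Because the one plist taken from the template Mac replaces the firewall configuration on every Mac that receives the GP, it is worth checking the file before it goes on the share. The script below is an added example, not part of the original article or Centrify's tooling. It assumes the file is an XML or binary plist (the formats Python's plistlib reads), that the key names globalstate, stealthenabled and loggingenabled match those in the template Mac's file, and that the POLICY values are an illustrative baseline to adjust.

```python
import plistlib

# Constructed sample standing in for the template Mac's exported plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>globalstate</key><integer>0</integer>
  <key>stealthenabled</key><integer>0</integer>
  <key>loggingenabled</key><integer>1</integer>
  <key>allowsignedenabled</key><integer>1</integer>
</dict>
</plist>
"""

# Assumed baseline: key -> (accepted values, consequence if not met).
# globalstate: 0 = off, 1 = on, 2 = block all incoming connections.
POLICY = {
    "globalstate": ({1, 2}, "firewall would be turned off on every target Mac"),
    "stealthenabled": ({1}, "stealth mode would be off"),
    "loggingenabled": ({1}, "firewall logging would be off"),
}


def audit_alf_plist(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the template passes."""
    try:
        prefs = plistlib.loads(data)
    except Exception as exc:  # not an XML/binary plist, or a truncated copy
        return [f"unparseable plist: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level object is not a dictionary"]
    findings = []
    for key, (allowed, meaning) in POLICY.items():
        if key not in prefs:
            findings.append(f"{key}: missing from template")
        elif prefs[key] not in allowed:
            findings.append(f"{key}={prefs[key]!r}: {meaning}")
    return findings


if __name__ == "__main__":
    for line in audit_alf_plist(SAMPLE_PLIST) or ["template OK"]:
        print(line)
```

To check a real file, pass its bytes to audit_alf_plist() and treat any finding as a reason not to publish the template.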
