Applies to: Centrify DirectControl on Mac OS X
The Centrify for Mac Group Policies only provide the option to enable or disable the firewall found in:
System Preferences > Security & Privacy > Firewall
Is there any way to configure the actual firewall rules found in the "Firewall Options" section?
- In older versions of OS X, the "socketfilterfw" app that is packaged with OS X could be used to manage the firewall rules from the command line.
- However, it was discovered that since OS X 10.6, some parameters of this command no longer work as expected.
As an alternative way to work around the above limitations:
- A "template Mac" can be used to first generate the desired firewall plist configuration.
- This plist is then pushed to the rest of the systems on the domain.
- The firewall rules will then apply on the pushed Mac systems at the next reboot.
- On the "template Mac", configure the Firewall Options with the desired set of rules and save the changes.
- Open the Terminal and run the following command:
  - defaults read /Library/Preferences/com.apple.alf.plist > ~/Desktop/com.apple.alf.plist
- Copy the plist that appears on the Desktop over to the AD server in the location:
  - \\[domain]\SYSVOL\[domain]\
  - (Or any universally accessible network share in the domain)
- Configure the GP at:
  - Computer Configuration / Centrify Settings / Common UNIX Settings / "Copy files"
  - Filename: (Browse to the "com.apple.alf.plist" file)
  - Destination: /Library/Preferences/com.apple.alf.plist
  - Leave everything else as default (See screenshot below)
- Wait for the GP to get pushed out and then have the users reboot the Mac machines.
- Upon restarting, the new firewall rules will be effective when the users log in.
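Because the template replaces the firewall preferences on every Mac that receives it, it is worth checking the file before placing it on the share. The following is an added example, not part of the original article or of Centrify's tooling: it assumes a copy of the template in XML or binary plist form (the formats Python's plistlib parses), and the POLICY values and the function name are hypothetical.

```python
import plistlib

# Example policy (an assumption for illustration, not a Centrify or Apple default):
# allowed values for keys of the exported com.apple.alf plist.
# globalstate: 0 = firewall off, 1 = on, 2 = on and blocking all incoming connections.
POLICY = {
    "globalstate": (1, 2),
    "loggingenabled": (1,),
    "stealthenabled": (0, 1),
}


def check_alf_template(data: bytes, policy=POLICY) -> list:
    """Return the problems found in a template plist; an empty list means it passes."""
    try:
        prefs = plistlib.loads(data)
    except Exception as exc:  # truncated, malformed, or not an XML/binary plist
        return [f"unreadable plist ({type(exc).__name__})"]
    if not isinstance(prefs, dict):
        return ["top-level object is not a dictionary"]
    problems = []
    for key, allowed in policy.items():
        value = prefs.get(key)
        if value is None:
            problems.append(f"{key} is missing")
        elif value not in allowed:
            problems.append(f"{key}={value!r} not in allowed values {list(allowed)}")
    return problems


# Constructed sample inputs (not taken from a real system).
GOOD = plistlib.dumps({"globalstate": 1, "loggingenabled": 1, "stealthenabled": 0})
FIREWALL_OFF = plistlib.dumps({"globalstate": 0, "loggingenabled": 1, "stealthenabled": 0})
# Old-style text plist, the style printed by "defaults read"; plistlib cannot parse it.
OLD_STYLE_TEXT = b"{\n    globalstate = 1;\n    loggingenabled = 1;\n}\n"

if __name__ == "__main__":
    samples = [("good", GOOD), ("firewall off", FIREWALL_OFF),
               ("old-style text", OLD_STYLE_TEXT)]
    for name, blob in samples:
        print(name, "->", check_alf_template(blob) or "OK")
```

A template that fails the check, including one that disables the firewall outright, is caught before the Group Policy copies it to the domain.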