Should organizations turn on the native firewall on Mac?
The native macOS firewall is off by default, so IT might wonder if it's worth it to set up the security feature. Find out how to enable the Mac firewall and why it's important.
Network security is a vital part of cybersecurity in the enterprise, so IT administrators must implement the right settings to keep hackers from exploiting the vulnerabilities that come with Wi-Fi and internet use.
Unlike the native firewall on Windows devices, the native macOS firewall is turned off by default after installation. Even though Mac devices are known for their secure nature, that doesn't mean that it's best for organizations to leave the firewall in its default state.
A firewall can still protect Mac devices from unwanted connections that are initiated by other devices on the internet or local network. In an enterprise setting, it's important to have that stronger form of defense against malware and other network threats. The firewall on Mac devices is a proxy firewall with limited configuration options -- especially compared to third-party firewall providers -- but those options are sufficient in most cases.
What's the purpose of running a firewall in an enterprise environment?
Generally speaking, a firewall is a necessity in enterprise environments. When running a mix of different devices and platforms within an environment, IT teams must take several measures to protect their resources and data from unwanted outside access. That often requires a layered approach with network firewalls to protect all internal resources and data, as well as an additional local firewall on the devices that are capable of running it.
Additionally, IT often has to deal with hybrid environments and hybrid workers. If users work from a local coffee shop, for example, IT has no control over what's happening in that network. A local firewall, such as the one that Macs offer, at least provides more control over what access is allowed to end-user devices and, in turn, the data and resources of the organization.
Key features of the native Mac firewall
The default firewall on Mac devices is a lightweight application firewall that provides basic configuration options to prevent outside devices from setting up a connection. The key configuration options of the firewall include the following:
- Block all incoming connections except those that are required for basic internet services, such as DNS and IPsec.
- Automatically allow built-in software to receive incoming connections.
- Automatically allow downloaded software that's been signed by a valid certificate authority (CA) to receive incoming connections.
- Allow or block incoming connections based on user-specified apps.
- Enable stealth mode to prevent responding to Internet Control Message Protocol (ICMP) requests, such as port scan requests.
How to enable the native firewall on a Mac device
Since the firewall on Mac devices is turned off by default after installation, it takes a few steps to set it up. If an organization uses a mobile device management (MDM) provider to manage its Mac devices, admins can also use MDM to centrally manage the configuration of the Mac firewall. That gives IT more control over the configuration, as well as insight into which Mac devices have the firewall enabled.
To manually turn on the firewall in macOS, perform the following actions:
- Open the Apple menu, and select System Settings.
- Navigate to Network, and click on the Firewall tab to get to the configuration of the firewall.
- Switch the slider for Firewall to the right to turn it on.
From there, IT can go to Options to turn on additional firewall settings. Actions that IT admins can take include the following:
- Switch the slider for Block all incoming connections to the right to only allow connections that are required for basic internet services.
- Use the + button to allow or block connections from specified apps.
- Switch the slider for Automatically allow downloaded signed software to receive incoming connections to the right to allow downloaded software that's been signed by a valid CA to receive incoming connections.
- Switch the slider for Enable stealth mode to the right to stop responding to ICMP requests and make it more difficult for attackers to find the device.
Admins can also go to this tab to manage incoming connections for specific apps. That includes system apps, services and processes. However, blocking incoming connections for a specific app might interfere with the performance and usage of that app, so admins should be familiar with the firewall requirements of any app they specifically block. When an app that isn't on the list receives an incoming connection attempt, an alert appears asking the user to allow or block the connection. That connection is blocked until the user takes action.
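The same settings that the System Settings steps above toggle can be applied from a script, which is how they are typically pushed when an MDM runs a shell payload or an admin audits a fleet. The following is an added example, not code from the article: it drives Apple's socketfilterfw command-line tool, which exposes the firewall, stealth mode and signed-software options, and it includes an audit function that checks captured status lines so the compliance logic can be exercised on any host. Assumptions: the script runs as root on macOS (socketfilterfw requires administrator rights), the tool lives at /usr/libexec/ApplicationFirewall/socketfilterfw, and the sample status lines in the comments and test are constructed to resemble the tool's output.

```shell
#!/bin/sh
# Added example (not from the article): manage the macOS application firewall
# with socketfilterfw, the CLI behind System Settings > Network > Firewall.
# Assumption: run as root on macOS; the path below is where Apple ships the tool.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Baseline that mirrors the article's recommendation: firewall on, stealth mode
# on, built-in and validly signed downloaded software allowed, blocked
# connections logged. "Block all incoming connections" is deliberately left off
# because it also stops IT tools such as screen sharing from reaching the Mac.
fw_apply_baseline() {
    [ -x "$SFW" ] || { echo "socketfilterfw not found; is this macOS?" >&2; return 2; }
    "$SFW" --setglobalstate on
    "$SFW" --setstealthmode on
    "$SFW" --setallowsigned on      # built-in, Apple-signed software
    "$SFW" --setallowsignedapp on   # downloaded software signed by a valid CA
    "$SFW" --setloggingmode on
}

# Map one status line from socketfilterfw to 1 (on) or 0 (off).
# Constructed samples of the tool's phrasing: "Firewall is enabled. (State = 1)",
# "Stealth mode disabled". Anything unrecognised counts as off, so a changed
# output format fails closed during an audit rather than passing silently.
fw_state_from_line() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *disabled*) echo 0 ;;
        *enabled*)  echo 1 ;;
        *)          echo 0 ;;
    esac
}

# Audit two status lines (global state, stealth mode). Returns 0 when both are
# on, 1 otherwise, printing a finding per failed control. Taking the lines as
# arguments lets the check run against output captured from many Macs.
fw_audit() {
    global=$(fw_state_from_line "$1")
    stealth=$(fw_state_from_line "$2")
    rc=0
    [ "$global" -eq 1 ]  || { echo "FAIL: firewall is off"; rc=1; }
    [ "$stealth" -eq 1 ] || { echo "FAIL: stealth mode is off"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: firewall and stealth mode enabled"
    return "$rc"
}

# Live audit on a Mac: query the tool and evaluate the answers.
fw_audit_live() {
    [ -x "$SFW" ] || { echo "socketfilterfw not found; skipping live audit" >&2; return 2; }
    fw_audit "$("$SFW" --getglobalstate)" "$("$SFW" --getstealthmode)"
}

# Usage on a managed Mac: apply the baseline, then confirm it took effect.
# Guarded so the functions can be sourced on a non-Mac host without side effects.
[ -x "$SFW" ] && fw_apply_baseline >/dev/null && fw_audit_live
```

Running the audit separately from the apply step matters in practice: an MDM can report that a script ran, but only the `--getglobalstate` and `--getstealthmode` answers show whether the firewall is actually on, and a user with admin rights can switch it back off in System Settings after the push. Organizations that want the setting enforced rather than merely applied should deliver it as an MDM firewall configuration profile, which keeps the toggle out of the user's hands.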
Is the firewall on Mac enough for an enterprise environment?
When looking at Mac devices in an enterprise environment, it's safe to say that the standard firewall is sufficient in most cases. On the internal network, the available network firewall handles most of the work, and on any personal or public network, it's up to the user. In those scenarios, it's best to have the firewall enabled and properly managed. The combination of the built-in firewall with the secure nature of Mac devices provides enough protection for most organizations.
Of course, it all depends on an organization's security requirements. It might not be sufficient for highly secure environments, or there might be additional auditing and logging requirements that it can't meet. In those cases, admins can look to third-party products for firewall options with more specific functionalities.