macOS Firewall Configuration for Cyber Essentials

Apple ships every Mac with the application firewall turned off entirely, not misconfigured or partially enabled but completely off. I have lost count of the number of assessments where a company has twenty Macs, all with the firewall disabled, and nobody knew because macOS doesn't nag you about it the way Windows does. Two minutes per machine to fix. Zero cost. But if you haven't done it, the Firewall control fails.
What I look for during an assessment
The firewall being on is the obvious one, but I check more than that.
Is stealth mode enabled? Stealth mode stops the Mac answering pings and other unsolicited probes, such as a port scan hitting closed ports. It is a single toggle in the firewall options and it gets missed constantly. Without it, the machine confirms it exists to anyone scanning the subnet. Note that stealth mode does not hide services you have allowed through the firewall; those still answer, which is why the allowed-application list below matters just as much.
Are only the right applications allowed through? The macOS firewall works at the application level, not the port level. By default two options are ticked: automatically allow built-in software, and automatically allow downloaded signed software, to receive incoming connections. That means the moment you install a notarised screen sharing tool or chat application, it can receive inbound traffic without anyone being asked. The assessor wants to see that list restricted to applications that genuinely need inbound connections.
Is Gatekeeper turned on and configured correctly? Gatekeeper controls which applications are allowed to run on the device. It should be set to allow apps from the App Store and identified developers only. This is part of the Secure Configuration control, not the Firewall control, but I check it at the same time since I am already looking at security settings.
Is the macOS version still receiving security updates? In practice Apple patches the current major release and the two before it, and Apple's own security release notes state that not every fix is backported to the older two. Anything older than that gets no patches at all, which fails the Security Update Management control outright, since Cyber Essentials requires software in scope to be supported by its vendor.
Turning on the firewall
Through System Settings (Ventura, Sonoma, Sequoia)
Open System Settings, click Network in the sidebar, click Firewall, and toggle it on. Then click Options to enable stealth mode and review which applications are allowed through.
Honestly, it really is that simple for a single machine. The problem is that nobody does it during setup, and macOS never prompts you.
Through the terminal
If you prefer the command line or need to script it across multiple machines:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Verify:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
The first should report "Firewall is enabled. (State = 1)" and the second "Stealth mode enabled". Anything else means the setting did not take.
Tightening application rules
The default behaviour lets any built-in or downloaded signed application receive incoming connections automatically. For a CE assessment, that is usually too permissive. The first command below also covers Apple's own built-in software, so test it on one machine before rolling it out: any built-in service that listens may need an explicit rule afterwards.
# Stop automatically allowing signed software
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off
Then add back only the applications that need to accept inbound traffic, and make the allow explicit (--add registers the app in the list, --unblockapp sets its rule to allow):
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Slack.app
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Applications/Slack.app
Check your current rules:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
Most applications do not need inbound connections, including browsers, mail clients, and word processors. The applications that do are things like remote management tools, screen sharing services, and development servers. If an application appears in your firewall rules and you cannot explain why it needs inbound access, remove it with --remove <path>, or use --blockapp <path> to keep the entry but deny it.
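The checks in this section and the verification commands above are easy to script. The following is an added example, not code from the page or from Apple: it parses the output of the socketfilterfw queries (--getglobalstate, --getstealthmode, --getallowsigned, --listapps) into CE findings. Each check takes the command output as an argument, so the logic runs offline against the constructed sample at the bottom, which is modelled on a Mac left at factory defaults; on a real Mac (run with sudo) it audits the live settings instead.

```shell
#!/bin/sh
# ce_fw_audit.sh (added example): turn socketfilterfw output into CE findings.
# Every check takes the raw command output as $1 so it can be tested against
# constructed samples; only the block at the end touches the live system.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# --getglobalstate prints "Firewall is enabled. (State = 1)". State 2 is
# "block all incoming connections", which also counts as on; State 0 is off.
fw_is_enabled() { printf '%s\n' "$1" | grep -q 'State = [12]'; }

# --getstealthmode prints "Stealth mode enabled" or "Stealth mode disabled".
fw_stealth_enabled() { printf '%s\n' "$1" | grep -qi 'stealth mode enabled'; }

# --getallowsigned prints one line for built-in software and one for
# downloaded signed software. The downloaded one is the CE concern here.
fw_downloaded_signed_auto_allowed() {
  printf '%s\n' "$1" | grep -i 'downloaded signed software' | grep -qi 'enabled'
}

# --listapps prints "N :  /path/to/App.app" followed by a line reading
# "( Allow incoming connections )" or "( Block incoming connections )".
# Print only the paths whose rule is allow.
fw_allowed_apps() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+ *:/ { p = $0; sub(/^[0-9]+ *: */, "", p); sub(/[ \t]+$/, "", p); next }
    /Allow incoming/ && p != "" { print p; p = "" }'
}

# One finding per line; no output means nothing to fix.
# usage: fw_ce_findings <globalstate> <stealthmode> <allowsigned> <listapps>
fw_ce_findings() {
  fw_is_enabled "$1" || echo 'FAIL firewall is off (fix: --setglobalstate on)'
  fw_stealth_enabled "$2" || echo 'FAIL stealth mode is off (fix: --setstealthmode on)'
  if fw_downloaded_signed_auto_allowed "$3"; then
    echo 'WARN downloaded signed software is auto-allowed (fix: --setallowsignedapp off)'
  fi
  fw_allowed_apps "$4" | while IFS= read -r app; do
    echo "REVIEW allowed inbound: $app (document why, or --remove it)"
  done
}

# Constructed sample output (not captured from a real machine), shaped like a
# Mac at factory defaults with two signed apps that have asked to listen.
SAMPLE_STATE='Firewall is disabled. (State = 0)'
SAMPLE_STEALTH='Stealth mode disabled'
SAMPLE_SIGNED='Automatically allow built-in signed software ENABLED
Automatically allow downloaded signed software ENABLED'
SAMPLE_APPS='ALF: total number of apps = 3

1 :  /Applications/Slack.app
     ( Allow incoming connections )
2 :  /Applications/Google Chrome.app
     ( Allow incoming connections )
3 :  /usr/libexec/sshd-keygen-wrapper
     ( Block incoming connections )'

if [ -x "$SFW" ]; then
  # Live audit; run with sudo so --listapps returns the complete list.
  fw_ce_findings "$("$SFW" --getglobalstate)" "$("$SFW" --getstealthmode)" \
    "$("$SFW" --getallowsigned)" "$("$SFW" --listapps)"
else
  # Not a Mac: show the report for the constructed sample instead.
  fw_ce_findings "$SAMPLE_STATE" "$SAMPLE_STEALTH" "$SAMPLE_SIGNED" "$SAMPLE_APPS"
fi
```

The REVIEW lines are the list the assessor asks for: every allowed application needs a one-line justification, and anything you cannot justify comes out.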
Managing a fleet with configuration profiles
If you are running more than a handful of Macs, you should be using an MDM solution (Jamf, Mosyle, Intune, or similar) to push firewall settings as a configuration profile. A profile keeps the firewall on even if a user tries to disable it, and it means new machines are configured correctly from the moment they enrol.
A minimal firewall profile looks like this. It is a standard .mobileconfig: the outer dictionary describes the profile, the inner one is the firewall payload. The two PayloadUUID values are placeholders; generate real ones with uuidgen before importing the file into your MDM. AllowSignedApp is the profile equivalent of --setallowsignedapp off and needs macOS 12.3 or later.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.security.firewall</string>
<key>PayloadIdentifier</key>
<string>com.company.firewall.ce.payload</string>
<key>PayloadUUID</key>
<string>REPLACE-WITH-UUIDGEN-OUTPUT-1</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>EnableFirewall</key>
<true/>
<key>EnableStealthMode</key>
<true/>
<!-- Stop auto-allowing downloaded signed software; allow specific apps via the Applications array instead -->
<key>AllowSignedApp</key>
<false/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Firewall (Cyber Essentials)</string>
<key>PayloadIdentifier</key>
<string>com.company.firewall.ce</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>REPLACE-WITH-UUIDGEN-OUTPUT-2</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadScope</key>
<string>System</string>
</dict>
</plist>
Once this profile is installed, the firewall toggle in System Settings is greyed out: the user cannot turn the firewall off or switch automatic allow for signed software back on. If particular applications need inbound access, add them to the payload's Applications array (one dictionary per app with its BundleID and Allowed set to true) rather than letting users click through prompts. That is the level of control the assessor wants to see in a managed environment.
Gatekeeper and XProtect
These are not part of the Firewall control, but they are part of the Malware Protection and Secure Configuration controls, and the assessor checks them during the same assessment session.
Gatekeeper prevents unsigned or unnotarised applications from running. Check it:
spctl --status
If it prints "assessments enabled", you are fine. If it prints "assessments disabled", turn it back on:
sudo spctl --master-enable
On Sequoia the flag was renamed, so use sudo spctl --global-enable there instead.
I occasionally find Macs where a developer has disabled Gatekeeper to install unsigned tools. If that Mac is in scope, it fails. The fix is instant, but you need to know it happened.
XProtect is Apple's built-in malware detection. Its signatures, and the companion XProtect Remediator scans, are delivered as background security updates rather than as full macOS updates, so the setting that matters is in System Settings, under General, then Software Update, then Automatic Updates: "Install Security Responses and system files" must be on. You do not configure XProtect itself. If that toggle is off or updates are paused, XProtect stops receiving new signatures, and that becomes a Malware Protection finding.
The mistakes I keep seeing
Firewall off on every Mac in the building. The most common failure. Nobody turned it on during setup, macOS never asked, and the IT person assumed it was on by default because Windows Firewall is.
Stealth mode not enabled, which is a single checkbox that people miss because they enable the firewall and stop there without clicking into the options.
Signed software auto-allowed. The default lets any App Store or notarised application accept inbound connections. A creative agency with 40 different design and collaboration tools installed will have 40 allowed applications, most of which have no reason to accept inbound traffic.
Unsupported macOS version. Apple does not publish an official end-of-life schedule the way Microsoft does, but in practice, once a macOS version is three major releases behind the current one, it stops receiving security updates. If you are still running Monterey when Sequoia is current, check whether Apple is still issuing patches for it.
FileVault not enabled. This is not a firewall issue, but I mention it here because I check it at the same time. FileVault (full disk encryption) is not strictly required for basic CE, but it is good practice and it comes up in the Secure Configuration questions. Many organisations already have it on. If you do not, turning it on takes one click and an overnight encryption run; keep the recovery key somewhere you control (MDM escrow if you have it), because without it a forgotten password means a wiped Mac.
What to prepare for the assessment
For each Mac in scope, the assessor needs to see:
- The firewall is enabled with stealth mode active
- The list of applications allowed through the firewall, with a reason for each
- Gatekeeper is enabled and set to block unsigned applications
- The macOS version is still supported and receiving security updates
- Automatic updates are turned on for both system and security updates
A screenshot of System Settings showing the firewall enabled and the options panel with stealth mode is the standard evidence. For CE Plus, the assessor checks these settings directly on sampled machines, so make sure every machine matches what you have documented.
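The rest of the evidence list can be collected the same way as the firewall checks. This is an added example, not code from the page or from Apple: each function takes the raw output of the command an assessor would run (sw_vers -productVersion, spctl --status, and defaults read against the com.apple.SoftwareUpdate preferences, whose AutomaticCheckEnabled, AutomaticallyInstallMacOSUpdates, ConfigDataInstall and CriticalUpdateInstall keys back the Software Update toggles) and the report turns them into PASS/FAIL lines. The supported-version rule is the rule of thumb from earlier in this article (current major release plus the two before it); CURRENT_MAJOR is an assumption that whoever runs this must keep current, and the sample values at the bottom are constructed.

```shell
#!/bin/sh
# ce_mac_evidence.sh (added example): PASS/FAIL lines for the non-firewall
# items on the CE evidence list. Functions take command output as arguments
# so they can be checked offline; only the last block reads the live system.

# Assumption: the current major macOS release. Update this when Apple ships
# a new major version; the supported window is this and the two before it.
CURRENT_MAJOR=15

# "14.7.1" -> "14"
macos_major() { printf '%s\n' "$1" | cut -d. -f1; }

# usage: macos_supported <output of sw_vers -productVersion>
macos_supported() {
  [ "$(macos_major "$1")" -ge $((CURRENT_MAJOR - 2)) ]
}

# usage: gatekeeper_enabled <output of spctl --status>
gatekeeper_enabled() { printf '%s\n' "$1" | grep -q '^assessments enabled'; }

# usage: pref_is_on <output of defaults read ...>  ("1" means the toggle is on)
pref_is_on() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; }

# usage: ce_update_findings <productVersion> <spctl status> <AutomaticCheckEnabled>
#        <AutomaticallyInstallMacOSUpdates> <ConfigDataInstall> <CriticalUpdateInstall>
ce_update_findings() {
  if macos_supported "$1"; then echo "PASS macOS $1 is within the supported window"
  else echo "FAIL macOS $1 is more than two releases behind $CURRENT_MAJOR and no longer patched"; fi
  if gatekeeper_enabled "$2"; then echo "PASS Gatekeeper assessments enabled"
  else echo "FAIL Gatekeeper disabled (spctl --status: $2)"; fi
  if pref_is_on "$3"; then echo "PASS automatic update checks on"
  else echo "FAIL AutomaticCheckEnabled is off"; fi
  if pref_is_on "$4"; then echo "PASS macOS updates install automatically"
  else echo "FAIL AutomaticallyInstallMacOSUpdates is off"; fi
  if pref_is_on "$5"; then echo "PASS XProtect and system data files update automatically"
  else echo "FAIL ConfigDataInstall is off (XProtect signatures will go stale)"; fi
  if pref_is_on "$6"; then echo "PASS security responses install automatically"
  else echo "FAIL CriticalUpdateInstall is off"; fi
}

if [ "$(uname)" = Darwin ]; then
  SU=/Library/Preferences/com.apple.SoftwareUpdate
  # An unset key is treated as off; defaults read fails when a key is absent.
  su_key() { defaults read "$SU" "$1" 2>/dev/null || echo 0; }
  ce_update_findings "$(sw_vers -productVersion)" "$(spctl --status 2>&1)" \
    "$(su_key AutomaticCheckEnabled)" "$(su_key AutomaticallyInstallMacOSUpdates)" \
    "$(su_key ConfigDataInstall)" "$(su_key CriticalUpdateInstall)"
else
  # Not a Mac: constructed sample of a neglected developer machine.
  ce_update_findings '12.7.6' 'assessments disabled' 1 0 1 0
fi
```

Run it on each sampled machine and keep the output alongside the firewall screenshot; for CE Plus the assessor will be looking at the same settings live, so the two must agree.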