Granular firewall configuration in Intune for macOS

Azure Apprentice 191 Reputation points
2021-06-28T10:21:33.007+00:00

Hello Experts,
Hope everyone is doing well.

I'd like to ask the following: is it possible to add an exception to the firewall based on port, folder, application name, etc.?

As per this documentation we are using a custom configuration profile which is being pushed to our macOS devices:
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-macos

Here is our current configuration:

109820-image.png

From the options here it is only possible to add an exception based on:
Add apps by bundle ID: Enter the bundle ID of the app. Apple's web site has a list of built-in Apple apps.
Add store app: Select a store app you previously added in Intune. For more information, see Add apps to Microsoft Intune.

However, our developers are using self-signed binaries which are in the dozens. They request firewall access each time they are started:

109800-edited-binary.png

Is there a way to do a granular configuration of the firewall so we can avoid clicking "Allow" every time the binary is started?

Also, is there a way to allow all AirPlay connections? We are having trouble activating AirPlay due to firewall restrictions.

Thank you!


Accepted answer
  1. Lu Dai-MSFT 28,371 Reputation points
    2021-06-29T02:14:32.64+00:00

    @Azure Apprentice Thanks for posting in our Q&A.

    For this issue, there are no built-in settings that can be configured to add an exception to the firewall based on port, folder, application name, etc.

    Based on my research, whether Intune has this feature depends on whether Apple provides this MDM feature. I find that the Apple Developer MDM documentation doesn't provide this feature, i.e. an exception to the firewall based on port and folder. We can refer to the following link:
    https://developer.apple.com/documentation/devicemanagement/firewall
    Note: Non-Microsoft link, just for the reference.

    For AirPlay, did you mean that the enrolled macOS device could use AirPlay normally when we didn't deploy the firewall restriction profile? If there is any misunderstanding, feel free to let us know.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

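To make the limitation in the accepted answer concrete, here is an added example (not code from this thread, from Microsoft or from Apple) that builds and validates a firewall configuration profile using Apple's com.apple.security.firewall payload. The keys it uses (EnableFirewall, BlockAllIncoming, EnableStealthMode, and Applications entries keyed by BundleID with an Allowed flag) are the ones the payload reference documents; there is no key for a port or a folder, so the validator flags any such key as unsupported. The payload identifiers, display names and bundle IDs are constructed placeholders.

```python
# Added example: build and validate a macOS Application Firewall profile
# (payload type com.apple.security.firewall). Not Intune's or Apple's code.
import plistlib
import re
import uuid

FIREWALL_PAYLOAD_TYPE = "com.apple.security.firewall"

# Keys the firewall payload accepts. Exceptions are per application, keyed by
# bundle ID; nothing here expresses a port, path or folder.
SUPPORTED_KEYS = {
    "PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID",
    "PayloadDisplayName", "PayloadDescription", "PayloadOrganization",
    "EnableFirewall", "BlockAllIncoming", "EnableStealthMode", "Applications",
}
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # reverse-DNS style bundle IDs


def firewall_payload(allowed, blocked=(), block_all_incoming=False, stealth=True):
    """Return the firewall payload dict; `allowed`/`blocked` are bundle IDs."""
    apps = [{"BundleID": b, "Allowed": True} for b in allowed]
    apps += [{"BundleID": b, "Allowed": False} for b in blocked]
    return {
        "PayloadType": FIREWALL_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.firewall.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Application Firewall (example)",
        "EnableFirewall": True,
        "BlockAllIncoming": block_all_incoming,
        "EnableStealthMode": stealth,
        "Applications": apps,
    }


def validate_payload(payload):
    """Return a list of problems; an empty list means the payload is well-formed."""
    problems = [f"unsupported key: {k}" for k in sorted(set(payload) - SUPPORTED_KEYS)]
    if payload.get("PayloadType") != FIREWALL_PAYLOAD_TYPE:
        problems.append("wrong PayloadType")
    seen = set()
    for entry in payload.get("Applications", []):
        bid = entry.get("BundleID", "")
        if not BUNDLE_ID_RE.match(bid):
            problems.append(f"invalid bundle ID: {bid!r}")
        if bid in seen:
            problems.append(f"duplicate bundle ID: {bid}")
        seen.add(bid)
        if not isinstance(entry.get("Allowed"), bool):
            problems.append(f"Allowed must be a bool for {bid}")
    # "Block all incoming" overrides per-app allow entries, so flag the contradiction.
    if payload.get("BlockAllIncoming") and any(e.get("Allowed") for e in payload.get("Applications", [])):
        problems.append("BlockAllIncoming is true, so Allowed entries are not honored")
    return problems


def build_profile(payload):
    """Wrap the payload in a top-level configuration profile and serialise to XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.firewall",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "macOS Firewall (example)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_allowed_bundle_ids(xml_bytes):
    """Read back which bundle IDs a serialised profile allows (useful for review/diffing)."""
    profile = plistlib.loads(xml_bytes)
    allowed = []
    for pl in profile["PayloadContent"]:
        if pl.get("PayloadType") == FIREWALL_PAYLOAD_TYPE:
            allowed += [e["BundleID"] for e in pl.get("Applications", []) if e.get("Allowed")]
    return allowed


if __name__ == "__main__":
    p = firewall_payload(["com.example.devtool", "com.apple.Safari"])  # constructed IDs
    for problem in validate_payload(p):
        print("problem:", problem)
    print(build_profile(p).decode())
```

The output is a .mobileconfig you can upload as a custom profile; the validator is the check worth running before uploading, since a stray key such as a port is silently meaningless to the firewall rather than rejected.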

1 additional answer

  1. Azure Apprentice 191 Reputation points
    2021-06-29T14:10:05.067+00:00

    @Lu Dai-MSFT Thank you for your answer.

    Is there a plan for Microsoft to include such a feature in Intune - to add an exception based on port and folder for macOS?
    If not, what is the procedure to make such a suggestion?

    Regarding the AirPlay issue - the user is not able to "use AirPlay or Sidecar to share screen to an Apple TV or other screen, or to use iPad as a second screen."

    Below are screenshots from the endpoint perspective:

    110290-image.png

    110351-image.png

    As seen in my initial post we have turned off "Block all incoming connections" and the issue still remains.
    The user still claims that "Block all incoming connections" is enabled from his side.
    We've tried Syncing from Intune and after weeks the issue remains.
    Is there any other way like a PowerShell command to make sure the configuration profile is properly enforced?
    Also is there a way to temporarily turn off the Firewall for the endpoint in order to test if the issue persists while Firewall is off?
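For the question of confirming what the endpoint is actually enforcing, here is an added example (not from this thread, Microsoft or Apple) that reads the Application Firewall state on a Mac with Apple's socketfilterfw tool and the profiles command, then compares it with the intended settings. The sample outputs in SAMPLES are constructed to match the shape of what those commands print so the parsers can be tried off-box, and the profile identifier is a placeholder for your profile's PayloadIdentifier.

```python
# Added example: audit the macOS Application Firewall state against the
# settings an MDM profile is meant to enforce. Not Microsoft's or Apple's code.
import re
import subprocess

SFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
EXPECTED_PROFILE_ID = "com.example.firewall"  # placeholder: your profile's PayloadIdentifier

# Constructed sample outputs, shaped like the text the real commands print.
SAMPLES = {
    "globalstate": "Firewall is enabled. (State = 1)\n",
    "blockall": "Block all DISABLED! \n",
    "stealthmode": "Stealth mode enabled\n",
    "listapps": (
        "ALF: total number of apps = 2 \n\n"
        "1 :  /Applications/DevTool.app \n"
        " \t ( Allow incoming connections )\n"
        "2 :  /Applications/Other.app \n"
        " \t ( Block incoming connections )\n"
    ),
}


def parse_global_state(text):
    """True if the firewall is on; prefers the numeric 'State = N' over the prose."""
    m = re.search(r"State\s*=\s*(\d)", text)
    return m.group(1) != "0" if m else "enabled" in text.lower()


def parse_block_all(text):
    """True when 'Block all incoming connections' is on (the off case prints DISABLED)."""
    return "disabled" not in text.lower()


def parse_stealth(text):
    return "enabled" in text.lower()


def parse_listapps(text):
    """Map each listed app path to True (allow incoming) or False (block incoming)."""
    apps, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s*:\s*(\S.*?)\s*$", line)
        if m:
            current = m.group(1)
        elif current and "incoming connections" in line:
            apps[current] = "Allow" in line
            current = None
    return apps


def run(args):
    """Run a command and return stdout; '' when the tool is absent (e.g. not on a Mac)."""
    try:
        return subprocess.run(args, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def audit(outputs, profiles_txt, expect_block_all=False, expect_stealth=True):
    """Compare observed state with intended state; return a list of findings."""
    if not all(outputs.get(k, "").strip() for k in ("globalstate", "blockall", "stealthmode")):
        return ["could not read socketfilterfw output (run on the Mac, as root)"]
    findings = []
    if not parse_global_state(outputs["globalstate"]):
        findings.append("firewall is off")
    if parse_block_all(outputs["blockall"]) != expect_block_all:
        findings.append(f"BlockAllIncoming is {parse_block_all(outputs['blockall'])}, expected {expect_block_all}")
    if parse_stealth(outputs["stealthmode"]) != expect_stealth:
        findings.append(f"stealth mode is {parse_stealth(outputs['stealthmode'])}, expected {expect_stealth}")
    if EXPECTED_PROFILE_ID not in profiles_txt:
        findings.append(f"profile {EXPECTED_PROFILE_ID} not installed")
    return findings


def collect_live():
    """Query the real tools; `profiles` needs root to show system-scoped profiles."""
    outputs = {k: run([SFW, f"--get{k}"]) for k in ("globalstate", "blockall", "stealthmode")}
    outputs["listapps"] = run([SFW, "--listapps"])
    return outputs, run(["profiles", "list"])


if __name__ == "__main__":
    outputs, profiles_txt = collect_live()
    for line in audit(outputs, profiles_txt) or ["OK: observed state matches intent"]:
        print(line)
    for path, allowed in parse_listapps(outputs.get("listapps", "")).items():
        print(("allow " if allowed else "block ") + path)
```

Run it as root on the affected Mac: if the profile is listed but "Block all incoming connections" reads as on, the discrepancy is between the profile and the effective state rather than between Intune and the device, which is the distinction the screenshots above cannot settle on their own. The per-app list from --listapps also shows which of the self-signed binaries have already been allowed locally by clicking the prompt.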