Granular firewall configuration in Intune for macOS

Azure Apprentice 191 Reputation points
2021-06-28T10:21:33.007+00:00

Hello Experts,
hope everyone is doing well.

I'd like to ask the following - is it possible to add an exception to the firewall based on port, folder, Application name etc. ?

As per this documentation we are using a custom configuration profile which is being pushed to our macOS devices:
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-macos

Here is our current configuration:

109820-image.png

From the options here it is only possible to add an exception based on:
Add apps by bundle ID: Enter the bundle ID of the app. Apple's web site has a list of built-in Apple apps.
Add store app: Select a store app you previously added in Intune. For more information, see Add apps to Microsoft Intune.

However, our developers are using self-signed binaries which are in the dozens. They request firewall access each time they are started:

109800-edited-binary.png

Is there a way to do a granular configuration of the firewall so we can avoid clicking "Allow" every time the binary is started?

Also is there a way to allow all Airplay connections? We are having trouble activating Airplay due to Firewall restrictions.

Thank you!

Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
872 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,307 questions
0 comments No comments
{count} votes

Accepted answer
  1. Lu Dai-MSFT 28,341 Reputation points
    2021-06-29T02:14:32.64+00:00

    @Azure Apprentice Thanks for posting in our Q&A.

    For this issue, there is no built-in settings that can be configurated to add an exception to the firewall based on port, folder, Application name etc.

    Based on my research, whether intune has this feature is based on whether Apple provides this MDM feature. I find that the Apple Developer MDM documentation doesn't provide this feature that except to the firewall based on port and folder. We can refer to the following link:
    https://developer.apple.com/documentation/devicemanagement/firewall
    Note: Non-Microsoft link, just for the reference.

    For Airplay, did you mean that the enrolled MacOS device could use Airplay normally when we didn't deploy the firewall restriction profile? If there is anything misunderstanding, feel free to let us know.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Azure Apprentice 191 Reputation points
    2021-06-29T14:10:05.067+00:00

    @Lu Dai-MSFT Thank you for your answer.

    Is there a plan for Microsoft to include such a feature in Intune - to add an exception based on port and folder for macOS?
    If not, what is the procedure to make such a suggestion?

    Regarding the Airplay issue - the user is not able to "use Airplay or Sidecar to share screen to an Apple TV or other screen, or to use iPad as a second screen."

    Below are screenshots from the endpoint perspective:

    110290-image.png

    110351-image.png

    As seen in my initial post we have turned off "Block all incoming connections" and the issue still remains.
    The user still claims that "Block all incoming connections" is enabled from his side.
    We've tried Syncing from Intune and after weeks the issue remains.
    Is there any other way like a PowerShell command to make sure the configuration profile is properly enforced?
    Also is there a way to temporarily turn off the Firewall for the endpoint in order to test if the issue persists while Firewall is off?