AzureApprentice-3319 asked:

Granular firewall configuration in Intune for macOS

Hello Experts,
Hope everyone is doing well.

I'd like to ask the following: is it possible to add an exception to the firewall based on port, folder, application name, etc.?

As per this documentation we are using a custom configuration profile which is being pushed to our macOS devices:
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-macos

Here is our current configuration:

[screenshot attachment: 109820-image.png]


From the options here it is only possible to add an exception based on:
- Add apps by bundle ID: Enter the bundle ID of the app. Apple's web site has a list of built-in Apple apps.
- Add store app: Select a store app you previously added in Intune. For more information, see Add apps to Microsoft Intune.

However, our developers are using self-signed binaries which are in the dozens. They request firewall access each time they are started:

[screenshot attachment: 109800-edited-binary.png]




Is there a way to do a granular configuration of the firewall so we can avoid clicking "Allow" every time the binary is started?

Also, is there a way to allow all AirPlay connections? We are having trouble activating AirPlay due to firewall restrictions.

Thank you!

Tags: mem-intune-general, mem-intune-application-management, mem-intune-conditional-access

LuDaiMSFT-0289 answered:

@AzureApprentice-3319 Thanks for posting in our Q&A.

For this issue, there are no built-in settings that can be configured to add an exception to the firewall based on port, folder, application name, etc.

Based on my research, whether Intune has this feature depends on whether Apple provides it as an MDM feature. I find that the Apple Developer MDM documentation doesn't provide a feature for firewall exceptions based on port or folder. We can refer to the following link:
https://developer.apple.com/documentation/devicemanagement/firewall
Note: Non-Microsoft link, just for reference.

For AirPlay, did you mean that the enrolled macOS device could use AirPlay normally when the firewall restriction profile was not deployed? If there is any misunderstanding, feel free to let us know.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



AzureApprentice-3319 answered:

@LuDaiMSFT-0289 Thank you for your answer.

Is there a plan for Microsoft to include such a feature in Intune - to add an exception based on port and folder for macOS?
If not, what is the procedure to make such a suggestion?


Regarding the AirPlay issue - the user is not able to "use AirPlay or Sidecar to share screen to an Apple TV or other screen, or to use iPad as a second screen."

Below are screenshots from the endpoint perspective:


[screenshot attachments: 110290-image.png, 110351-image.png]


As seen in my initial post, we have turned off "Block all incoming connections" and the issue still remains.
The user still claims that "Block all incoming connections" is enabled on his side.
We've tried syncing from Intune, and after weeks the issue remains.
Is there any other way, like a PowerShell command, to make sure the configuration profile is properly enforced?
Also, is there a way to temporarily turn off the firewall on the endpoint in order to test whether the issue persists while the firewall is off?


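The two questions in the post above (how to verify on the endpoint what the Application Firewall is actually enforcing, and how to switch it off temporarily for a test) are answered from a Terminal on the Mac itself; PowerShell is not involved. The script below is an added example written for this page, not code from the thread, from Microsoft or from Apple. It uses Apple's socketfilterfw, defaults and profiles tools with flags that exist on current macOS; the SAMPLE_* strings embedded for the offline self-check are constructed from typical socketfilterfw output and may differ in wording between macOS versions, which is why the parsing keys only on the words "enabled"/"disabled". The path /Users/dev/bin/selfsigned-tool is a placeholder.

```shell
#!/bin/sh
# Added example for this page (not from the thread, Microsoft or Apple): query the
# macOS Application Firewall directly on an endpoint to see what is really enforced,
# independent of what the Intune console claims. Uses Apple's socketfilterfw,
# defaults and profiles tools. The SAMPLE_* strings are constructed from typical
# socketfilterfw output for an offline self-check; wording may differ between
# macOS versions, so parsing keys on "enabled"/"disabled" only.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed samples of what --getglobalstate, --getblockall and --listapps typically print.
SAMPLE_GLOBAL='Firewall is enabled. (State = 1)'
SAMPLE_BLOCKALL='Block all DISABLED!'
SAMPLE_LISTAPPS='ALF: total number of apps = 2

1 :  /Applications/Example.app
     ( Allow incoming connections )
2 :  /Users/dev/bin/selfsigned-tool
     ( Block incoming connections )'

# Reduce a --getglobalstate / --getblockall / --getstealthmode line to on|off|unknown.
alf_state_from_output() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *disabled*) echo off ;;
        *enabled*)  echo on ;;
        *)          echo unknown ;;
    esac
}

# Meaning of the globalstate integer stored in /Library/Preferences/com.apple.alf
# (0 = firewall off, 1 = on with per-app rules, 2 = block all incoming connections).
alf_globalstate_meaning() {
    case "$1" in
        0) echo "off" ;;
        1) echo "on, per-app rules" ;;
        2) echo "on, block all incoming" ;;
        *) echo "unexpected value: $1" ;;
    esac
}

# Number of entries in --listapps output (entries look like "N :  /path").
alf_count_listed_apps() {
    printf '%s\n' "$1" | grep -c '^[0-9][0-9]* :' || true
}

# Live checks; skipped where the tool is absent so the parsing above can be exercised anywhere.
if [ -x "$SFW" ]; then
    echo "global state   : $(alf_state_from_output "$("$SFW" --getglobalstate)")"
    echo "block all      : $(alf_state_from_output "$("$SFW" --getblockall)")"
    echo "stealth mode   : $(alf_state_from_output "$("$SFW" --getstealthmode)")"
    echo "stored value   : $(alf_globalstate_meaning "$(defaults read /Library/Preferences/com.apple.alf globalstate)")"
    echo "apps with rules: $(alf_count_listed_apps "$("$SFW" --listapps)")"
    # Which firewall payloads are actually installed? A stale profile that still sets
    # BlockAllIncoming shows up here even when the Intune console says it is off.
    sudo profiles show 2>/dev/null | grep -i -A 10 'com.apple.security.firewall' \
        || echo "no com.apple.security.firewall payload found by 'profiles show'"
    # Temporary test with the firewall off (an MDM-managed payload reasserts itself):
    #   sudo "$SFW" --setglobalstate off ; <test AirPlay> ; sudo "$SFW" --setglobalstate on
    # Allow one self-signed developer binary locally instead of clicking "Allow" each start.
    # This is path-based and local only: the MDM firewall payload identifies apps by BundleID.
    #   sudo "$SFW" --add /Users/dev/bin/selfsigned-tool && sudo "$SFW" --unblockapp /Users/dev/bin/selfsigned-tool
fi
```

Run it with sudo on the affected Mac. If the stored globalstate reads 2 while the Intune profile has "Block all incoming connections" turned off, the endpoint is still carrying a payload with BlockAllIncoming set, and the profiles output lists every installed payload with its identifier so the stale one can be found and removed. Switching the firewall off with --setglobalstate is only a short-lived test when a managed payload is present, since MDM reasserts the managed state. The --add/--unblockapp pair is a local workaround for the self-signed binaries; it cannot be expressed in the Intune profile because the Apple firewall payload identifies applications by bundle ID only.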
LuDaiMSFT-0289 commented:

@AzureApprentice-3319 Thanks for your update.

As for the feature to add an exception based on port and folder for macOS, it depends on whether Apple provides this interface. So it is suggested to contact Apple to confirm whether Apple will provide this feature to MDM. If Apple does, then Microsoft will consider adding it to Intune.

From the screenshots you provided, it seems that the new profile that turns off "Block all incoming connections" doesn't replace the old profile that turns it on. Given this situation, the pictures are not enough to analyze and find the root cause; we may need background information such as more logs. With the Q&A limitations, it is better to create an online support ticket to handle this issue more effectively. It is free. Here is the online support:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support

Hope it will help.
