Configuring firewall settings for macOS devices

You can use Ivanti EPMM to configure a macOS firewall setting for macOS devices. You use the firewall configuration to control connections made to managed macOS devices from other devices on your network on a per-application basis. The firewall configuration prevents managed macOS devices from accepting inbound connections from particular apps or services.

The application firewall is designed to work with TCP and UDP, without having any effect on AppleTalk connections. While you can disable ICMP pings by enabling stealth mode, you can still use earlier ipfw technology from the command line.


  1. Select Policies & Configs > Configurations.
  2. Select Add New > Apple > macOS only > Firewall.
  3. Use the guidelines in the table below to complete this form.




    Enter a name for the configuration.


    Enter an explanation of the purpose of this configuration.

    Enable Firewall

    Select to enable the firewall configuration for macOS devices.

    Block all incoming connections

    Select to prevent all sharing services from receiving incoming connections on macOS devices, such as screen sharing or file sharing.

    The following system services may still receive incoming connections:

    • configd, which implements DHCP and other network configuration services

    • mDNSResponder, which implements Bonjour

    • racoon, which implements IPSec

    Enable stealth mode

    Select to prevent macOS devices from responding to probing requests. Managed macOS devices still answer incoming requests for authorized apps, while ignoring unexpected requests, such as ICMP (ping).


    Select specific apps for which you want to receive incoming connections on macOS devices.

    Select Add+ to add a row to the list of apps. Select the cell under Bundle ID to select the app whose incoming connections you want to explicitly allow. Select the check box in the Allow Connections cell to allow incoming connections from the selected app.

  1. Select Save.
  2. Apply the policy to a macOS label.