macOS Firewall and Gatekeeper

Why this risk matters

macOS includes two complementary security controls that are often left at their defaults or disabled in enterprise environments: the application firewall and Gatekeeper.

The macOS application firewall blocks inbound network connections to specific applications and services. Without it, any application listening on a network port is reachable from other devices on the same network — relevant on corporate LANs, shared Wi-Fi, and conference networks where lateral movement is a real threat.

Gatekeeper enforces code signing and notarisation requirements before allowing software to run. It ensures that only applications signed by an identified Apple developer — and optionally notarised by Apple — can execute. When Gatekeeper is disabled or set to its most permissive option, users can run arbitrary unsigned executables downloaded from the internet, including malware distributed via phishing attachments, pirated software, and trojanised utilities.

Together, these controls significantly reduce the attack surface on Mac endpoints without requiring additional third-party security tooling.

What happens if this is abused

Without macOS Firewall and Gatekeeper properly configured:

  • The application firewall off means any application running on the Mac and listening on a network port is reachable from other devices on the same network — including malicious tools an attacker may have installed after initial access.
  • Gatekeeper disabled allows users to run unsigned executables downloaded from the internet, bypassing Apple's code signing and notarisation checks. This is the most common delivery mechanism for macOS malware: a phishing email or fake download page distributes an unsigned .dmg or .pkg that Gatekeeper would have blocked.
  • Trojanised applications and malicious installers can silently install persistence mechanisms, harvest credentials from browser keystores, and establish C2 connections — all without Gatekeeper raising a warning.
  • Network-exposed services on Macs without the application firewall can be targeted for exploitation from compromised devices elsewhere on the corporate network, facilitating lateral movement.

When this is expected or acceptable

macOS Firewall and Gatekeeper enforcement is expected on all managed Macs. Some configurations are less urgent than others.

  • If macOS firewall and Gatekeeper settings are managed and enforced via an Intune or Jamf device configuration profile, individual device reports may lag before the profile is fully applied. Confirm MDM enforcement before escalating.
  • Specific firewall exceptions may be required for enterprise software that needs to accept inbound connections — screen sharing tools, development environments, or collaboration software. These should be documented and scoped to specific applications, not applied fleet-wide.
  • Gatekeeper set to "App Store and identified developers" is an acceptable configuration for most organisations. Only Gatekeeper set to "Anywhere" or fully disabled requires immediate action.
  • Developer and test machines may have legitimate needs for relaxed code-signing controls when working with in-house or unsigned builds. These exceptions should be device-scoped and documented rather than applied to the full fleet.

Checks to perform before taking action

Before modifying firewall or Gatekeeper settings on a Mac:

  • Is the Mac enrolled in Jamf or Intune? Check whether a device configuration profile enforcing firewall and Gatekeeper settings has been deployed and applied to this specific device.
  • What is the current Gatekeeper setting? "App Store and identified developers" is acceptable. "Anywhere" or a disabled state requires urgent action. Check via the MDM compliance report or system preferences.
  • Are there documented firewall exceptions for specific applications? Review existing exceptions before enforcing a default-block inbound policy to avoid breaking legitimate connectivity.
  • Is this a developer or test machine? Confirm with the device owner whether in-house or unsigned tools require specific Gatekeeper allowances before tightening controls.
  • Has any security incident been associated with this device? Check endpoint logs or Defender alerts before changing configuration.

Safe remediation steps

Deploy macOS Firewall and Gatekeeper settings via Intune or Jamf:

  1. Audit current state — check macOS device configuration compliance in Intune or review Gatekeeper and firewall status via a Jamf smart group or extension attribute. Identify devices where either control is off or misconfigured.
  2. Create a Device Configuration profile in Intune — go to Devices → macOS → Configuration Profiles → Create Profile. Select Templates → Endpoint Protection. Under Firewall: set Enable Firewall = Yes, Enable Stealth Mode = Yes. Under Gatekeeper: set Allow apps downloaded from = Mac App Store and identified developers.
  3. Test Gatekeeper with your software catalogue first — before enforcing, inventory the applications in use across your Mac fleet. Any unsigned or outside-App-Store apps may be blocked. Common examples include internal tools, older utilities, and some developer tools distributed as raw binaries. For these, either request signed builds from vendors or use Jamf/Intune managed app deployment to pre-approve specific applications.
  4. Pilot before full rollout — deploy to a test group. Ask users to exercise their full application suite for 48–72 hours. Log any Gatekeeper blocks via Console.app or a SIEM-connected log forwarder.
  5. Handle exceptions carefully — if a specific application must run unsigned, use spctl (System Policy Control) overrides via a configuration profile or script rather than disabling Gatekeeper globally. Never advise users to run sudo spctl --master-disable as a workaround, as this turns off Gatekeeper entirely.
  6. Roll out to all Mac devices — once the pilot is clean, assign the profile to all macOS device groups.
  7. Add compliance conditions — in Intune Compliance for macOS, include: Firewall = Required, Gatekeeper = App Store and identified developers. Non-compliant devices surface in the compliance report and can be gated from corporate resources via Conditional Access.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • MacOS Firewall and Gatekeeper — Blocks unsolicited network connections and prevents untrusted software from running on Mac devices.
  • MacOS Device Security — Ensures Mac data is encrypted at rest, network access is restricted, and only trusted software can run on the device.
  • MacOS Device Health — Protects Mac devices from OS-level tampering and rootkit attacks by ensuring the system kernel cannot be modified.

Supporting documentation

Apple: Change Firewall settings on Mac - https://support.apple.com/en-gb/guide/mac-help/mh34937/mac

Apple: Gatekeeper and runtime protection in macOS - https://support.apple.com/en-us/102445

Microsoft Intune: macOS device restriction settings - https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-macos

Related risks and follow-on checks

After reviewing macOS Firewall and Gatekeeper settings, also check these related risk areas:

Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.