macOS includes two complementary security controls that are often left at their defaults or disabled in enterprise environments: the application firewall and Gatekeeper.
The macOS application firewall blocks inbound network connections to specific applications and services. Without it, any application listening on a network port is reachable from other devices on the same network — relevant on corporate LANs, shared Wi-Fi, and conference networks where lateral movement is a real threat.
Gatekeeper enforces code signing and notarisation requirements before allowing software to run. It ensures that only applications signed by an identified Apple developer — and optionally notarised by Apple — can execute. When Gatekeeper is disabled or set to its most permissive option, users can run arbitrary unsigned executables downloaded from the internet, including malware distributed via phishing attachments, pirated software, and trojanised utilities.
Together, these controls significantly reduce the attack surface on Mac endpoints without requiring additional third-party security tooling.
Without macOS Firewall and Gatekeeper properly configured:
macOS Firewall and Gatekeeper enforcement is expected on all managed Macs. Some configurations are less urgent than others.
Before modifying firewall or Gatekeeper settings on a Mac:
Deploy macOS Firewall and Gatekeeper settings via Intune or Jamf:
sudo spctl --master-disable as a workaround, as this turns off Gatekeeper entirely.Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
Apple: Change Firewall settings on Mac - https://support.apple.com/en-gb/guide/mac-help/mh34937/mac
Apple: Gatekeeper and runtime protection in macOS - https://support.apple.com/en-us/102445
Microsoft Intune: macOS device restriction settings - https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-macos
After reviewing macOS Firewall and Gatekeeper settings, also check these related risk areas: