macOS Firewall and Gatekeeper

Why this risk matters

macOS includes two complementary security controls that are often left at their defaults or disabled in enterprise environments: the application firewall and Gatekeeper.

The macOS application firewall blocks inbound network connections to specific applications and services. Without it, any application listening on a network port is reachable from other devices on the same network — relevant on corporate LANs, shared Wi-Fi, and conference networks where lateral movement is a real threat.

Gatekeeper enforces code signing and notarisation requirements before allowing software to run. It ensures that only applications signed by an identified Apple developer — and optionally notarised by Apple — can execute. When Gatekeeper is disabled or set to its most permissive option, users can run arbitrary unsigned executables downloaded from the internet, including malware distributed via phishing attachments, pirated software, and trojanised utilities.

Together, these controls significantly reduce the attack surface on Mac endpoints without requiring additional third-party security tooling.

What happens if this is abused

Without macOS Firewall and Gatekeeper properly configured:

  • With the application firewall off, any application running on the Mac and listening on a network port is reachable from other devices on the same network, including malicious tools an attacker may have installed after initial access.
  • Gatekeeper disabled allows users to run unsigned executables downloaded from the internet, bypassing Apple's code signing and notarisation checks. This is the most common delivery mechanism for macOS malware: a phishing email or fake download page distributes an unsigned .dmg or .pkg that Gatekeeper would have blocked.
  • Trojanised applications and malicious installers can silently install persistence mechanisms, harvest credentials from browser keystores, and establish C2 connections — all without Gatekeeper raising a warning.
  • Network-exposed services on Macs without the application firewall can be targeted for exploitation from compromised devices elsewhere on the corporate network, facilitating lateral movement.

When this is expected or acceptable

Checks to perform before taking action

Safe remediation steps

Deploy macOS Firewall and Gatekeeper settings via Intune or Jamf:

  1. Audit current state — check macOS device configuration compliance in Intune or review Gatekeeper and firewall status via a Jamf smart group or extension attribute. Identify devices where either control is off or misconfigured.
  2. Create a Device Configuration profile in Intune — go to Devices → macOS → Configuration Profiles → Create Profile. Select Templates → Endpoint Protection. Under Firewall: set Enable Firewall = Yes, Enable Stealth Mode = Yes. Under Gatekeeper: set Allow apps downloaded from = Mac App Store and identified developers.
  3. Test Gatekeeper with your software catalogue first — before enforcing, inventory the applications in use across your Mac fleet. Any unsigned or outside-App-Store apps may be blocked. Common examples include internal tools, older utilities, and some developer tools distributed as raw binaries. For these, either request signed builds from vendors or use Jamf/Intune managed app deployment to pre-approve specific applications.
  4. Pilot before full rollout — deploy to a test group. Ask users to exercise their full application suite for 48–72 hours. Log any Gatekeeper blocks via Console.app or a SIEM-connected log forwarder.
  5. Handle exceptions carefully — if a specific application must run unsigned, use spctl (System Policy Control) overrides via a configuration profile or script rather than disabling Gatekeeper globally. Never advise users to run sudo spctl --master-disable as a workaround, as this turns off Gatekeeper entirely.
  6. Roll out to all Mac devices — once the pilot is clean, assign the profile to all macOS device groups.
  7. Add compliance conditions — in Intune Compliance for macOS, include: Firewall = Required, Gatekeeper = App Store and identified developers. Non-compliant devices surface in the compliance report and can be gated from corporate resources via Conditional Access.
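The audit in step 1 and the compliance reporting in step 7 both need a per-device answer to "are the firewall, stealth mode and Gatekeeper actually on?". The script below is an added example, not part of the original guidance or of any Intune/Jamf template: it is shaped as a Jamf extension attribute (single `<result>…</result>` line) and reads the state the way the built-in tools report it. It assumes, as the page does not state, that `socketfilterfw --getglobalstate`, `--getstealthmode` and `spctl --status` print the status strings matched in the comments; the parsing is kept in separate functions so those strings can be checked against sample output before the script is trusted on a fleet.

```shell
#!/bin/bash
# Added example (not from the original page): audit the macOS application firewall,
# stealth mode and Gatekeeper, and emit a Jamf extension attribute result line.
# Assumption: the status strings matched below are those printed by socketfilterfw
# and spctl on current macOS releases; verify against your own builds.

# Verdict for: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
# Expected outputs: "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)".
# State 2 is the "block all incoming connections" mode, which also counts as on.
firewall_verdict() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo "on" ;;
    *"State = 0"*)               echo "off" ;;
    *)                           echo "unknown" ;;
  esac
}

# Verdict for: socketfilterfw --getstealthmode
# Expected outputs: "Stealth mode enabled" or "Stealth mode disabled".
stealth_verdict() {
  case "$1" in
    *"Stealth mode enabled"*)  echo "on" ;;
    *"Stealth mode disabled"*) echo "off" ;;
    *)                         echo "unknown" ;;
  esac
}

# Verdict for: spctl --status
# Expected outputs: "assessments enabled" or "assessments disabled".
gatekeeper_verdict() {
  case "$1" in
    *"assessments enabled"*)  echo "on" ;;
    *"assessments disabled"*) echo "off" ;;
    *)                        echo "unknown" ;;
  esac
}

# All three controls must be on; an "unknown" reading is treated as noncompliant
# rather than silently assumed safe, so parsing failures surface in the report.
overall_verdict() {
  if [ "$1" = on ] && [ "$2" = on ] && [ "$3" = on ]; then
    echo "compliant"
  else
    echo "noncompliant"
  fi
}

# Single line in the <result>...</result> shape a Jamf extension attribute expects.
format_result() {
  printf '<result>%s firewall=%s stealth=%s gatekeeper=%s</result>\n' \
    "$(overall_verdict "$1" "$2" "$3")" "$1" "$2" "$3"
}

# Query the live system where the macOS binaries exist; elsewhere every field
# reads "unknown" so the script never claims compliance it did not observe.
audit_live() {
  fw_out="" st_out="" gk_out=""
  if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then
    fw_out=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1 || true)
    st_out=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode 2>&1 || true)
  fi
  if command -v spctl >/dev/null 2>&1; then
    # spctl exits non-zero when assessments are disabled; keep the text anyway.
    gk_out=$(spctl --status 2>&1 || true)
  fi
  format_result "$(firewall_verdict "$fw_out")" \
                "$(stealth_verdict "$st_out")" \
                "$(gatekeeper_verdict "$gk_out")"
}

audit_live
```

Attach it as an extension attribute and build the step 1 smart group on results that do not start with `compliant`; for an Intune custom attribute drop the `<result>` wrapper, since Intune reads the bare stdout. Because the verdicts are plain functions, the same script can be run on a known-good and a known-bad pilot machine and the printed line compared before any enforcement profile is assigned.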

Supporting documentation

Related risks and follow-on checks
