Explore the full catalogue of Apple Mobile Device Management (MDM) and Declarative Device Management (DDM) policies for macOS and iOS. Use the interactive explorer to search, filter, and reference policy keys for use with Microsoft Intune, Jamf, or any standards-compliant MDM solution.
The payload that configures the firewall.
| Setting | Key | Description | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|---|---|
| EnableFirewall | `EnableFirewall` | If `true`, the system enables the firewall. | boolean | required | — | Yes | macOS (10.12+) |
| BlockAllIncoming | `BlockAllIncoming` | If `true`, the system enables blocking all incoming connections. | boolean | optional | — | Yes | macOS (10.12+) |
| EnableStealthMode | `EnableStealthMode` | If `true`, the system enables stealth mode. | boolean | optional | — | Yes | macOS (10.12+) |
| Applications | `Applications` | The list of apps with connections that the firewall controls. 1 subkey. | array | optional | — | Yes | macOS (10.12+) |
| └─ Applications | `ApplicationsItem` | 2 subkeys. | dictionary | | — | Yes | macOS (10.12+) |
| └─ └─ Application Identifier | `BundleID` | The bundle identifier for the app. | string | required | — | Yes | macOS (10.12+) |
| └─ └─ Allow connections | `Allowed` | If `true`, the system allows connections for the app. | boolean | required | — | Yes | macOS (10.12+) |
| EnableLogging | `EnableLogging` | Deprecated (macOS 15.0). If `true`, the system enables logging. Available in macOS 12 through macOS 14.6. | boolean | optional | — | Yes | macOS (12.0 - 15.0) |
| LoggingOption | `LoggingOption` | Deprecated (macOS 15.0). The type of logging. Available in macOS 12 through macOS 14.6. | string | optional | — | Yes | macOS (12.0 - 15.0) |
| AllowSigned | `AllowSigned` | If `true`, the system allows built-in software to receive incoming connections. Available in macOS 12.3 and later. Note: The system ensures that `AllowSigned` always has a value. If missing from the payload, the system sets it to `true`. | boolean | optional | true | Yes | macOS (12.3+) |
| AllowSignedApp | `AllowSignedApp` | If `true`, the system allows downloaded signed software to receive incoming connections. Available in macOS 12.3 and later. Note: The system ensures that `AllowSignedApp` always has a value. If missing from the payload, the system sets it to `true`. | boolean | optional | true | Yes | macOS (12.3+) |
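
The following check is an added example, not part of the original reference or of any MDM product. It reads the firewall keys from a plist dictionary and reports the effective values, including `AllowSigned` and `AllowSignedApp` falling back to `true` when omitted. The function name `audit_firewall_payload` and the sample payload are assumptions made for illustration.

```python
import plistlib

# Constructed sample (not from the page): a dictionary holding only firewall keys.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>EnableFirewall</key><true/>
  <key>EnableLogging</key><true/>
  <key>Applications</key><array>
    <dict><key>BundleID</key><string>com.example.app</string></dict>
  </array>
</dict></plist>"""

DEFAULT_TRUE = ("AllowSigned", "AllowSignedApp")  # system sets true if missing
DEPRECATED = ("EnableLogging", "LoggingOption")   # deprecated in macOS 15.0
APP_SUBKEYS = ("BundleID", "Allowed")             # both required per app entry


def audit_firewall_payload(raw: bytes):
    """Hypothetical helper: return (effective_settings, findings)."""
    payload = plistlib.loads(raw)
    effective = dict(payload)
    findings = []

    # EnableFirewall is the only required top-level key.
    if not isinstance(payload.get("EnableFirewall"), bool):
        findings.append("EnableFirewall: required boolean is missing")
    elif not payload["EnableFirewall"]:
        findings.append("EnableFirewall: false, firewall is not enabled")

    # Omitting these keys does not deny anything: the system fills in true.
    for key in DEFAULT_TRUE:
        if key not in payload:
            effective[key] = True
            findings.append(f"{key}: missing, system sets it to true")

    for key in DEPRECATED:
        if key in payload:
            findings.append(f"{key}: deprecated in macOS 15.0")

    for i, app in enumerate(payload.get("Applications", [])):
        for sub in APP_SUBKEYS:
            if sub not in app:
                findings.append(f"Applications[{i}]: required subkey {sub} is missing")

    return effective, findings


if __name__ == "__main__":
    settings, notes = audit_firewall_payload(SAMPLE)
    print(settings)
    print("\n".join(notes))
```

To block incoming connections for signed software, the payload has to set `AllowSigned` or `AllowSignedApp` to `false` explicitly, which is what the "missing" findings point out.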