6 Replies Latest reply on Jul 30, 2013 11:16 AM by JBnCO

    Firewall rules for OS X 10.4, 10.5, and 10.6

    JBnCO Apprentice

      We are on 9.0 with the MiniRollup applied.

       

      We are working on importing firewall rules as a preflight task before we install the LANDesk agent.  I can't find any information regarding what components need to be added to the firewall to allow full functionality of the client without having the end user being prompted for all LANDesk components.  The end users don't have rights to add firewall rules.

       

      And no, we are not going to disable the firewall.  We have developed a process to inject rules into the plist.

       

      This is a three part question:

       

      1.     So far, I have identified the following applications that need to be added.  Do I need anything else registered in the firewall rules?:

       

      10.4

      LANDesk CBA8

      LANDesk Remote Control

      LANDesk Targeted Multicast

       

      10.5

      cba

      ldremote

      ldtmc

       

      10.6

      ldpds1

      ldremote

      ldtmc

       

      2.     Also, when I try to add ldpds1 to the 10.5 ALF, it is grayed out and won't let me add that component.  Why is this?

       

      3.     Is LANDesk a digitally signed app with Apple?

       

      Any help would be greatly appreciated.

        • 1. Re: Firewall rules for OS X 10.4, 10.5, and 10.6
          JBnCO Apprentice

          Has no one run into this issue?  I find it hard to believe that this was not an issue in the past for someone.

           

          I can unload the firewall, add the info into the com.apple.alf.plist file, and reload the firewall, but the user is still prompted to add the components into the firewall.  Even though they don't have rights and this creates an additional entry as deny (there is already an allow entry for cba, ldremote, and ldtmc) in the ALF, the firewall allows cba, ldremote, and ldtmc through.  So I got it working but don't want the end user to be prompted at all.

           

          Any thoughts?

          • 2. Re: Firewall rules for OS X 10.4, 10.5, and 10.6
            JBnCO Apprentice

            Update:  I had a meeting with our reseller and LANDesk support.  I have an open task with LANDesk support to properly sign all necessary components of LANDesk so the firewall will not prompt the user to add rules.  Once the app is fully signed, the firewall popups shouldn't be an issue when deploying.  I will follow up when I hear back from support.

            • 3. Re: Firewall rules for OS X 10.4, 10.5, and 10.6
              tling01 Rookie

              Has anything been done with this issue? I'm seeing the same thing on v9.0 SP3. The cba application does not seem to be signed, and therefore the user is prompted by the firewall to allow or deny it after installation.

               

              This is a major problem for us since we use DeployStudio to install the agent. It defaults to block the cba app. It would be great if LANDesk could get the app signed. Is this going to happen?

              • 4. Re: Firewall rules for OS X 10.4, 10.5, and 10.6
                JBnCO Apprentice

                tling01 - This has been addressed with the 9.0 SP3 agent.  Call support and refer to problem/suggestion ID 57272.  Hopefully they have a record of the fix for this and you can get the fully signed agent.

                 

                Also, when this first was an issue, we wrote a script that populated the firewall rules so the app would run without prompting the user.  In later releases with the agent fully signed, we reverted the firewall rules during the agent installation.  Some systems got missed, and if there was still an entry in the firewall for LANDesk, it would prompt the user even though it was signed.  We have resolved these on a case-by-case basis by removing the LANDesk entry in the firewall.
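
Added example, not part of the thread and not LANDesk's or the poster's script: one way to find machines that were missed by the rule revert described in reply 4 is to scan a copy of com.apple.alf.plist for any value that still names a LANDesk component. The walk makes no assumption about the file's layout; the sample plist, its keys and its paths are constructed for illustration.

```python
import plistlib
import sys

# Component names listed in the thread for the 10.5 and 10.6 firewall.
COMPONENTS = {"cba", "ldremote", "ldtmc", "ldpds1"}

# Constructed sample: keys, paths and layout are assumptions for illustration,
# not the real com.apple.alf.plist schema.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>globalstate</key><integer>1</integer>
  <key>applications</key><array>
    <dict><key>path</key><string>/example/LANDesk/cba</string></dict>
    <dict><key>path</key><string>/example/cbackup.app</string></dict>
    <dict><key>path</key><string>/example/agent/ldremote.app</string></dict>
  </array>
</dict></plist>"""

def mentions_agent(text):
    lowered = text.lower()
    if "landesk" in lowered:
        return True
    # Compare whole path segments so "cba" does not match "cbackup".
    return any(seg in COMPONENTS for seg in lowered.replace(".", "/").split("/"))

def find_entries(node, path=""):
    """Walk any plist structure and return (location, value) for each match."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_entries(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_entries(value, f"{path}[{index}]")
    elif isinstance(node, (str, bytes)):
        text = node.decode("utf-8", "replace") if isinstance(node, bytes) else node
        if mentions_agent(text):
            hits.append((path, text))
    return hits

def audit(plist_bytes):
    # plistlib.loads accepts both XML and binary plists.
    return find_entries(plistlib.loads(plist_bytes))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for location, value in audit(data):
        print(f"leftover entry at {location}: {value}")
```

Pass the path to a copied plist as the first argument; with no argument the script scans the constructed sample.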

                • 5. Re: Firewall rules for OS X 10.4, 10.5, and 10.6
                  tling01 Rookie

                  Thanks for the quick response. We're using the 9.0 SP3 agent. Can you elaborate a bit on the solution? Is this something they provide or something I can do myself? I'm trying to avoid a call to support.

                  • 6. Re: Firewall rules for OS X 10.4, 10.5, and 10.6
                    JBnCO Apprentice

                    There is a mac patch that you will need to get from support, apply to your core, rebuild your agent, and deploy.