I have the default macOS firewall enabled with stealth mode and block all incoming connections option set. And I have it locked. But after a while, the firewall is in green state with selective blocking and not block all connections.
How to identify which application is changing the firewall state? I have another admin user in my system, but I have remote login option disabled. I think this user is responsible for system change. I have removed that account meanwhile, but still want to know how to identify firewall state changes.
Is it possible to get an alert or something when the state changes?
Edit: It is not related to the admin account. After removing it, still this senario happens.
Figured. It is the policy applied. JAMF.
Best Answer
You might want to install Little Snitch, a tool that helps you to identify and control any incoming and outgoing traffic and what it was initiated from.
Note that I assume it is not advisable to completely block any incoming traffic.