Deployment and Management in an Enterprise Environment

Little Snitch is not only a great personal firewall, it also offers many features especially made for use in corporate environments. In particular:

• Little Snitch can be mass-deployed via Jamf, Hexnode or similar MDM solutions.
• Little Snitch rules and settings can be managed centrally.
• Permissions of non-admin users can be restricted.

Let’s dive into these topics one by one.

Mass Deployment

Little Snitch enables Mass Deployment features only during the very first installation. This is to protect against tampering via this mechanism.

In particular this means:

1. The Network Extension of Little Snitch must not yet be activated. You can check this with systemextensionsctl list.
2. The directory /Library/Application Support/Objective Development/Little Snitch must not yet exist.
3. Mass deployment is controlled via /var/root/LittleSnitchMassDeploymentConfiguration.json. This file must exist and it must contain a valid configuration.

Chances are that you want to test the procedure before you deploy large scale. In order to retry an installation remove Little Snitch completely by performing the following steps:

• Move the Little Snitch app to the Trash via Finder. Finder detects that Little Snitch hosts a Network Extension and removes this Network Extension as well. Since macOS 15 Sequoia, there is also a way to remove the Network Extension via System Settings: Go to General > Login Items & Extensions > Extensions > Network Extensions, click the info-button, in the modal window click the ellipses-button and choose Delete Extension form the menu. There are no other ways to remove the Network Extension! In particular, never use rm from a Terminal. That won’t work.
• Run sudo rm -rf '/Library/Application Support/Objective Development/Little Snitch' in a Terminal.

Preparing the initial configuration

Mass deployment involves applying an initial configuration to Little Snitch. You can prepare this initial configuration in various ways, but we recommend that you install Little Snitch manually on one computer, configure it according to your needs and then export the configuration from the app using File > Create Backup…. The resulting file has the extension .lsbackup, but it is in JSON format and you can and should review it in an editor.

There are two entries you should add to this configuration in the top level object:

• The license key with JSON key massDeploymentLicenseKey. (Please contact our support if you need a license size which is not available in our online shop.)
• The name associated with the license (probably your organization name) with JSON key massDeploymentLicenseOwner. Save this as LittleSnitchMassDeploymentConfiguration.json. The file should begin like this:

  {
  "massDeploymentLicenseKey" : "36123456789-715P8-0123456789",
  "massDeploymentLicenseOwner" : "ACME, Inc.",
  "blocklistStatistics" : {
  "malware-site.com" : {
    "lastUsed" : 748458199,
    "useCount" : 635
  },

Note that some settings and rules are user-specific and users are identified by the numeric Unix user identifier (UID). We therefore recommend that you avoid user-specific rules. We even recommend that you do not add individual rules to the configuration at all! Instead, put your common rules into a remote rule group loaded from a web server which is under your control. Add blocklists as custom blocklists from the same server. This way you can update the rules and blocklists later. The file format for remote rule groups is documented here, but you can also select rules in the Little Snitch app and choose from the main menu File > Export Selected Rules….

When you review the initial configuration, consider removing statistics properties and in any case check the JSON key "users". We recommend that you delete all users (leaving an empty array) so that every user gets the default settings. If you want to disallow rule and profile editing, settings editing or similar for particular users, make sure that entries for these users exist and contain the appropriate entries in the "defaults" object. Since users are identified by Unix UID, you may want to duplicate user configurations for the first couple of UIDs (e.g. 501 to 510) to cover all accounts.

Important Hint

We recommend that you enable Terminal access to Little Snitch so that future configuration changes can be applied automatically by a shell script. This is done in Little Snitch > Settings… in Security > Allow access via Terminal. Alternatively edit the JSON configuration manually. Search for the key "allowCommandLineAccess" in the "globalDefaults" object.

Minimizing first-time user interaction

When installing Little Snitch manually, macOS lets the user go through various dialogs in order to allow the Network Extension. If the user fails to perform one of the required steps, the installation fails and Little Snitch won’t be active.

In order to minimize user interaction, you can confirm the Network Extension beforehand with a .mobileconfig profile. Here is an example for you to download:

LittleSnitch.mobileconfig

Change user facing texts and identifiers to suite your needs.

On a supervised device, this profile can be installed without user interaction. It has to be signed with a trusted certificate, though:

security cms -S -N "My Certificate Name" -i /path/to/LittleSnitch.mobileconfig -o /path/to/LittleSnitch-signed.mobileconfig

While this configuration profile ensures that macOS does not require interaction, Little Snitch still prompts the user for consent to the license agreement and installation in general. This can be circumvented by setting the following user defaults (for the user running the app, not for the root user):

defaults write at.obdev.littlesnitch AcceptLicenseAgreementAutomatically YES
defaults write at.obdev.littlesnitch PerformInstallationAutomatically YES

Alternatively you can start Little Snitch with these defaults in the command line:

/Applications/Little\ Snitch.app/Contents/MacOS/Little\ Snitch -AcceptLicenseAgreementAutomatically YES -PerformInstallationAutomatically YES

Upon first start, Little Snitch will show a welcome tour to the user. This may be desirable, or you may want to avoid it when you completely manage Little Snitch from remote. To avoid the welcome tour, run

defaults write at.obdev.littlesnitch LastShownWelcomeWindowVersion 2

again for the user (not as root).

Installing the files

This is the easy part. Now that all prerequisites are met, simply copy Little Snitch.app to the computer’s /Applications folder. Before you start it, make sure that your LittleSnitchMassDeploymentConfiguration.json is copied to /var/root.

When Little Snitch is started for the first time, it installs the Network Extension, enables the network filter and loads the initial configuration as if it were a restore from backup. Note that LittleSnitchMassDeploymentConfiguration.json is deleted at that time (regardless of success) because it contains confidential information.

Centralized Configuration

Installing Little Snitch on a bunch of devices is only half of the story. Once it is installed, you want to update rules and settings on all these machines.

There are two mechanisms which allow centralized management:

• remote rule groups and blocklists
• the littlesnitch command line tool.

Changing settings

All settings can be changed via the littlesnitch command line tool. Your mass deployment software should have provisions for running commands on all clients. Note that all relevant functionality of this tool is only available when Terminal access is enabled in the settings!

In order to list all global settings and their current values run

sudo littlesnitch list-preferences --global-only

In order to list user specific settings and their current values run

sudo littlesnitch --user <uid or name> list-preferences --user-only

(When you run this command in a user session, it automatically derives the --user parameter from the SUDO_USER environment variable. You can omit --user <uid or name> in this case.)

Any of these settings can be read in detail with

sudo littlesnitch read-preference <key>

where the <key> is the same string as shown in list-preferences above, but can dig into dictionary and array properties. A key always refers to either a global or a user-specific setting, but never to both.

Settings can be changed with

sudo littlesnitch --user <uid or name> write-preference <key> <new value>

You can omit the --user parameter for global defaults or when the user can be derived from the environment.

A setting is bound to a particular type. The syntax for various types is as follows:

• Boolean: The values yes, true, 1, no, false and 0 are accepted.
• Unsigned integer: Decimal representation (e.g. 42).
• Signed integer: Decimal integer with an optional - prefix (values may be range-limited).
• Floating point: All usual floating point representations like 3.5 or -5e6.
• Date: ISO8601 format, e.g. 2024-05-21T14:22:03+0000.
• String: Just the string, as-is (possibly quoted and/or escaped for the shell).
• Data blob: Base 64 encoded, e.g. YmxvYg==.
• Arrays and Dictionaries: Not currently supported directly. However, you can write array and dictionary elements by specifying a key path like this:

  sudo littlesnitch write-preference key-to-array.0 value-written-to-index-0

  or

  sudo littlesnitch write-preference key-to-dictionary.subkey value-written-to-subkey

Importing an entire configuration

When you want to start from scratch or change many things at once, you may prefer to import an entire configuration in the same way as during initial installation. This can be done with

sudo littlesnitch restore-model --preserve-terminal-access configuration.lsbackup

The same caveats apply as during initial installation: You must take care of user specific settings. Check the documentation for the --map-users option to dynamically map user IDs. There is no need to manually add a license key and license owner. This information is preserved from the original installation.

The parameter --preserve-terminal-access ensures that you will have command line access after the import, even if the imported configuration does not include the "allowCommandLineAccess" setting.

Updating rules

Rules cannot be manipulated directly via the command line tool because the syntax would be rather complex. You have two options here:

1. We recommend that your initial configuration contains a remote rule group pointing to an HTTPS URL on your own server. Little Snitch will then update these rules automatically. We also recommend that you include a blocklist from your own server. Although blocklists could be implemented as a set of rules, a blocklist is handled more efficiently.
2. If you really need to update local rules, you can use littlesnitch export-model to create a JSON representation of the current configuration, edit this with your own scripts and then import it with littlesnitch import-model.

Restricting Permissions

Some organizations let their users decide how to use Little Snitch, others want to restrict permissions of their users so that they cannot circumvent a basic level of protection. There are several settings in Little Snitch > Settings… > Security which define what a user is allowed to do. Include these settings in your initial configuration:

Allow Rule Editing

If this setting is off, users cannot add, modify or delete rules, blocklists, rule groups and profiles. However, if a connection is not covered by a rule and Little Snitch operates in Alert Mode, users can create temporary rules via the connection alert.

Allow Profile Switching

If there are multiple profiles, users can choose among them, even when rule editing is forbidden. Set this to off in order to prevent switching profiles. This setting is only relevant if your configuration contains profiles.

Allow Settings Editing

If this setting is off, users are not allowed to change any settings until they authenticate as an admin user. Use this to prevent that users deactivate any of the other restrictions.

Allow Global Rule Editing

This setting is less relevant for security considerations, unless you have multiple user accounts on each machine. Global rules are effective for all users on the computer. Note that users are allowed to create rules for system processes even when this is off.

---

War dieser Eintrag hilfreich? Hinterlass uns Feedback.
© 2016-2024 Objective Development Software GmbH