Create a Firewall profile to configure the native Windows Desktop firewall settings. This profile uses more advanced functionality than the Firewall (Legacy) profile.

Workspace ONE UEM whitelists the OMA-DM agent automatically to ensure the Workspace ONE UEM console can always communicate with devices.

Procedure

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.
  5. Select the Firewall payload.
  6. Configure the Global settings.
    Stateful FTP: Set how the firewall handles FTP traffic. If you select Enable, the firewall tracks all FTP traffic. If you select Disable, the firewall does not inspect FTP traffic.

    Security Association Idle Time: Select Configured and set the maximum amount of time (in seconds) the device waits before deleting idle security associations. A security association is an agreement between two peers or endpoints that contains all the information required to exchange data securely.

    Preshared Key Encoding: Select the type of encoding used for the preshared key.

    IPSec Exemptions: Select the IPSec exemptions to use.

    Certification Revocation List Verification: Select how to enforce certificate revocation list verification.

    Opportunity Match Auth Set Per KM: Select how key modules ignore authentication suites. If you enable this option, key modules ignore only the authentication suites they do not support. If you disable it, key modules ignore the entire authentication set when they do not support every authentication suite in the set.

    Enable Packet Queue: Select how packet queuing works on the device. This setting helps ensure proper scaling.
  7. Configure how the firewall behaves when connected to Domain, Private, and Public networks.
    Firewall: Set to Enable to enforce policy settings on network traffic. If disabled, the device allows all network traffic, regardless of the other policy settings.

    Outbound Action: Select the default action the firewall takes on outbound connections. If you set this to Block, the firewall blocks all outbound traffic unless a rule explicitly allows it.

    Inbound Action: Select the default action the firewall takes on inbound connections. If you set this to Block, the firewall blocks all inbound traffic unless a rule explicitly allows it.

    Unicast Responses to Multicast or Broadcast Network Traffic: Set the behavior for unicast responses to multicast or broadcast network traffic. If you disable this option, the firewall blocks all such responses.

    Notify User When Windows Firewall Blocks a New App: Set the notification behavior for the firewall. If you select Enable, the firewall may notify the user when it blocks a new app. If you select Disable, the firewall does not send any notifications.

    Stealth Mode: To put the device in stealth mode, select Enable. Stealth mode helps prevent bad actors from gaining information about network devices and services. When enabled, stealth mode blocks outgoing ICMP unreachable and TCP reset messages for ports on which no app is actively listening.

    Allow IPSec Network Traffic in Stealth Mode: Set how the firewall handles unsolicited traffic secured by IPSec. If you select Enable, the firewall allows unsolicited network traffic that is secured by IPSec. This setting only applies when Stealth Mode is enabled.

    Local Firewall Rules: Set how the firewall interacts with local firewall rules. If you select Enable, the firewall follows local rules. If you select Disable, the firewall ignores local rules and does not enforce them.

    Local Connection Rules: Set how the firewall interacts with local connection security rules. If you select Enable, the firewall follows local rules. If you select Disable, the firewall ignores local rules and does not enforce them, regardless of the schema and connection security versions.

    Global Port Firewall Rules: Set how the firewall interacts with global port firewall rules. If you select Enable, the firewall follows the global port firewall rules. If you select Disable, the firewall ignores these rules and does not enforce them.

    Authorized Application Rules: Set how the firewall interacts with local authorized application rules. If you select Enable, the firewall follows local rules. If you select Disable, the firewall ignores local rules and does not enforce them.

  8. To configure your own firewall rules, select Add Firewall Rule. After adding a rule, configure its settings as needed. You can add as many rules as you need.
  9. When finished, select Save And Publish to push the profile to devices.
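To confirm that a published profile actually took effect on a device, the following PowerShell script (an added example, not part of the Workspace ONE UEM documentation) reads the effective firewall settings with the built-in NetSecurity cmdlets and reports any per-profile value that differs from an intended policy. The expected values are a constructed sample policy, and the mapping from console setting names to cmdlet properties is an assumption based on the Windows Firewall CSP; adjust both to match what you configured.

```powershell
# Added verification script; run in an elevated PowerShell session on an
# enrolled Windows device after the Firewall profile has been pushed.
# ASSUMPTION: $expected is a constructed sample policy (firewall on, inbound
# blocked by default, local rule merging disabled), not values from the page.
# ASSUMPTION: the comments map console setting names to NetSecurity properties.
$expected = @{
    Enabled                         = 'True'   # Firewall
    DefaultInboundAction            = 'Block'  # Inbound Action
    DefaultOutboundAction           = 'Allow'  # Outbound Action
    AllowUnicastResponseToMulticast = 'False'  # Unicast Responses to Multicast or Broadcast
    NotifyOnListen                  = 'True'   # Notify User When Windows Firewall Blocks a New App
    EnableStealthModeForIPsec       = 'True'   # Allow IPSec Network Traffic in Stealth Mode
    AllowLocalFirewallRules         = 'False'  # Local Firewall Rules
    AllowLocalIPsecRules            = 'False'  # Local Connection Rules
    AllowUserPorts                  = 'False'  # Global Port Firewall Rules
    AllowUserApps                   = 'False'  # Authorized Application Rules
}
# Note: Stealth Mode itself is not exposed by Get-NetFirewallProfile; only the
# IPsec exception (EnableStealthModeForIPsec) can be checked here.

$drift = @()
# ActiveStore returns the effective, merged settings (MDM/GPO applied).
foreach ($fwProfile in Get-NetFirewallProfile -Name Domain, Private, Public -PolicyStore ActiveStore) {
    foreach ($prop in $expected.Keys) {
        $actual = [string]$fwProfile.$prop
        if ($actual -ne $expected[$prop]) {
            $drift += [pscustomobject]@{
                Profile  = $fwProfile.Name
                Setting  = $prop
                Expected = $expected[$prop]
                Actual   = $actual
            }
        }
    }
}

# The Global settings from step 6 are device-wide and live in Get-NetFirewallSetting.
Get-NetFirewallSetting -PolicyStore ActiveStore |
    Select-Object EnableStatefulFtp, MaxSAIdleTimeSeconds, KeyEncoding, Exemptions,
                  CertValidationLevel, RequireFullAuthSupport, EnablePacketQueuing |
    Format-List

if ($drift.Count -eq 0) {
    Write-Output 'All per-profile firewall settings match the intended policy.'
    exit 0
}
$drift | Format-Table -AutoSize
exit 1
```

A non-zero exit code makes the script usable as a compliance check from a scheduled task or a UEM sensor, so drift in a device's effective firewall state surfaces without manual inspection.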