The network is back… in Big Sur

Apple has removed the ContentFilterExclusionList in macOS 11.2. Host-based firewalls and tools using the Network Extension Framework are back in business.

February 1, 2021, by Matthias Wollnik


Apple responds to community feedback with increased safety and security measures

In response to community feedback surrounding security, Apple has removed the ContentFilterExclusionList in macOS 11.2.

All network communications are now subject to host-based firewalls, and tools using the Network Extension Framework can now track them. This means that socket filter firewalls can now comprehensively monitor or block all OS traffic without depending on kexts.

This demonstrates that Apple is listening to the security community and making network monitoring a priority. We applaud Apple’s continued drive toward stronger security and privacy.

Background of Apple ContentFilterExclusionList issue

Until this new release, macOS Big Sur allowed 53 of Apple's own apps to use the network without being restricted by host-based firewalls or tracked by security applications using the Network Extension Framework. These included widely used apps such as the App Store, Maps and iCloud.

The system maintained the full list here: /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist
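A check an administrator could run to confirm that a given Mac no longer carries the exclusion list (an added example, not code from the original article or from Apple). It assumes the ContentFilterExclusionList key may sit at any nesting depth in that Info.plist; the sample plists and their entries are constructed placeholders.

```python
import plistlib
import sys
from pathlib import Path

# Path and key name as quoted in the article.
INFO_PLIST = Path("/System/Library/Frameworks/NetworkExtension.framework"
                  "/Versions/Current/Resources/Info.plist")
KEY = "ContentFilterExclusionList"

def find_key(node, key, where=""):
    """Yield (location, value) for each occurrence of key at any depth."""
    if isinstance(node, dict):
        for name, value in node.items():
            here = f"{where}/{name}"
            if name == key:
                yield here, value
            yield from find_key(value, key, here)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_key(value, key, f"{where}[{index}]")

def audit(plist_bytes):
    """Return sorted exclusion entries; an empty list means no bypass list."""
    entries = set()
    for _, value in find_key(plistlib.loads(plist_bytes), KEY):  # XML or binary
        # Assumption: entries are a list (or dict keys); other types are kept whole.
        items = value if isinstance(value, (list, dict)) else [value]
        entries.update(str(item) for item in items)
    return sorted(entries)

# Constructed samples (placeholder entries, not Apple's real list).
SAMPLE_PRE_FIX = plistlib.dumps(
    {"Constructed": {KEY: ["/constructed/ExampleDaemon", "/constructed/ExampleApp"]}})
SAMPLE_POST_FIX = plistlib.dumps({"Constructed": {"Other": ["x"]}},
                                 fmt=plistlib.FMT_BINARY)

def main():
    try:
        found = audit(INFO_PLIST.read_bytes())
    except (OSError, plistlib.InvalidFileException) as err:
        print(f"cannot audit {INFO_PLIST}: {err}")
        return 2
    for entry in found:
        print("excluded from content filters:", entry)
    print(f"{KEY}: {len(found)} entries" if found else "no exclusion entries found")
    return 1 if found else 0  # non-zero exit flags a host that still has the list

if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit status lets a management tool flag hosts that have not yet been updated to macOS 11.2.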

This exclusion list forced security vendors to rely on kernel extensions (kexts) for security measures, which Apple is phasing out. That introduced more friction for organizations in the rollout of the latest Apple M1 chip.

Additionally, security researchers — including our own Patrick Wardle — pointed out that bad actors could exploit the list to build malware that piggybacked on trusted Apple apps.

Privacy experts were also concerned that macOS might expose users' real IP address and location: with this list in place, VPN products could not protect their users' locations.

A smart move from Apple

Swiftly implementing this change in response to feedback ensures that security teams can control and monitor their Mac network activity. They can mitigate risks on devices with their own VPNs, firewalls and security tools. And they can deploy tools that support Big Sur/M1 to do so.

Apple, by listening to community feedback and incorporating changes quickly, has helped the Apple community build long-term sustainable security applications through the Endpoint Security Framework and Network Security Framework.

By continuing to respond to feedback and put the customer experience first, Apple has maintained their status as the most secure and private computer tech available.
