The Apple Security Logging Policy in Swif lets you centrally control key macOS security logging features on company-owned Macs. With this policy, you can enforce:
System-level security auditing
Firewall logging for network traffic events
This helps your security and IT teams monitor activity, investigate incidents, and meet compliance or audit requirements.
Policy overview
Policy name in Swif: Apple Security Logging Policy
Purpose: Configure and enforce macOS security and firewall logging behavior.
Minimum OS: macOS 10.8+
Supported platforms:
macOS (company-owned devices only)
Ownership types:
Company-owned devices (PolicyOwnercCompany)
This policy is not intended for BYOD; it targets managed corporate Macs where your organization is responsible for security monitoring.
Available settings
The policy exposes two main toggles in Swif:
Security Auditing Enable
Firewall Logging Enable
Each setting is a boolean value (true / false).
1. Security Auditing Enable
Field name (internal): securityAuditingEnable
Minimum OS: macOS 10.8+
What it controls
Turns macOS security auditing on or off. When enabled, the system records security-related events to its audit logs. These logs are often used by security teams for:
Incident investigation (e.g., suspicious logins, access attempts)
Forensics
Compliance audits (e.g., proving that logging is in place)
Behavior
If set to true (enabled): macOS security auditing is turned on.
The system records a wide range of security events, which can be accessed by your security/IT tools or manually on the device.
If set to false (disabled): macOS security auditing is turned off.
Fewer security events are captured, making investigations harder.
When to enable
Almost all enterprise, regulated, or security-conscious environments should enable this.
When you need:
Strong evidence for compliance (e.g., SOC 2, ISO 27001)
Visibility into what’s happening on your Macs
When you might disable
Rare edge cases where:
Logging must be minimized for performance reasons on non-critical machines, or
There are explicit privacy/legal constraints around certain types of logging.
In practice, most organizations will set this to true across all corporate Macs.
2. Firewall Logging Enable
Field name (internal): firewallLoggingEnable
Minimum OS: macOS 10.8+
What it controls
Enables or disables logging for the macOS firewall. This captures details about allowed and blocked network connections at the host level.
Behavior
If set to true (enabled): The macOS firewall logs connection attempts and related events.
These logs help you:
Identify suspicious inbound or outbound activity
Troubleshoot connectivity issues related to firewall rules
If set to false (disabled): The macOS firewall does not log events (or logs much less).
You lose an important data source for network-level investigations on endpoints.
When to enable
You want visibility into network behavior on corporate Macs.
You need to:
Detect or investigate potential attacks
Support compliance requirements around host-based firewall and logging
When you might disable
Very specific use cases where:
You rely entirely on external network security appliances and explicitly choose not to log on endpoints, or
Storage or privacy constraints require minimizing host-based logging.
Again, for most organizations, this should be enabled (true) by default.
Example recommended configuration
For a typical enterprise or security-conscious organization, a common setup is:
Security Auditing Enable: true
Firewall Logging Enable: true
Outcome:
Security teams have access to both system-level security audit logs and firewall logs.
You gain significantly better visibility for:
Incident response
Threat hunting
Compliance reporting
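Added example (not Swif's code or export format): a drift check that compares device records against the recommended configuration above, using the two internal field names from this page. The record layout, device names, and the "company" / "byod" owner values are hypothetical, constructed for illustration.

```python
"""Added example: check constructed device records against the logging baseline."""

BASELINE = {"securityAuditingEnable": True, "firewallLoggingEnable": True}
MIN_OS = (10, 8)  # minimum macOS version stated for both settings

# Constructed sample data. The record layout (name, os, owner, settings) is
# hypothetical and is not Swif's export format.
DEVICES = [
    {"name": "mac-01", "os": "14.5", "owner": "company",
     "settings": {"securityAuditingEnable": True, "firewallLoggingEnable": True}},
    {"name": "mac-02", "os": "13.6.1", "owner": "company",
     "settings": {"securityAuditingEnable": True, "firewallLoggingEnable": False}},
    {"name": "mac-03", "os": "12.7", "owner": "company",
     "settings": {"securityAuditingEnable": "true"}},
    {"name": "mac-04", "os": "14.4", "owner": "byod", "settings": {}},
]

def parse_os(version):
    """Turn '13.6.1' into (13, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def check_device(device):
    """Return a list of findings for one device; empty means compliant."""
    if device["owner"] != "company":
        return ["out of scope: policy targets company-owned devices only"]
    findings = []
    if parse_os(device["os"]) < MIN_OS:
        findings.append("OS below minimum 10.8")
    settings = device.get("settings", {})
    for key, wanted in BASELINE.items():
        if key not in settings:
            findings.append(f"{key}: not set")
        elif settings[key] is not wanted:
            # A string such as "true" is not the boolean the policy expects.
            findings.append(f"{key}: expected {wanted!r}, got {settings[key]!r}")
    return findings

def audit(devices):
    """Map device name -> findings for every device with at least one finding."""
    report = {}
    for device in devices:
        findings = check_device(device)
        if findings:
            report[device["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(DEVICES).items():
        print(name, "->", "; ".join(findings))
```

A missing key is reported separately from a false value, since an unset toggle and a deliberately disabled one usually call for different follow-up.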
How this works with Swif MDM
When you assign the Apple Security Logging Policy to a macOS device or group in Swif:
Swif sends the configuration to the Mac via MDM.
macOS applies the settings at the system level:
Enables/disables security auditing
Enables/disables firewall logging
Users may not be able to turn these settings off locally, depending on how Apple’s configuration is enforced for your OS version.
This ensures consistent security logging behavior across all managed Macs, rather than relying on local user preferences.
