Where are 'socketfilterfw' changes being stored in macOS 15?

First up, I want to be sure you’ve seen the discussion in macOS Sequoia 15 Beta 3 Release Notes.

Can you please advise either some new location on disk for us to monitor … ?

No. The location and format of these preferences is not considered API, and so posting details like that just encourages more folks to dig themselves into the same hole that you’ve dug for yourself )-:

or if there is another way to observe this setting?

AFAIK there is not.

I’d like to clarify why you need this. What firewall settings are you monitoring? And to what end?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the reply. Yep, I did see those release notes! For what it's worth, we aren't relying on the format of the plist, just the fact that it was modified so we can observe it.

Can you clarify what you mean by "not an API"? I'm seeing contradictory information - the linked release notes encourages people to use socketfilterfw. But in another response (see https://developer.apple.com/forums/thread/757907?answerId=792590022#792590022) you say that socketfilterfw is also not an API. Would relying on this tool also be considered digging ourselves into a hole? If so, what is the proper way to check for firewall status if socketfilterfw is not an api? Even if what I'm asking for overall isn't possible, we'd like to use the proper method to check for firewall status that wouldn't be considered unsupported.

To answer your question, we have a feature in our app that monitors when a user turns on or off their application firewall as a whole, and we perform an action accordingly. We'd have to switch to polling for the state on a timer without this, and we don't love that idea either.