+3Currently my organization is using Bootcamp in order to run specific Windows apps instead of Parallels. Is there a way to bypass the firmware prompt when switching from the Mac to the Windows OS without actually disabling the firmware itself via JAMF?
Thank you
+3I already tried that but that requires admin access which we do not want to give users.
+16A few folks have written posts around the security command and editing
security authorizationdbMaybe look into something like this: https://macmule.com/2012/05/13/unlocking-preference-panes-for-non-admin-users-on-10-6-10-7/ or https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/. It's a legacy process, but you may find something similar still functions. Running a quick test on my Monterey system and it does set the startup disk lock still.
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.startupdisk allowIn the attached pic, the lock is forced-open. you can't re-lock it and relaunching system preferences it always opens that pane unlocked. I don't have a second partition to try booting to ATM, but give it a try. It should also keep that setting through reboots.
+10A few folks have written posts around the security command and editing
security authorizationdbMaybe look into something like this: https://macmule.com/2012/05/13/unlocking-preference-panes-for-non-admin-users-on-10-6-10-7/ or https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/. It's a legacy process, but you may find something similar still functions. Running a quick test on my Monterey system and it does set the startup disk lock still.
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.startupdisk allowIn the attached pic, the lock is forced-open. you can't re-lock it and relaunching system preferences it always opens that pane unlocked. I don't have a second partition to try booting to ATM, but give it a try. It should also keep that setting through reboots.
Something I would keep in mind for this approach is it enables the user to be able to erase the device by plugging in a USB installer and get out of supervision. Although, the firmware password would still protect against anyone who can't normally log in to the device.
+16It's a fair point about a user being able to wipe a device if they can pick the boot drive on their own. There is the safeguard with ABM for folks who are able to use that program - if it's wiped, I'll re-enroll to your Jamf server.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.