Question

EFI password extension attribute

  • November 12, 2013
  • 11 replies
  • 15 views


Was previously using nvram -p to check the security-mode, since this doesn't work with the late 2010 hardware onwards. Here is a short extension attribute that will tell you whether the password is set, though unfortunately not the mode.

If anyone knows how to determine the mode... please share! It's not an option in the setregproptool.

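#!/bin/sh

# setregproptool -c sets an exit status of 0 if a firmware password is set, 1 otherwise.
# The path contains a space, so it has to be quoted or the shell splits it in two.
EFIP=`"/Library/Application Support/JAMF/bin/setregproptool" -c; echo $?`

echo "EFI is $EFIP"

echo "<result>$EFIP</result>"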

11 replies

  • Esteemed Contributor
  • 850 replies
  • November 13, 2013

I can't remember if this is built into the JSS as a template or I got it from someone else @rtrouton @bentoms (?) but this is what I use:

#!/bin/sh
result=`nvram -p | grep security-mode | awk '{print $2}'`

if [ "$result" != "" ]; then
    echo "<result>$result</result>"
else
    echo "<result>none</result>"
fi

mm2270
  • Legendary Contributor
  • 7886 replies
  • November 13, 2013

For some odd reason, the nvram -p command lists the 'security-mode' in the output, but on some other Macs it does not, even though a Firmware password is definitely set on the Macs where it doesn't appear in the output. I think that's what @lisacherie was getting at.
My Mac is a Mid 2011 MBP 13" and I can see it. On a Mid 2013 MBA I don't see it, as well as on some other models. So somewhere along the line that information got removed from the output of nvram -p. :/

Outside of that method though, I can't locate any other way to see that information.


  • Author
  • Valued Contributor
  • 184 replies
  • November 13, 2013

From what I've seen so far the nvram -p method stops working from all models Late 2010 onwards.


mm2270
  • Legendary Contributor
  • 7886 replies
  • November 13, 2013

While I believe you, at least insofar as what you've seen, I can assure you the Mac that I'm writing this on right now is a Mid 2011 MacBook Pro 13" and I can clearly see the 'security-mode' line in the nvram -p output. It shows "command" which is what I expect it to be since I have an EFI firmware password on the Mac, set up with command mode.
But as I mentioned, I can't see the same line on other newer Macs, also with Firmware passwords set. So while it's unclear exactly when it stopped, it does appear it no longer shows up on most newer hardware. There is other data in the nvram -p output, but not security-mode.


bentoms
  • Hall of Fame
  • 4331 replies
  • November 13, 2013

@franton wasn't me!


noahdowd
  • Contributor
  • 42 replies
  • April 30, 2018

There's also this command in High Sierra at least:

firmwarepasswd -mode

  • Contributor
  • 12 replies
  • August 21, 2020

Hi, does anyone know how we can use the new command posted by noahdowd in an EA?
Thanks!


dan-snelson
  • Honored Contributor
  • 632 replies
  • August 21, 2020

@dyyuan We're using the following for Firmware Password

#!/bin/sh
####################################################################################################
# Extension Attribute to read the status of the firmware password
####################################################################################################

osVersion=$( /usr/bin/sw_vers | /usr/bin/grep ProductVersion | /usr/bin/awk '{ print $2}' )

case $osVersion in

    10.8*|10.9*)
        result=$( /usr/sbin/nvram -p | /usr/bin/grep security-mode | /usr/bin/awk '{print $2}' )
        ;;

    10.10*|10.11*|10.12*|10.13*|10.14*|10.15*)
        result=$( /usr/sbin/firmwarepasswd -check | /usr/bin/awk '{ print $3 }' )
        ;;

    *)
        result="Unknown $osVersion"

esac

echo "<result>${result}</result>"

exit 0
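
An added example, not part of any post in this thread: one way to use firmwarepasswd -mode in an extension attribute alongside firmwarepasswd -check, so the EA reports both whether a password is set and its mode. The "Mode: <value>" output format, the sample strings and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: EA reporting firmware password state and mode.
# Assumed output formats (constructed samples, not captured from a real Mac):
#   firmwarepasswd -check  ->  "Password Enabled: Yes" or "Password Enabled: No"
#   firmwarepasswd -mode   ->  "Mode: command", "Mode: full", ...

FWPW=/usr/sbin/firmwarepasswd

# parse_enabled TEXT: print Yes or No from -check output, Unknown if unparseable.
parse_enabled() {
    value=$(printf '%s\n' "$1" | awk -F': *' '/^Password Enabled:/ { print $2; exit }')
    case "$value" in
        Yes|No) echo "$value" ;;
        *)      echo "Unknown" ;;
    esac
}

# parse_mode TEXT: print the lowercased mode word from -mode output, or Unknown.
parse_mode() {
    value=$(printf '%s\n' "$1" | awk -F': *' '/^Mode:/ { print tolower($2); exit }')
    [ -n "$value" ] && echo "$value" || echo "Unknown"
}

# firmware_status CHECK_TEXT MODE_TEXT: combine both outputs into one EA value.
firmware_status() {
    enabled=$(parse_enabled "$1")
    case "$enabled" in
        Yes) echo "Set (mode: $(parse_mode "$2"))" ;;
        No)  echo "Not set" ;;
        *)   echo "Unknown" ;;
    esac
}

# Test for the tool itself rather than the OS version, so an unlisted
# macOS release is not reported as unknown just because of its number.
if [ -x "$FWPW" ]; then
    result=$(firmware_status "$("$FWPW" -check 2>/dev/null)" "$("$FWPW" -mode 2>/dev/null)")
else
    result="firmwarepasswd not found"
fi

echo "<result>${result}</result>"
```

A "Not set" or "Unknown" value can then drive a smart group of Macs whose firmware password needs attention.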

  • Valued Contributor
  • 230 replies
  • August 26, 2020

@dan-snelson Nicely timed, I'm going to need something like this soon! Now does anyone want to post their workflows for setting and rotating their firmware passwords? :-)


dan-snelson
  • Honored Contributor
  • 632 replies
  • August 26, 2020

MacJunior
  • Valued Contributor
  • 129 replies
  • January 26, 2021

Does anybody have an extension attribute to check the status of the firmware password that would work on an Intel machine running Big Sur 11.1?