Has the Mac you're running the recon against rebooted since the firmware password was set? One of the things about setting the FW password is that if it's done via the setregproptool command, it will always report "1", as in not set, until the Mac is rebooted.
It's a different story if you booted into something like Recovery HD and set it there, though.
mm2270:
OK, that makes some sense. I've set them all via setregproptool and a policy. I just rebooted one and re-reconned and it reports Set as I would expect. The issue for me was, the policy was scoped to "Firmware = Not Set" and set to Ongoing so clients kept doing it until it was done. But I can set that to Once Per Computer and check in in a few weeks.
Thanks, it's very much appreciated.
Michael
Yep, we've had similar challenges with that here. We also have a policy that tries to "fix" anything without a firmware password, but the Smart Group detecting the set value can be inaccurate, especially since most of our Mac users rarely reboot. We set the fw password at imaging time which helps reduce the negatives a bit.
Yeah, will be doing it at imaging time for new computers. The company just instated the firmware password requirement. Thanks again.
Does anyone have this working correctly. This thread looks a bit old. Tried the attributes that are posted. But didn't have any luck.
This is the script of the last one I tried.
#!/bin/sh
# setregproptool -c exits 0 when a firmware password is set
"/Library/Application Support/JAMF/bin/setregproptool" -c
result="$?"
if [[ "$result" == "0" ]]; then
echo "<result>Set</result>"
else
echo "<result>Not Set</result>"
fi
@rcorbin Is this for Yosemite and/or El Capitan you're testing on? If so, there's a new binary starting with 10.10 you can use called "firmwarepasswd" - full path is /usr/sbin/firmwarepasswd
For example, to check if a password is set, run
sudo /usr/sbin/firmwarepasswd -check
It will print something like Password Enabled: Yes
so you can script to check the output from the command now instead of checking for the exit status.
#!/bin/sh
# Capture the text output of -check (e.g. "Password Enabled: Yes") and match on it
FWPassCheck=$(/usr/sbin/firmwarepasswd -check)
if [[ "$FWPassCheck" =~ "Yes" ]]; then
echo "<result>Set</result>"
elif [[ "$FWPassCheck" =~ "No" ]]; then
echo "<result>Not Set</result>"
fi
@mm2270 So how do I go about getting this script into our Extension Attributes? I want to create a Smart Group based on the results of this script.
@kempt you can use the script @mm2270 posted as your extension attribute.
If you look, he has the result as either "Set" or "Not Set", so your Smart Group can scope against these.
I would most likely create a Smart Group called "Firmware password = Set" and the criteria would be my extension attribute "is" "Set". Then, if I were to do a policy to set the firmware password, I would scope it to "all managed clients", excluding my Smart Group called "Firmware password = Set".
I've tried using this script as an EA. It doesn't report anything for me though. If I just run it as a script through Terminal it works as expected. As an EA in JSS it doesn't show anything. The field that should be reporting "Set" or "Not Set" is left blank.
Anyone have any suggestions?
@nberanger Just to verify: are you doing a recon on the device you're looking to get reported on?
If so, try this. It's mine, slightly different, but working for me.
#!/bin/sh
result=`/usr/sbin/firmwarepasswd -check; echo $?`
if [[ "$result" == "Password Enabled: Yes" ]]; then
echo "<result>Set</result>"
else
echo "<result>Not Set</result>"
fi
@nberanger Has inventory collection (recon) been run on Macs since you added the Extension Attribute? Those fields only get populated when the Mac(s) submit inventory. It will otherwise be blank until then.
Thanks @millersc . I tried your script, ran a recon on a test machine which has an EFI password set. When I then did a computer inventory search it returned the value "Not Set".
So your script worked a little better in that it gave me something, but just not the correct info.
Any other thoughts?
Thanks again.
@nberanger Run this and report back. I think you're getting some variable which is different.
sudo /usr/sbin/firmwarepasswd -check
@mm2270 Yes, I've been sure to run Recon on the test computer each time I've updated the script for the EA.
I ran that command and I am getting
Password Enabled: Yes
Which matches what you have in your script.
Ok, you just forced me to check my own EA and fix it. Try this one:
#!/bin/sh
# Capture only the command's output this time (no exit status appended)
result=$(/usr/sbin/firmwarepasswd -check)
if [[ "$result" == "Password Enabled: Yes" ]]; then
echo "<result>Set</result>"
else
echo "<result>Not Set</result>"
fi
Haha, that did it. Thank you very much @millersc The inventory report appears to be working correctly now. Really appreciate your help getting this one sorted out.
FWIW, the one I posted was and still is working for me. I'm not sure why it wasn't for you.
Looking back on this, it could really be simplified quite a bit, assuming you are assured your target machines are going to have the firmwarepasswd binary on them.
#!/bin/sh
echo "<result>$(/usr/sbin/firmwarepasswd -check | awk '{print $NF}')</result>"
The above should give you a simple "Yes" or "No" as possible results. I don't think the -check syntax can show any other type of result.
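Pulling the thread's pieces together, here is an added example of an Extension Attribute that is not one of the scripts posted above. It prefers firmwarepasswd on 10.10 and later, falls back to the JAMF copy of setregproptool on older releases (both paths are the ones named in the thread), and returns an assumed third value, "Unknown", when neither binary is present or the output is unrecognised, so that a missing tool is never silently reported as "Not Set". The parsing is split into its own function so it can be exercised with constructed output.

```sh
#!/bin/sh
# Added example for a Jamf Extension Attribute (not one of the scripts posted in
# the thread). Reports Set / Not Set / Unknown, preferring firmwarepasswd
# (10.10+) and falling back to the JAMF copy of setregproptool on older releases.
# "Unknown" is an assumed third value so a missing binary or unexpected output
# is never silently reported as "Not Set".

FWPW_BIN="/usr/sbin/firmwarepasswd"
SETREG_BIN="/Library/Application Support/JAMF/bin/setregproptool"

# Map the text printed by `firmwarepasswd -check` to an EA value. A substring
# match is used on purpose: it tolerates trailing whitespace and anything else
# appended to the captured output (such as an `echo $?` glued on by mistake).
parse_fwpasswd_check() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "Set" ;;
        *"Password Enabled: No"*)  echo "Not Set" ;;
        *)                         echo "Unknown" ;;
    esac
}

# Decide which tool is available and return the EA value on stdout.
fw_status() {
    if [ -x "$FWPW_BIN" ]; then
        parse_fwpasswd_check "$("$FWPW_BIN" -check 2>/dev/null)"
    elif [ -x "$SETREG_BIN" ]; then
        # setregproptool -c exits 0 when a password is set. As noted earlier in
        # the thread, it may keep reporting "not set" until the Mac has rebooted.
        if "$SETREG_BIN" -c >/dev/null 2>&1; then
            echo "Set"
        else
            echo "Not Set"
        fi
    else
        echo "Unknown"
    fi
}

# The EA body: Jamf reads whatever sits between the <result> tags.
echo "<result>$(fw_status)</result>"
```

When scoping the remediation policy, scope it to the EA "is" "Not Set" rather than "is not" "Set", so machines that report "Unknown" are reviewed by hand instead of being repeatedly hit by the policy.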
Odd indeed, the second one did work for me. The one you just posted also worked nicely.
After getting this running, I also noticed that JAMF already had an EA template set up for returning exactly this information :P