Solved

Extension Attribute to find the status of EFI Security mode

  • April 7, 2015
  • 5 replies
  • 41 views


It seems that I can no longer get the security-mode from the following methods on Yosemite:

echo "<result>$(nvram -p | grep security-mode)</result>"
or
echo "<result>$(system_profiler | grep security-mode)</result>"
or
echo "<result>$("/Library/Application Support/JAMF/bin/setregproptool" -c)</result>"

I use the setregproptool placed in the JAMF/bin folder to set the EFI password using a policy at first login. The machine asks for the EFI password when option booting, but I just need the output for reporting/compliance.

Is anyone else seeing this issue?


mm2270
  • Legendary Contributor
  • Answer
  • April 7, 2015

You need to check the exit status of the command:

"/Library/Application Support/JAMF/bin/setregproptool" -c

It does not, and as far as I know never has, send output directly to the shell when running that. The exit status ($?) will be either 0 (ON) or 1 (OFF).

#!/bin/sh

# setregproptool -c prints nothing; the firmware password state is in its exit status
"/Library/Application Support/JAMF/bin/setregproptool" -c
EFIStatus=$?

# 0 = password on; anything else is reported as off
if [ "$EFIStatus" -eq 0 ]; then
     result="On"
else
     result="Off"
fi

echo "<result>$result</result>"

  • Contributor
  • April 7, 2015

I use this:
It's based off having the setregproptool in the jamf bin folder.

#!/bin/sh

# Exit status of setregproptool -c: 0 means the firmware password is set
"/Library/Application Support/JAMF/bin/setregproptool" -c
result="$?"

if [ "$result" = "0" ]; then
    echo "<result>Set</result>"
else
    echo "<result>Not Set</result>"
fi


spalmer
  • Valued Contributor
  • April 8, 2015

According to https://jamfnation.jamfsoftware.com/discussion.html?id=13765#responseChild82487 there is a new tool built into Yosemite to do this.


Forum|alt.badge.img+7

@mm2270 Thanks Mike. Was trying to test in Shell and was not getting the desired outcome. That worked for me.
@pblake Thanks for the input as well.
@spalmer Thanks for the link.


  • Contributor
  • August 31, 2015

Yes, there is a new tool in Yosemite (OS X 10.10.x) to SET, UNSET and TEST if set.

I have used it quite successfully.
Obviously this Yosemite tool does not work with OS X 10.9.x and earlier.

The tool is called: firmwarepasswd
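
An added example, not part of any post in this thread: an extension attribute that tries firmwarepasswd first and falls back to the setregproptool exit status, and that reports "Unknown" instead of "Not Set" when neither tool gives a usable answer, so a missing binary is not recorded as a compliance failure. It assumes the script runs as root (as Jamf extension attributes do) and that `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No"; the FIRMWAREPASSWD and SETREGPROPTOOL variables and the function name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Tool paths can be overridden through
# these hypothetical variables, which also allows testing against stubs.
FIRMWAREPASSWD="${FIRMWAREPASSWD:-/usr/sbin/firmwarepasswd}"
SETREGPROPTOOL="${SETREGPROPTOOL:-/Library/Application Support/JAMF/bin/setregproptool}"

efi_password_status() {
    # OS X 10.10 and later: ask the built-in tool (assumed output format).
    if [ -x "$FIRMWAREPASSWD" ]; then
        out=$("$FIRMWAREPASSWD" -check 2>/dev/null) || out=""
        case "$out" in
            *"Password Enabled: Yes"*) echo "Set"; return ;;
            *"Password Enabled: No"*)  echo "Not Set"; return ;;
        esac
    fi

    # Older systems: setregproptool -c prints nothing; per the accepted
    # answer its exit status is 0 (on) or 1 (off).
    if [ -x "$SETREGPROPTOOL" ]; then
        rc=0
        "$SETREGPROPTOOL" -c >/dev/null 2>&1 || rc=$?
        case "$rc" in
            0) echo "Set" ;;
            1) echo "Not Set" ;;
            *) echo "Unknown" ;;   # any other exit status is a tool failure
        esac
        return
    fi

    # Neither tool is present or usable: do not report this as "Not Set".
    echo "Unknown"
}

echo "<result>$(efi_password_status)</result>"
```
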