Solved

Firmware password smart group?

  • July 22, 2013
  • 6 replies
  • 43 views


Hello all,

Is it possible to identify which Macs have a firmware password set using smart groups?

Many thanks

Phill


6 replies

mm2270
  • Legendary Contributor
  • Answer
  • July 22, 2013

The answer is Yes and No.

For one, it partly depends on how your Macs are set up. For example, you would need either the Firmware Password Utility.app installed somewhere on the systems, or at the very least the setregproptool pulled from the above app's /Contents/Resources/ directory deployed to your Macs.
With one of those in place, you could have an Extension Attribute script that called the setregproptool binary to check the EFI firmware status. It returns 0 for set and I think 1 for un-set. Using that, you could return the result in your EA and build a Smart Group from there.

There's one problem with this approach that could affect your Smart Groups. The status of the firmware password (0 or 1) only gets properly updated after a reboot. Meaning, if you set the firmware password using the binary and the machine doesn't reboot, the status will still report as 1 or "not set", in which case those Macs will fall into (or out of) your Smart Group.
Just something to keep in mind. As far as I know there is no other way to check the status other than through the setregproptool, and the reboot is a necessity to have it update after it's been either set or un-set.


mscottblake
  • Honored Contributor
  • July 22, 2013

There is an Extension Attribute found at https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=598 that does just what mm2270 described.


  • Author
  • New Contributor
  • August 6, 2013

Hi Both,

Apologies for the late response. Thank you for your comments, I'll give it a try now :)

Phill


  • New Contributor
  • August 30, 2013

Hi,

I have tried the Extension Attribute and it still reports none for me, even though I have a firmware password set with setregproptool. Where does setregproptool need to be located for the script to report back?


  • Contributor
  • September 11, 2013

I have tried the Extension Attribute, Casper reports my machines to be "Not Set". Yet, my machines have had firmware passwords set for years.

Just prior to adding this Extension Attribute, I placed "setregproptool" at /Library/Application Support/JAMF/bin/

Thoughts as to what I am missing?


mm2270
  • Legendary Contributor
  • September 11, 2013

I just downloaded msblake's EA for this. If that's the one you guys are using, it doesn't have a full path to the setregproptool when it calls it.
This is what it looks like:

#!/bin/sh

# Calls the tool by bare name, so it is only found if it is somewhere in PATH
setregproptool -c
result = $?

if [[ "$result" == "0" ]]; then
     echo "<result>Set</result>"
else
     echo "<result>Not Set</result>"
fi

I assume this would work if the setregproptool was located in /Library/Application Support/JAMF/bin/, but if you've placed it there and it's still not working, you may want to edit the script for the EA to just include the full path to the tool.

Edit to look like this instead:

#!/bin/sh

# Full path to the tool; -c checks the firmware password status via exit code
/Library/Application Support/JAMF/bin/setregproptool -c
result="$?"

# Exit status 0 means a firmware password is set, anything else means not set
if [[ "$result" == "0" ]]; then
     echo "<result>Set</result>"
else
     echo "<result>Not Set</result>"
fi

Also please remember that if a Mac has its firmware password set using a script calling the setregproptool, it will not show as Set until a full reboot is done.
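As an added example (not the EA posted in this thread, and not Jamf's own code), here is an Extension Attribute in the same spirit as mm2270's corrected script that also addresses the symptom reported earlier in the thread: machines reporting "Not Set" even though a password is set. Instead of one hard-coded call, it looks for setregproptool in a list of candidate locations and reports "Tool Missing" when none exists, so a mis-deployed binary cannot silently file a Mac under "Not Set". The two candidate paths are assumptions about where the binary was deployed (the JAMF bin directory mentioned above, and the Firmware Password Utility app's Contents/Resources folder, assuming the app lives in /Applications/Utilities); the exit-code mapping (0 = set, 1 = not set) is the one mm2270 described. The reboot caveat from the thread still applies: the value is only reliable after the Mac has rebooted since the password was changed.

```shell
#!/bin/sh
# Added example, not the Extension Attribute from the thread.
# Reports the EFI firmware password state for a Jamf Smart Group, but tells a
# missing setregproptool binary apart from a genuinely unset password.

# Candidate locations for setregproptool, one per line. Both paths are
# assumptions about where the binary was deployed; adjust to your environment.
CANDIDATES='/Library/Application Support/JAMF/bin/setregproptool
/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool'

# Print the first candidate that exists and is executable; return 1 if none does.
# A here-document is used instead of a pipe so the loop runs in this shell and
# "return" works as expected.
find_setregproptool() {
    while IFS= read -r fw_path; do
        if [ -n "$fw_path" ] && [ -x "$fw_path" ]; then
            printf '%s\n' "$fw_path"
            return 0
        fi
    done <<EOF
$CANDIDATES
EOF
    return 1
}

# Map the exit status of "setregproptool -c" to the EA value.
# 0 = password set, 1 = not set (as described in the thread); anything else is
# reported as Unknown rather than being lumped in with "Not Set".
status_to_result() {
    case "$1" in
        0) echo "Set" ;;
        1) echo "Not Set" ;;
        *) echo "Unknown" ;;
    esac
}

# Locate the tool, run the check and return the EA value on stdout.
# "Tool Missing" is a distinct value so Smart Groups can catch deployment
# problems instead of treating them as an unset password.
firmware_password_result() {
    if ! fw_tool=$(find_setregproptool); then
        echo "Tool Missing"
        return 0
    fi
    # The tool answers through its exit status; output is not needed.
    if "$fw_tool" -c >/dev/null 2>&1; then
        fw_status=0
    else
        fw_status=$?
    fi
    status_to_result "$fw_status"
}

# Jamf reads the value between the <result> tags.
echo "<result>$(firmware_password_result)</result>"
```

With this in place you can build one Smart Group on "Set", another on "Not Set", and a third on "Tool Missing" or "Unknown" to find Macs where the EA itself is not working, which is exactly the situation the two "Not Set" reports above turned out to be.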