You'll need to either contact Apple over the phone and provide some kind of proof of purchase information, or bring it into an Apple Store with that same proof of purchase info and they should be able to reset it. Only Apple can do it.

Thanks. That's what I've been finding within Google.
I'll dig up my receipt and go from there.

Before you head of to the Apple Store: maybe keyboard layout (expect US at firmware prompt) is preventing you from typing the password?

Sorry to dredge up an old thread...but is there any way to PREVENT a user from setting a Firmware password, via script or a profile?

@KSchroeder Only if one is set by you. Meaning, if no password is set for Firmware, a user with admin privs can do a Google search and find out how to use the firmwarepasswd binary to set one in Terminal, or, even if not an admin, if they are able to Command+R boot into Recovery HD, they can set a password there since it boots into a root account.

So the only effective way to stop someone from setting one is to set one ahead of time. It's unfortunate that it works this way, but Apple has been unreceptive to any modifications in this area. We've submitted several requests to them to allow us to lock out some aspects of firmware booting, but allows others without needing the password. Those requests have had no progress at all.

OK, and by doing so that would require the password on every boot, correct? And then since they know the password, they can change it using setfirmwarepassword binary as you mentioned. Ugh.
Consumerization of IT :thumbs_down:

@KSchroeder No. The only time it would need to be entered on every boot was if it was set to mode "full" which means on every startup. If set to "command" it will only be needed when alternate booting, i.e. booting with Option key down, or into Recovery (Command + R), Single User mode (Command + S), etc. (See the firmwarepasswd help page for more info - firmwarepasswd -h) Regular bootups won't require the password and users don't need to know it. For obvious reasons, you won't want to set it to full. Use command only.

My only regret is users not being able to boot to Recovery HD to do some basic self triage repairs. We have many tech savvy users who I would trust to do this, but it would require them knowing the FW password and, as you said, once they know it, they can change it, and subsequently forget it. I've had some users forget their own login password if they haven't logged in in a couple of weeks. I can only imagine how easily they would forget a firmware password only used once every so many months.

OK @mm2270, thanks again for all your input here. Looks like there is a method for pushing this as a Policy as will (via the EFI Firmware payload). Will give it a try!