is there a way to remove the recovery lock password on Apple Silicon Macs without unenrolling/erasing them?
Solved
Removing recovery lock password
+9Best answer by michaelhusar
Here our bash script using jq https://gist.github.com/ExperimentalHeaven/09eeafa1122dd4bbac30cb9b91309b52
+14Apple's documentation doesn't list an explicit command to clear the Recovery Lock, but I'd imagine setting a blank password using the API would achieve this:
{
"clientData": [
{
"managementId": "x",
"clientType": "COMPUTER"
}
],
"commandData": {
"commandType": "SET_RECOVERY_LOCK",
"newPassword": ""
}
}
You'll need the Modern API /preview/mdm/commands endpoint. The Management ID (not the same as computer GUID) is needed, and you can get a list from the /preview/computers endpoint. Remember to change the 'size' value to something more appropriate for your environment, or you'll only get a partial list of computers returned.
Ref: https://developer.apple.com/documentation/devicemanagement/set_recovery_lock_command
+8Here our bash script using jq https://gist.github.com/ExperimentalHeaven/09eeafa1122dd4bbac30cb9b91309b52
+9Here our bash script using jq https://gist.github.com/ExperimentalHeaven/09eeafa1122dd4bbac30cb9b91309b52
I tried using your script and for some reason it keeps saying that the target serial number is not found !
Have you encountered such a thing?
+7Have just been down this road for a single computer using info from https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.html
Since I was experimenting on just one computer I implemented using the API interface available at https://myjamfinstance.jamfcloud.com/api/doc/#/mdm
I found that posting the API command SET_RECOVERY_LOCK with a blank password for a computer does remove the password.
In addition the computer shows as Recovery Lock:Not Enabled in Computers > Inventory > Security.
Note that at time of writing there is a typo in the the example json payload provided in Jamf documentation at https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.html as shown below .
{
"clientData": [
{
"managementId": "A9C3D1F0-DCB2-4D52-84C6-D5AD60140B04",
"clientType": "COMPUTER"
}
],
"commandData": {
"commandType": "SET_RECOVERY_LOCK",
"newPassword": "password",
}
}"password", should not have the trailing comma.
+5I tried using your script and for some reason it keeps saying that the target serial number is not found !
Have you encountered such a thing?
I'm having the same issue.
+5I'm having the same issue.
@MacJunior I figured out the issue. On line 61 in the script, the GET to the `/api/preview/computers?` endpoint is starting on Page 1 (meaning the 1001st computer). If you set it to Page = 0, it works!
+5@MacJunior I figured out the issue. On line 61 in the script, the GET to the `/api/preview/computers?` endpoint is starting on Page 1 (meaning the 1001st computer). If you set it to Page = 0, it works!
Whoops - it’s line 42 in the original script.
You want to change from $URL/api/preview/computers?page=1&page-size=1000 to $URL/api/preview/computers?page=0&page-size=1000 instead.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.