Skip to main content

I have some new hardware that I need to setup with firmware passwords so people cannot boot from USB. I read through the Setting EFI Passwords on Mac Computers (Models Late 2010 or Later) article, but it doesn't say anything about using Casper Remote or Imaging to set the passwords once that file is located on the client or if it has to be done with a script?



Once that file is located on the client computers, what methods do I have to choose from when setting the firmware?



iMac Intel (27-inch, Mid 2011)
13-inch MacBook Pro (Mid 2012)

I have a startup triggered policy that is scoped to machines that don't have an EFI Password set. It makes sure the setregproptool is on the machine and runs a script that looks something like this:



/Path/to/setregproptool -m command -p typeEFIPwdHere



I think the setregproptool has a man page that you can dig up more details/options.

Hey Scott,



Once you put the setregproptool binary into the proper JAMF folder, you can set it via policy. under the Accounts pane in a policy in the JSS there is a field to input the firmware password. It will be in a box in the bottom right corner of that pane in the policy you'd create in the JSS.



You can also obviously do it via a script as well, like previously mentioned.



Thanks,
Tom

Great. That's what I was looking to hear. I just wanted to make sure that those built-in functions in Casper still worked.



I like the idea of a scoped script though.



Thanks!

I didn't realize you could use the built in JAMF stuff once you put the setregproptool in the right spot. Cool! I'll have to check that out.



You will still be able to scope the policy if you don't use a script. I just assumed that the JAMF option only worked for older models and that is why I went with the script.

I used to do it via a script, and I put the setregproptool in the standard $PATH in my image, which was /usr/sbin for me. That way I could script changes later on if I needed to. I posted a tips and tricks article a while ago that is around here and of course we have the official JAMF KB article on it as well. You can pick whichever way you want to deploy firmware passwords. Obviously, putting passwords in scripts has a downside.



Cheers!



Tom

Brock from jamf sent me this



http://nbalonso.com/install-firmware-passwords/



it really helped :)



thanks

Hello:



You might want to take a look at our firmware_password_manager script which allows management of firmware password.



Its available in our github repo here:



https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager



If you have any questions or problems, please let us know.

Terms & ConditionsCookie settings