Bypass Firmware Password on Bootcamp

rm2930
New Contributor

Currently my organization is using Bootcamp in order to run specific Windows apps instead of Parallels. Is there a way to bypass the firmware prompt when switching from the Mac to the Windows OS without actually disabling the firmware itself via JAMF?

 

Thank you

5 REPLIES

prav922833
New Contributor
You can use restart in (or startup disk selection) to avoid this issue.

With Regards,
Praveen Kumar
Certified Associate | Jamf Pro 200 | CompTIA N+
Senior PreSales Consultant - Conquer Technologies - Chennai

I already tried that but that requires admin access which we do not want to give users.

easyedc
Valued Contributor II

A few folks have written posts around the security command and editing security authorizationdb.

Maybe look into something like this: https://macmule.com/2012/05/13/unlocking-preference-panes-for-non-admin-users-on-10-6-10-7/ or https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/. It's a legacy process, but you may find something similar still functions. Running a quick test on my Monterey system, it does still set the startup disk lock.

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.startupdisk allow

In the attached pic, the lock is forced open. You can't re-lock it, and on relaunching System Preferences it always opens that pane unlocked. I don't have a second partition to try booting to ATM, but give it a try. It should also keep that setting through reboots.

Startup Disk.png

Fluffy
Contributor III

Something I would keep in mind for this approach is that it enables the user to erase the device by plugging in a USB installer and get out of supervision. Although, the firmware password would still protect against anyone who can't normally log in to the device.

easyedc
Valued Contributor II

It's a fair point about a user being able to wipe a device if they can pick the boot drive on their own. There is the safeguard with ABM for folks who are able to use that program - if it's wiped, it'll re-enroll to your Jamf server.
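
Added example (not posted by anyone in this thread): a small audit that reports whether the two rights changed by the security authorizationdb write commands above are still admin-only or have been opened to every user, so the relaxation can be tracked per machine. The function names and the sample plists are constructed for illustration; the plist shapes are an assumption about what security authorizationdb read prints, so compare them with real output on your macOS version.

```python
import plistlib
import subprocess

# The two rights written by the commands quoted in the thread.
RIGHTS = ("system.preferences", "system.preferences.startupdisk")

def classify_right(plist_bytes):
    """Classify one right definition (XML plist) from the authorization database."""
    entry = plistlib.loads(plist_bytes)
    rules = entry.get("rule", [])
    if isinstance(rules, str):
        rules = [rules]
    if entry.get("class") == "allow" or "allow" in rules:
        return "open"        # any logged-in user passes without a prompt
    if entry.get("class") == "user" and entry.get("group") == "admin":
        return "admin-only"  # admin credentials are required
    return "custom"          # something else: review by hand

def read_right(right):
    """Read a right from the local authorization database (macOS only)."""
    done = subprocess.run(["security", "authorizationdb", "read", right],
                          capture_output=True, check=True)
    return done.stdout

def audit(rights=RIGHTS, reader=read_right):
    """Return {right: state}; pass a different reader to run against saved output."""
    return {right: classify_right(reader(right)) for right in rights}

# Constructed samples (assumed shapes, not captured from a real machine).
SAMPLE_ADMIN = (b'<plist version="1.0"><dict>'
                b'<key>class</key><string>user</string>'
                b'<key>group</key><string>admin</string>'
                b'<key>shared</key><true/></dict></plist>')
SAMPLE_ALLOW = (b'<plist version="1.0"><dict>'
                b'<key>rule</key><array><string>allow</string></array>'
                b'<key>version</key><integer>0</integer></dict></plist>')

if __name__ == "__main__":
    # Offline run over the constructed samples; on a Mac call audit() instead.
    saved = {"system.preferences": SAMPLE_ADMIN,
             "system.preferences.startupdisk": SAMPLE_ALLOW}
    for right, state in audit(reader=saved.get).items():
        print(f"{right}: {state}")
```

The printed state can be returned as a Jamf extension attribute value so that machines where the startup disk right is open show up in a smart group.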