Bypassing Restricted Software Policy via macOS Recovery for High Sierra Upgrade

jdye
New Contributor III

Hey all,

I'm currently trying to find a solution to the following issue:

macOS Recovery allows any user whose computer has been updated to 10.12.4 or above to bypass our restricted software policy regarding High Sierra, allowing users to upgrade to the latest OS.

command + option + r kicks off macOS Recovery in a mode that is set to download and install the LATEST OS compatible with the device (High Sierra in this case). Are there any ways to restrict this that don't involve adding a firmware password to each computer?

If not, is it possible to script firmware passwords via JSS?

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@jdye Firmware Passwords are pretty much your only way to prevent booting into the Recovery Partition. You can enable & disable Firmware Passwords via a Policy targeting machines based on their EFI Password Mode.

EDIT: I've had problems with Extension Attribute "EFI Password Mode" (under Security Reporting in the EA Templates), so I use this EA instead (works on 10.11 and 10.12):

#!/bin/sh
# firmwarepasswd -check prints "Password Enabled: Yes" or "Password Enabled: No";
# the third field is the state we want to report
result=`/usr/sbin/firmwarepasswd -check | awk '{print $3}'`

if [ "$result" != "" ]; then
    echo "<result>$result</result>"
else
    # No output (tool missing or command failed): report as No
    echo "<result>No</result>"
fi


5 REPLIES 5

rsgrammar
New Contributor II

Just saw your post, I'm going through the same thing and going to attempt this:
https://www.jamf.com/jamf-nation/articles/58/setting-efi-passwords-on-mac-computers-models-late-2010-or-later

sdagley
Esteemed Contributor II

@rsgrammar That article you link to is way out of date if you're using a recent version of Jamf Pro and macOS. You can now enable and disable the EFI password on a Mac using the EFI Password payload in a Policy. Use the EA in my post above to create a Smart Group targeting any machines that return No for that EA, and then create a Policy scoped to that Smart Group with an EFI Password payload. Note that you'll have to add a Restart Options payload set to Restart the machine (for both No User Logged in and User Logged In) for the password setting to apply.
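One way to make the EA used in that workflow a little more robust, as an added example that is not sdagley's script: the parsing of the `firmwarepasswd -check` output is split into a function that returns Yes, No or Unknown, so a Smart Group scoped on "No" does not also pick up machines where the tool was missing or failed (the sample output strings below are constructed).

```shell
#!/bin/sh
# Jamf Extension Attribute: report whether an EFI (firmware) password is set.

# parse_fwpw_check reads the text printed by `firmwarepasswd -check` on stdin
# ("Password Enabled: Yes" or "Password Enabled: No") and prints a normalised
# state: Yes, No, or Unknown when the expected line is absent or malformed.
parse_fwpw_check() {
    awk '
        /^Password Enabled:/ {
            if ($3 == "Yes" || $3 == "No") { print $3; found = 1 }
        }
        END { if (!found) print "Unknown" }
    '
}

# ea_result wraps a state string in the <result> tags Jamf expects from an EA.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Constructed sample outputs, used to sanity-check the parser (these are not
# captured from a real machine).
SAMPLE_ENABLED='Password Enabled: Yes'
SAMPLE_DISABLED='Password Enabled: No'

# Query the real tool when it exists (macOS); otherwise report Unknown rather
# than No so the password-setting policy is not scoped at this machine.
if [ -x /usr/sbin/firmwarepasswd ]; then
    state=$(/usr/sbin/firmwarepasswd -check 2>/dev/null | parse_fwpw_check)
else
    state=$(printf '' | parse_fwpw_check)
fi

ea_result "$state"
```

On a Mac the script prints `<result>Yes</result>` or `<result>No</result>`; elsewhere, or if the tool errors out, it prints `<result>Unknown</result>`, which a Smart Group built on "No" will not match.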

jdye
New Contributor III

@sdagley Thanks for the help!

rsgrammar
New Contributor II

@sdagley Going through it I was thinking the same thing. I did notice the EFI option but thought nothing of it. Thanks for the heads up before I start scratching my head about this.