Posted on 09-27-2017 12:17 PM
Hey all,
I'm currently trying to find a solution to the following issue:
macOS Recovery allows any user whose computer has been updated to 10.12.4 or above to bypass our restricted software policy regarding High Sierra, allowing users to upgrade to the latest OS.
command + option + r kicks off macOS Recovery in a mode that is set to download and install the LATEST OS compatible with the device (High Sierra in this case). Are there any ways to restrict this that don't involve adding a firmware password to each computer?
If not, is it possible to script firmware passwords via JSS?
Posted on 09-27-2017 12:24 PM
@jdye Firmware Passwords are pretty much your only way to prevent booting into the Recovery Partition. You can enable & disable Firmware Passwords via a Policy targeting machines based on their EFI Password Mode.
EDIT: I've had problems with Extension Attribute "EFI Password Mode" (under Security Reporting in the EA Templates), so I use this EA instead (works on 10.11 and 10.12):
#!/bin/sh
# Extension Attribute: report whether a firmware (EFI) password is set.
# `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No",
# so the third whitespace-separated field is the Yes/No value.
result=$(/usr/sbin/firmwarepasswd -check | awk '{print $3}')
if [ "$result" != "" ]; then
    echo "<result>$result</result>"
else
    # Nothing parsed: report No so the machine is picked up by the enable policy
    echo "<result>No</result>"
fi
Posted on 09-27-2017 08:51 PM
Just saw your post. I'm going through the same thing and am going to attempt this:
https://www.jamf.com/jamf-nation/articles/58/setting-efi-passwords-on-mac-computers-models-late-2010-or-later
Posted on 09-28-2017 08:52 AM
@rsgrammar That article you link to is way out of date if you're using a recent version of Jamf Pro and macOS. You can now enable and disable the EFI password on a Mac using the EFI Password payload in a Policy. Use the EA in my post above to create a Smart Group targeting any machines that return No for that EA, and then create a Policy scoped to that Smart Group with an EFI Password payload. Note that you'll have to add a Restart Options payload set to Restart the machine (for both No User Logged in and User Logged In) for the password setting to apply.
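The Extension Attribute posted above keys on field 3 of the `firmwarepasswd -check` output and echoes "No" whenever nothing is parsed, which means a Mac where the command failed or was absent is indistinguishable from one with no password, and would be scoped into the EFI Password policy described in this post. The script below is an added example (not code from the thread or from Jamf) of a more defensive EA for the same Smart Group workflow: it parses the "Password Enabled:" line by name rather than position, and reports "Unknown" when the tool is missing or exits non-zero so the Smart Group can be built on an explicit "No". The "Password Enabled: Yes|No" line format is an assumption taken from the field-3 parsing in the original EA; the sample strings are constructed for testing.

```shell
#!/bin/sh
# Added example, not from the thread: a defensive Jamf Extension Attribute for
# firmware (EFI) password status. Assumes /usr/sbin/firmwarepasswd -check prints
# a line of the form "Password Enabled: Yes" or "Password Enabled: No".

# Map the text of `firmwarepasswd -check` to Yes / No / Unknown.
# Takes the command output as $1 so it can be exercised without the tool.
parse_fw_status() {
    _out="$1"
    # Split on "colon plus optional spaces" and select the line by its label,
    # not by field position, so extra words or spacing do not break parsing.
    _val=$(printf '%s\n' "$_out" \
        | awk -F': *' 'tolower($1) ~ /password enabled/ {print $2; exit}')
    case "$_val" in
        [Yy]es) echo "Yes" ;;
        [Nn]o)  echo "No" ;;
        *)      echo "Unknown" ;;
    esac
}

# Run the real tool when present; any failure becomes Unknown rather than No,
# so a broken check cannot accidentally scope a machine into the enable policy.
fw_status() {
    if [ -x /usr/sbin/firmwarepasswd ]; then
        _raw=$(/usr/sbin/firmwarepasswd -check 2>/dev/null) || { echo "Unknown"; return 0; }
        parse_fw_status "$_raw"
    else
        echo "Unknown"
    fi
}

# Jamf EA output wrapper: the value lands between <result> tags.
ea_result() {
    echo "<result>$(fw_status)</result>"
}

# Constructed sample outputs (not captured from a real machine) used to
# check the parser; the Smart Group criterion would be "EA is No".
SAMPLE_ENABLED="Password Enabled: Yes"
SAMPLE_DISABLED="Password Enabled: No"
SAMPLE_GARBAGE="firmwarepasswd: error"

ea_result
```

Scope the EFI Password policy to a Smart Group where this EA is exactly "No"; machines returning "Unknown" should be investigated rather than silently assigned a password and rebooted.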
Posted on 09-28-2017 01:39 PM
@sdagley Thanks for the help!
Posted on 09-28-2017 06:14 PM
@sdagley Going through it, I was thinking the same thing. I did notice the EFI option but thought nothing of it. Thanks for the heads up before I start scratching my head about this.