EFI failures in policy

mconners
Valued Contributor

Hi Folks,

We have a firmware password payload configured in ALL of our lab deployment and employee deployment policies. Essentially, all of our Macs have this EFI password configured.

When re-imaging, we remove the Mac from the JSS so it starts fresh and clean. We provide the correct name in Casper imaging and once the original OS is laid down, the name of the Mac will determine the workflow. With this, the lab deployment will begin to be applied, including the aforementioned EFI password.

Because there is an EFI password already configured, this causes the message to come back as NULL in the log file. While this specific issue isn’t a true error, the policy is showing up as failed.

The problem here is after a period of time, these failures are showing up as false positives. I don't want to assume every time I see a failure in a policy that it is truly a new thing as opposed to the EFI password thing interfering.

Anyone else running into this and how are you getting around it when you re-image a Mac? Do I remove the password PRIOR to imaging? Just some random thoughts to talk it through.

Thank you


bvrooman
Valued Contributor

I don't have our firmware password apply at imaging; I do it as a post-imaging policy, scoped only to Macs which do not already have a firmware password. That way, if I reimage a machine the policy won't fail (because it doesn't need to set an already-configured password), and if I image a new machine it will still apply the password without intervention.

mconners
Valued Contributor

Hello @bvrooman, that makes total sense. Sometimes when I am too close to the trees I don't see the forest.

Let me ask, I looked through the criteria for building a smart group and I am not seeing criteria that matches "EFI" or "Firmware." How did you scope to Macs that didn't have the firmware password set?

Thank you again!!

bvrooman
Valued Contributor

I made the group with an extension attribute that checks the output of firmwarepasswd -check (which should return "Yes" if it's enabled).

mconners
Valued Contributor

Thank you @bvrooman I found a discussion on this and put into place the piece for the extension attribute. Trick was to use "firmwarepasswd" as you had mentioned and it appears it should work fine. Now I just need to wait for computers to check back in so I can build the smart group and off I go. Thank you!!
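The extension attribute bvrooman describes (and mconners then put in place) looks roughly like the script below. This is an added example written for this thread, not the script either poster used and not Jamf-supplied code. It assumes `firmwarepasswd` lives at `/usr/sbin/firmwarepasswd` on macOS and that `firmwarepasswd -check` prints a line of the form `Password Enabled: Yes` or `Password Enabled: No`; anything else (including the tool being absent, as on a non-Mac test box) is reported as `Unknown` rather than silently treated as "No", so the firmware-password policy is not scoped to a machine whose state could not be read.

```shell
#!/bin/sh
# Added example: Jamf extension attribute reporting whether a firmware (EFI)
# password is set. Not from the thread or from Jamf. Assumes the output
# format "Password Enabled: Yes|No" from firmwarepasswd -check.

# Map raw firmwarepasswd -check output to the EA value: Yes, No, or Unknown.
# Kept separate from the command call so the parsing can be tested offline.
parse_fw_check() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "Yes" ;;
        *"Password Enabled: No"*)  echo "No" ;;
        *)                         echo "Unknown" ;;
    esac
}

# Run the tool (macOS only). Missing tool or a non-zero exit yields Unknown,
# so a scoping mistake fails safe instead of re-applying the payload.
firmware_password_state() {
    fw_tool="/usr/sbin/firmwarepasswd"
    if [ ! -x "$fw_tool" ]; then
        echo "Unknown"
        return 0
    fi
    fw_out="$("$fw_tool" -check 2>/dev/null)" || { echo "Unknown"; return 0; }
    parse_fw_check "$fw_out"
}

# Jamf reads the EA value from the <result></result> tags on stdout.
ea_result() {
    echo "<result>$(firmware_password_state)</result>"
}

ea_result
```

With this EA populated, the smart group bvrooman describes is built on the criterion that the extension attribute value is "No"; scoping the firmware-password policy to that group means a re-imaged Mac that still has its password set is never targeted, so the NULL result in the log and the false "failed" status go away. Using "is No" rather than "is not Yes" keeps Macs reporting `Unknown` out of the group until they check in with a readable state.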