EFI Password already set?

david_yenzer
Contributor II

We are attempting to install an EFI password on some test machines and are experiencing some issues. Our procedure is as follows:

(1) Put the setregproptool inside /Library/Application Support/JAMF/bin
(2) Create a .pkg package for the setregproptool that has been uploaded to Casper Admin. Distribution of this file seems to work successfully.
(3) Run a JAMF policy on the Accounts tab for Open Firmware/EFI Password with Mode set to "Command" and the Set box checkmarked.

The issue is that whenever #3 is run we get an error that "EFI Password is already set". If I option boot to get to the manual EFI Password Utility - it's not set. I can set it, reboot, and unset it, reboot, and the policy does the same thing.

Any thoughts on what the issue might be? I initially was thinking maybe the setregproptool might be a "one off" thing that was triggered on our first test machine before I packaged it and distributed - but I recaptured the setregproptool and still have this issue.

Thanks!

Note: I am using https://jamfnation.jamfsoftware.com/article.html?id=58 as reference material.


11 REPLIES

CasperSally
Valued Contributor II

I think there are issues with the accounts tab with the new tool.

I include a line like below in post image script to set it, You could write a script with line like below and push it out via policy.

/Library/Application Support/JAMF/bin/setregproptool -p newpassword -o oldpassword

david_yenzer
Contributor II

The result I'm getting is:
Script Result: /private/tmp/EFI Password Set New.sh: line 5: /Library/Application: No such file or directory

I'm wondering if this is an issue like in Terminal where to change directories to a location that has a "space" in it (Application Support) you have to write it as /Application Support/

I attempted to update the script like that but also no luck. Any ideas what I'm doing incorrectly?

CasperSally
Valued Contributor II

This is what you're looking for
/Library/Application Support/JAMF/bin/setregproptool -m command -p newpass -o oldpass

I'm not a scripting expert, but when in doubt, when I write a script, I drag the item to terminal to get the path it's looking for.

david_yenzer
Contributor II

Still no luck. "Segmentation fault" is the error now, even though it shows the policy as successful. I tried a few variations of the above code with the mode -m command.

/usr/sbin/jamf is version 8.52
Executing Policy EFI Password...
[STEP 1 of 3]
Mounting afp://macserverwc01.belps.org/CasperShare to /Volumes/CasperShare...
[STEP 2 of 3]
Running Script EFI Password Set New.sh...
Script Exit Code:139
Script Result: /private/tmp/EFI Password Set New.sh: line 5: 16898 Segmentation fault: 11 /Library/Application Support/JAMF/bin/setregproptool -m command -p [password removed]
Unmounting file server...
[STEP 3 of 3]
Running Recon...
Searching Additional Path: /Users/
Gathering Application Usage Information...
Finding Extension Attributes...

mm2270
Legendary Contributor III

Just curious, but do these Macs already have an existing firmware password applied to them? In your first sentence in your original post, it sounds like you're applying the EFI password for the first time. If that's the case, you can drop the -o oldpassword part of the command. Just do /path/to/setregproptool -m command -p password and see what happens. You would only need the 'oldpassword' if you were changing an existing password.

You can also try enclosing the path to the tool in double quote marks, as in:

"/Library/Application Support/JAMF/bin/setregproptool" -m command -p password

david_yenzer
Contributor II

Aside from the machines I'm testing with right now, the idea is that the machines will NOT have an EFI password currently set.

I tried not including the -o oldpassword and adding quotes in various formats, but no luck with that. However, what I do seem to be having luck with is running it all through JAMF via (1) a package that installs the setregproptool to the bin directory; and then (2) using a JAMF policy to set the Accounts > Set Open Firmware/EFI Password; (3) using Mountain Lion machines (including a brand new imac and several MBPs). So far it looks like my Lion tests are failing 100% and Mtn Lions are succeeding 100%. And thus my question is this: The setregproptool that I got was from a mountain lion image - is that the source of my woes? If I use the same process to capture the setregproptool from a Lion image will that work for Lion machines?

david_yenzer
Contributor II

Also please note that when I ran the above policy on Mtn Lion machines it actually allows me to 'succeed' with the policy many times - including if I change the password in the policy and rerun it - it doesn't actually seem to stick the EFI Password permanently until the machine is rebooted. Might want to force a reboot if we go this route.

mm2270
Legendary Contributor III

The password gets applied with the command, but running a check for the setting via the setregproptool will always show as "not set" (or if removing it, shows as "set") until a reboot is done. It's just one of the quirks with this, so yes, you may want to include a reboot after the setting gets applied.

As for any difference in the setregproptool versions between OSes, I quite honestly don't know, but it's certainly possible you may need to build one for each OS version to get it to work.
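
A small wrapper script that pulls together the points raised in this thread (the path with a space must be quoted, -o is only needed when replacing an existing password, the check flag only reflects the state after a reboot, and exit code 139 means the tool itself crashed), added here as an example and not code from any poster; it assumes the tool sits in the Jamf bin path used above and that -c is setregproptool's check flag.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps setregproptool with the
# path quoted (the "Application Support" space broke the unquoted version),
# checks current state with -c, passes -o only when changing an existing
# password, and reports the 139 (128+SIGSEGV) exit seen when the wrong
# OS build of the tool was run. TOOL can be overridden for testing.
TOOL="${TOOL:-/Library/Application Support/JAMF/bin/setregproptool}"

# Returns 0 if the firmware reports a password set, 1 otherwise.
# Quirk from the thread: the reported state only changes after a reboot,
# so a password set moments ago still shows as "not set" here.
fw_password_is_set() {
    "$TOOL" -c >/dev/null 2>&1
}

# set_fw_password NEWPASS [OLDPASS]
# Applies command mode. OLDPASS is only needed when replacing a password.
set_fw_password() {
    newpass="$1"
    oldpass="${2:-}"
    if [ ! -x "$TOOL" ]; then
        echo "setregproptool not found or not executable at: $TOOL" >&2
        return 2
    fi
    if [ -n "$oldpass" ]; then
        "$TOOL" -m command -p "$newpass" -o "$oldpass"
    else
        "$TOOL" -m command -p "$newpass"
    fi
    rc=$?
    if [ "$rc" -eq 139 ]; then
        # The tool itself crashed; in the thread this meant a Mountain Lion
        # build of setregproptool running on a Lion machine.
        echo "setregproptool segfaulted; check the binary matches this OS" >&2
    fi
    return "$rc"
}

# Example use (pass the password in $1): skip if already set, else apply
# and remind the operator that a reboot is needed before -c reflects it.
if [ "$#" -ge 1 ]; then
    if fw_password_is_set; then
        echo "firmware password already set; use -o to change it"
    elif set_fw_password "$1"; then
        echo "firmware password applied; reboot for it to take effect"
    fi
fi
```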

david_yenzer
Contributor II

Sooooo...now that Lion is no longer in the store, and I can't get the ESD image on a thumbdrive to play the same way.....does anybody have a Lion setregproptool they want to pass along? Ha.

mm2270
Legendary Contributor III

If you have any Lion systems around, you can pull it from the Recovery HD partition, but the process is several steps.

On a 10.7 Mac:
1- Locate the disk identifier for Recovery HD by running:

diskutil list

in Terminal. On my systems they show up as disk0s3.

2- From Terminal, do:

diskutil mount disk0s3

If successful, it should report something like: "Volume Recovery HD on disk0s3 mounted"

3- If you navigate into the mounted Recovery HD and list everything you should see a "com.apple.recovery.boot" directory.

cd "/Volumes/Recovery HD/"
ls -l
com.apple.recovery.boot

4- Navigate into the com.apple.recovery.boot directory

cd com.apple.recovery.boot

5- List everything again with ls -l and you'll see BaseSystem.dmg. Mount that by doing:

hdiutil attach BaseSystem.dmg

It will do a checksum on the dmg before it mounts in the Finder. It should open a new Finder window to the contents.

6- Now just navigate into the mounted disk image's Applications folder and into Utilities. Locate the Firmware Password Utility.app. Right click to "Show Package Contents" and then navigate to /Contents/Resources/. The setregproptool is in there. Copy it and use.

Since you'd be pulling that from a Mac running Lion, it should hopefully be the right version to work on your Lion systems.

All that said, I'm not entirely convinced the differing versions would cause the commands not to work, but I suppose it's possible.

david_yenzer
Contributor II

Boom - Using your instructions to acquire a 10.7 Lion version of the setregproptool, I just successfully ran EFI via JAMF on a 10.7 machine and it worked! I will test more later, but so far that looks way better than the results I was getting before. So, to summarize, it does look to me, at least in our environment, that the setregproptool for Lion is different than the setregproptool for Mtn Lion. All I've got going is one policy in JAMF that includes a package that distributes the setregproptool into the JAMF/bin folder and then the Account EFI settings that sets it to command mode with a password. THANKS FOR THE HELP!