EFI password extension attribute

lisacherie
Contributor II

Was previously using nvram -p to check the security-mode, since this doesn't work with the late 2010 hardware onwards. Here is a short extension attribute that will tell you whether the password is set, though unfortunately not the mode.

If anyone knows how to determine the mode, please share! It's not an option in the setregproptool.

#!/bin/sh

# -c exits 0 when a firmware password is set and 1 when it is not; the path contains a space, so it must be quoted
EFIP=`"/Library/Application Support/JAMF/bin/setregproptool" -c; echo $?`

echo "EFI is $EFIP"

echo "<result>$EFIP</result>"

franton
Valued Contributor III

I can't remember if this is built into the JSS as a template or I got it from someone else @rtrouton @bentoms (?) but this is what I use:

#!/bin/sh
result=`nvram -p | grep security-mode | awk '{print $2}'`

if [ "$result" != "" ]; then
    echo "<result>$result</result>"
else
    echo "<result>none</result>"
fi

mm2270
Legendary Contributor III

For some odd reason, the nvram -p command lists the 'security-mode' in the output, but on some other Macs it does not, even though a Firmware password is definitely set on the Macs where it doesn't appear in the output. I think that's what @lisacherie was getting at.
My Mac is a Mid 2011 MBP 13" and I can see it. On a Mid 2013 MBA I don't see it, as well as on some other models. So somewhere along the line that information got removed from the output of nvram -p. :/

Outside of that method though, I can't locate any other way to see that information.

lisacherie
Contributor II

From what I've seen so far the nvram -p method stops working from all models Late 2010 onwards.

mm2270
Legendary Contributor III

While I believe you, at least insofar as what you've seen, I can assure you the Mac that I'm writing this on right now is a Mid 2011 MacBook Pro 13" and I can clearly see the 'security-mode' line in the nvram -p output. It shows "command" which is what I expect it to be since I have an EFI firmware password on the Mac, set up with command mode.
But as I mentioned, I can't see the same line on other newer Macs, also with Firmware passwords set. So while it's unclear exactly when it stopped, it does appear it no longer shows up on most newer hardware. There is other data in the nvram -p output, but not security-mode.

bentoms
Release Candidate Programs Tester

@franton wasn't me!

brock_walters
Contributor

noahdowd
Contributor

There's also this command in High Sierra at least:

firmwarepasswd -mode

dyyuan
New Contributor

Hi, does anyone know how we can use the new command posted by noahdowd in an EA?
Thanks!

dan-snelson
Valued Contributor II

@dyyuan We're using the following for Firmware Password

#!/bin/sh
####################################################################################################
# Extension Attribute to read the status of the firmware password
####################################################################################################

osVersion=$( /usr/bin/sw_vers | /usr/bin/grep ProductVersion | /usr/bin/awk '{ print $2}' )

case $osVersion in

    10.8*|10.9*)
        result=$( /usr/sbin/nvram -p | /usr/bin/grep security-mode | /usr/bin/awk '{print $2}' )
        ;;

    10.10*|10.11*|10.12*|10.13*|10.14*|10.15*)
        result=$( /usr/sbin/firmwarepasswd -check | /usr/bin/awk '{ print $3 }' )
        ;;

    *)
        result="Unknown $osVersion"
        ;;

esac

echo "<result>${result}</result>"

exit 0
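The original question asked for the mode as well as whether a password is set. Combining noahdowd's firmwarepasswd -mode with the -check call used above gives both in one result. The script below is an added example, not code posted by anyone in this thread; it assumes the output formats "Password Enabled: Yes|No" for -check and "Mode: command|full|none" for -mode, and the sample output strings in it are constructed so the parsing can be checked without a Mac. Rather than matching OS version strings, it checks whether the tool exists and falls back to nvram -p where it does not.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. It assumes the output
# formats of `firmwarepasswd -check` ("Password Enabled: Yes|No") and
# `firmwarepasswd -mode` ("Mode: command|full|none").

# Constructed sample output, standing in for the live commands when testing offline.
SAMPLE_CHECK="Password Enabled: Yes"
SAMPLE_MODE="Mode: command"
SAMPLE_NVRAM="fmm-computer-name	example-mbp
security-mode	command
SystemAudioVolume	%80"

# Extract the value after "Password Enabled:" from `firmwarepasswd -check` output.
parse_enabled() {
    printf '%s\n' "$1" | awk -F': *' '/^Password Enabled/ { print $2 }'
}

# Extract the value after "Mode:" from `firmwarepasswd -mode` output.
parse_mode() {
    printf '%s\n' "$1" | awk -F': *' '/^Mode/ { print $2 }'
}

# Extract the security-mode value from `nvram -p` output; the line is simply
# absent when no password is set (and on newer hardware even when one is).
parse_nvram_mode() {
    printf '%s\n' "$1" | awk '$1 == "security-mode" { print $2 }'
}

# Combine the two pieces into the single string the EA reports, e.g. "Yes (command)".
compose_result() {
    enabled="$1"
    mode="$2"
    if [ -z "$enabled" ]; then
        echo "Unknown"
    elif [ "$enabled" = "Yes" ] && [ -n "$mode" ]; then
        echo "Yes ($mode)"
    else
        echo "$enabled"
    fi
}

# Gather the live values. Each branch degrades gracefully when a tool is missing,
# so the same script can be shipped without a per-OS-version case list.
collect_result() {
    if command -v /usr/sbin/firmwarepasswd >/dev/null 2>&1; then
        enabled=$(parse_enabled "$(/usr/sbin/firmwarepasswd -check 2>/dev/null)")
        mode=$(parse_mode "$(/usr/sbin/firmwarepasswd -mode 2>/dev/null)")
        compose_result "$enabled" "$mode"
    elif command -v /usr/sbin/nvram >/dev/null 2>&1; then
        mode=$(parse_nvram_mode "$(/usr/sbin/nvram -p 2>/dev/null)")
        if [ -n "$mode" ]; then
            compose_result "Yes" "$mode"
        else
            echo "none"
        fi
    else
        echo "Unknown"
    fi
}

# On a machine with neither tool this prints <result>Unknown</result>.
echo "<result>$(collect_result)</result>"
```

firmwarepasswd needs to run as root, which an extension attribute does; the parsing functions are separated from the command calls so the "Password Enabled: Yes" and "Mode: command" handling can be exercised on any machine with constructed input.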

gabester
Contributor III

@dan-snelson Nicely timed, I'm going to need something like this soon! Now does anyone want to post their workflows for setting and rotating their firmware passwords? :-)

dan-snelson
Valued Contributor II

MacJunior
Contributor III

Anybody have an extension attribute to check the status of the firmware password that would work on an Intel machine running Big Sur 11.1?