Posted on 11-12-2013 07:48 AM
Was previously using nvram -p to check the security-mode. Since this doesn't work with the late 2010 hardware onwards, here is a short extension attribute that will tell you whether the password is set, though unfortunately not the mode.
If anyone knows how to determine the mode, please share! It's not an option in the setregproptool.
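#!/bin/sh
# Capture the exit status of "setregproptool -c"; the path contains a space, so it must be quoted
EFIP=`"/Library/Application Support/JAMF/bin/setregproptool" -c; echo $?`
echo "EFI is $EFIP"
echo "<result>$EFIP</result>"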
Posted on 11-13-2013 03:33 AM
I can't remember if this is built into the JSS as a template or I got it from someone else @rtrouton @bentoms (?) but this is what I use:
#!/bin/sh
result=`nvram -p | grep security-mode | awk '{print $2}'`
if [ "$result" != "" ]; then
    echo "<result>$result</result>"
else
    echo "<result>none</result>"
fi
Posted on 11-13-2013 06:57 AM
For some odd reason, the nvram -p command lists the 'security-mode' in the output, but on some other Macs it does not, even though a Firmware password is definitely set on the Macs where it doesn't appear in the output. I think that's what @lisacherie was getting at.
My Mac is a Mid 2011 MBP 13" and I can see it. On a Mid 2013 MBA I don't see it, as well as on some other models. So somewhere along the line that information got removed from the output of nvram -p. :/
Outside of that method though, I can't locate any other way to see that information.
Posted on 11-13-2013 07:56 AM
From what I've seen so far the nvram -p method stops working from all models Late 2010 onwards.
Posted on 11-13-2013 08:57 AM
While I believe you, at least insofar as what you've seen, I can assure you the Mac that I'm writing this on right now is a Mid 2011 MacBook Pro 13" and I can clearly see the 'security-mode' line in the nvram -p output. It shows "command" which is what I expect it to be since I have an EFI firmware password on the Mac, set up with command mode.
But as I mentioned, I can't see the same line on other newer Macs, also with Firmware passwords set. So while it's unclear exactly when it stopped, it does appear it no longer shows up on most newer hardware. There is other data in the nvram -p output, but not security-mode.
Posted on 11-13-2013 12:18 PM
@franton wasn't me!
Posted on 04-30-2018 08:51 AM
There's also this command in High Sierra at least:
firmwarepasswd -mode
Posted on 08-21-2020 10:17 AM
Hi, does anyone know how we can use the new command posted by noahowd in an EA?
Thanks!
Posted on 08-21-2020 10:37 AM
@dyyuan We're using the following for Firmware Password
#!/bin/sh
####################################################################################################
# Extension Attribute to read the status of the firmware password
####################################################################################################
osVersion=$( /usr/bin/sw_vers | /usr/bin/grep ProductVersion | /usr/bin/awk '{ print $2}' )
case $osVersion in
    10.8*|10.9*)
        result=$( /usr/sbin/nvram -p | /usr/bin/grep security-mode | /usr/bin/awk '{print $2}' )
        ;;
    10.10*|10.11*|10.12*|10.13*|10.14*|10.15*)
        result=$( /usr/sbin/firmwarepasswd -check | /usr/bin/awk '{ print $3 }' )
        ;;
    *)
        result="Unknown $osVersion"
        ;;
esac
echo "<result>${result}</result>"
exit 0
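An added example, not part of the post above or of any poster's code: an extension attribute that reports both the password state (`firmwarepasswd -check`) and the mode (`firmwarepasswd -mode`), and tests for the tool itself instead of matching OS version strings. It assumes the output lines have the form `Password Enabled: Yes` and `Mode: command`; the function names and result strings are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed firmwarepasswd output formats:
#   -check -> "Password Enabled: Yes" or "Password Enabled: No"
#   -mode  -> "Mode: <value>"
FWPW="${FWPW:-/usr/sbin/firmwarepasswd}"

# Read "firmwarepasswd -check" output on stdin and print Yes or No.
parse_enabled() {
    awk -F': *' '/^Password Enabled:/ { print $2; exit }'
}

# Read "firmwarepasswd -mode" output on stdin and print the mode value.
parse_mode() {
    awk -F': *' '/^Mode:/ { print $2; exit }'
}

# Combine both outputs ($1 = -check text, $2 = -mode text) into one EA value.
ea_result() {
    enabled=$(printf '%s\n' "$1" | parse_enabled)
    mode=$(printf '%s\n' "$2" | parse_mode)
    case "$enabled" in
        Yes)
            if [ -n "$mode" ]; then
                echo "Set (mode: $mode)"
            else
                echo "Set (mode unknown)"
            fi
            ;;
        No) echo "Not set" ;;
        *)  echo "Unknown" ;;   # unexpected or empty output: do not guess
    esac
}

# Run the tool if it is present and print the Jamf <result> line.
firmware_ea() {
    if [ ! -x "$FWPW" ]; then
        echo "<result>firmwarepasswd unavailable</result>"
        return 0
    fi
    check_out=$("$FWPW" -check 2>/dev/null)
    mode_out=$("$FWPW" -mode 2>/dev/null)
    echo "<result>$(ea_result "$check_out" "$mode_out")</result>"
}

firmware_ea
```

Reporting "Unknown" for unparsed output keeps a smart group from treating a parsing failure as "no password set".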
Posted on 08-26-2020 11:11 AM
@dan-snelson Nicely timed, I'm going to need something like this soon! Now does anyone want to post their workflows for setting and rotating their firmware passwords? :-)
Posted on 08-26-2020 12:12 PM
@Sterritt Take a look at: Firmware Password Manager
Posted on 01-26-2021 11:15 AM
Does anybody have an extension attribute to check the status of the firmware password that would work on an Intel machine running Big Sur 11.1?