EFI password randomly required.

Eskobar
Contributor

Hi all, 

We have enabled EFI passwords for our Mac users. Randomly some machines are locked and require the EFI password.

Issue happens often after a reboot.

Anyone faced the issue? Any tricks here?

Regards,

Mohamed


8 REPLIES

jkryklywec
New Contributor III

Yes, this is happening to me on a couple per week the last few weeks, a mix of T2 and non-T2 systems on 11.6.1, but it has also sporadically happened in the past as well, just more frequently now. Can't narrow it down either.

mm2270
Legendary Contributor III

Has happened to us as well. We had a spate of machines located halfway around the world where this happened, which was a pain to say the least. Fortunately it seems to have calmed down lately.

Some reasons why a Mac may boot to Recovery and get locked at the firmware password screen are: if a user forgets their password and follows the instructions that appear at the login screen to force shut down and reboot the Mac to Recovery (wish there was some way to prevent that message, but this one boiled down to user training to not do that). I've also seen it happen when installing an OS update, possibly one that went a little sideways in application. Lastly, I had a case of someone who kept using the laptop until the battery drained down to 0 (I mean, the OS warns you it's going to power off if you don't plug it in soon, so how they managed that one I don't know).

As for fixing this, unfortunately outside of user training as I mentioned, there isn't any real way to prevent this. However, we're in the process now of moving away from using a single EFI password across all devices and treating it more like the Personal Recovery Key for FileVault, where each Mac gets its own password and can be escrowed into Jamf (in an Extension Attribute). I had to craft a whole process using scripts around this, including encrypting the password as stored inside Jamf so it's not just in plain text, for a little extra security.

Our new process is working well in testing. We've still to roll it out, but it will be a big help going forward. It means in emergency scenarios, like the ones where devices in another country with no IT personnel nearby to help locked themselves, we can send them the password to their Mac, knowing that it only applies to theirs and no-one else's. It does compromise some security though, since part of the reason for an EFI password is to prevent a user from alt booting their Mac or doing something like disabling SIP. But we have things in place to catch any instances of this too and report on them, plus, I'm not too concerned any of our users will do those things to begin with.
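The per-device escrow process described in the post above, as an added example that is not mm2270's script and not Jamf's code: a random firmware password is generated on the Mac, applied with `firmwarepasswd`, and left on disk only as AES-256-CBC ciphertext for an Extension Attribute to collect, so Jamf holds the ciphertext and the admins hold the key. It also includes the "catch and report" side: a check that reads `firmwarepasswd -check` and `csrutil status` text and flags a missing firmware password or disabled SIP. Assumptions: an Intel or T2 Mac (Apple silicon has no `firmwarepasswd`), the `expect` prompt strings, the `ESCROW_FILE` path, the `rotate`/`ea`/`audit` command-line interface, and that the 64-hex-character key is supplied by the MDM as a script argument and never written to the Mac are all choices made for this example.

```shell
#!/bin/bash
# Added example (hypothetical; not mm2270's script or Jamf's code): a per-Mac
# firmware password that is generated on the device, set with firmwarepasswd,
# and kept on disk only as ciphertext for a Jamf Extension Attribute to collect.
# Assumptions: Intel or T2 Mac (Apple silicon has no firmwarepasswd); the
# 64-hex-char AES key is passed in by the MDM as a script argument and is never
# written to the Mac; ESCROW_FILE is a path chosen for this example.
set -eu

ESCROW_FILE="${ESCROW_FILE:-/Library/Management/efi_escrow.enc}"
FIRMWAREPASSWD="${FIRMWAREPASSWD:-/usr/sbin/firmwarepasswd}"

# Random password from an alphabet without look-alike characters (0/O, 1/l/I),
# since the value may be read over the phone to a remote user.
generate_password() {
  local length="${1:-20}"
  LC_ALL=C tr -dc 'A-HJ-NP-Za-km-z2-9' </dev/urandom | head -c "$length"
}

# AES-256-CBC with a fresh random IV; output is "ivhex:base64". CBC without a
# MAC gives confidentiality only, which is enough for a value only admins read.
encrypt_secret() {
  local plaintext="$1" key_hex="$2" iv_hex ct
  [ "${#key_hex}" -eq 64 ] || { echo "key must be 64 hex chars" >&2; return 1; }
  iv_hex=$(openssl rand -hex 16)
  ct=$(printf '%s' "$plaintext" | openssl enc -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -a -A)
  printf '%s:%s' "$iv_hex" "$ct"
}

# Inverse of encrypt_secret; run by an admin off the Mac, with the key.
decrypt_secret() {
  local blob="$1" key_hex="$2"
  local iv_hex="${blob%%:*}" ct="${blob#*:}"
  printf '%s' "$ct" | openssl enc -d -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -a -A
}

# firmwarepasswd reads passwords only interactively, so drive it with expect.
# The prompt strings below are an assumption of this example; $2 is the current
# password (empty when none is set yet).
set_firmware_password() {
  local new_pw="$1" current_pw="${2:-}"
  /usr/bin/expect <<EOF
set timeout 30
spawn $FIRMWAREPASSWD -setpasswd
expect {
  "Enter password:"        { send "$current_pw\r"; exp_continue }
  "Enter new password:"    { send "$new_pw\r"; exp_continue }
  "Re-enter new password:" { send "$new_pw\r"; exp_continue }
  eof
}
EOF
}

# Rotate: new random password, apply it, store only the ciphertext (root-only).
rotate_and_escrow() {
  local key_hex="$1" current_pw="${2:-}" new_pw blob
  new_pw=$(generate_password 20)
  set_firmware_password "$new_pw" "$current_pw"
  blob=$(encrypt_secret "$new_pw" "$key_hex")
  /usr/bin/install -d -m 755 "$(dirname "$ESCROW_FILE")"
  ( umask 077 && printf '%s\n' "$blob" > "$ESCROW_FILE" )
}

# Jamf EA body: inventory collects the ciphertext, so Jamf never holds the
# plaintext password and the key stays with the admins.
ea_output() {
  if [ -r "$ESCROW_FILE" ]; then
    printf '<result>%s</result>\n' "$(cat "$ESCROW_FILE")"
  else
    printf '<result>Not escrowed</result>\n'
  fi
}

# Detection for the "catch and report" part: takes the text of
# `firmwarepasswd -check` and `csrutil status` and reports what drifted, as a
# semicolon-separated list, or "ok". Real callers pass the live tool output:
#   audit_state "$($FIRMWAREPASSWD -check)" "$(/usr/bin/csrutil status)"
audit_state() {
  local fw_out="$1" sip_out="$2" issues=""
  case "$fw_out" in *"Password Enabled: Yes"*) ;; *) issues="${issues}firmware-password-missing;" ;; esac
  case "$sip_out" in *"status: enabled"*) ;; *) issues="${issues}sip-disabled;" ;; esac
  printf '%s' "${issues:-ok}"
}

case "${1:-}" in
  rotate) rotate_and_escrow "$2" "${3:-}" ;;   # rotate <hexkey> [current-password]
  ea)     ea_output ;;
  audit)  audit_state "$($FIRMWAREPASSWD -check)" "$(/usr/bin/csrutil status)"; echo ;;
esac
```

The ciphertext in the EA is useless without the key, so an admin who needs to unlock one remote Mac decrypts only that device's value with `decrypt_secret`, and the password they hand out applies to nothing else; the `audit` output can be collected by a second EA to smart-group any Mac where the firmware password or SIP has been turned off.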

jkryklywec
New Contributor III

Interested in your scripts and EA for this, if you don't mind sharing? Thanks.

Eskobar
Contributor

@mm2270 Thanks so much for your input. The aim of EFI is to block access to target mode/Recovery partition....

Does your script ensure the same functionality? Can we bypass the EFI lock by removing RAM from a MacBook Pro T2/Silicon?

mm2270
Legendary Contributor III

@Eskobar Removing RAM from a Mac to reset the EFI password hasn't been a thing now for quite a few years. That's not going to help you, even if it were possible to remove the RAM, which on most Macs now isn't even possible. 

As for my process, well, obviously giving out the password for EFI, even if it's only for that one Mac, doesn't prevent booting to Recovery or TDM, or any other alternate boot method. So there's really no way to prevent that possibility other than to never give out that password to anyone.

For us, getting a remote user back up and running quickly on their Mac if something out of their control caused it to get locked, rather than having to work through some arcane process of replacing their laptop, was more important than never giving that password out. What worried us initially was giving out the master password that applied to ALL Macs. By setting a unique password per device, we avoid that last scenario.

But no, the short answer is, my scripts aren't going to prevent booting to target mode or Recovery once the password is given to someone, other than the fact that an applied firmware password does this by default. It will certainly block someone unauthorized to use that device who does NOT have that password from booting to those modes.

Eskobar
Contributor

Thanks so much @mm2270 for all the details. This was really helpful. Greetings

MacJunior
Contributor III

@mm2270 would it be possible to share your solution on how to rotate the EFI password and upload it to Jamf using EA?

mm2270
Legendary Contributor III

Hi @MacJunior Yes, but we're still working on refining and rolling out the process where I am. In fact, I'm reworking one portion of the script right now to make it a little more secure in how it stores the firmware password for retrieval.

I've only applied this to a small number of our Macs so far. About 10 or so right now, just as a test bed. Once I've got it a bit further along I can share what I'm doing.