- Jamf Nation Community
- Products
- Jamf Pro
- Re: EFI Password Removal
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 10:31 AM
I need to remove the EFI firmware PW from a managed laptop('13 MBAir/10.9.4) so I can run in safe mode.
After handing out more than 300 client machines they are now failing to log into either the admin side(local account) or the student mobile account side. The trigger for the failure seems to be a reboot of the client machines. The reboot is either forced by the client/JSS or just because the students feel a need to reboot.
I want to run in safe mode so I can skip the Kernals as a potential fault for the failure of the clients. Some clients have lasted a week with no issues while others quit after only a few hours in circulation. I have tried to reimage the machines and they fail as well.
The real issue is...I can't get to the affected HD except through a net boot server. I attempted to change directories so as to work on the affected HD but when I run the scripts I found on the JAMF Nation such as this one that CasperSally used:
/bin/cp /Volumes/OS X Base System/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool
/Library/Application Support/JAMF/bin/setregproptool -d -o 'FWPW'
I get this response:
usage: cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file target_file
cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file ... target_director
So I really have two issues...
Disabling EFI Firmware
Clients not logging into either local or mobile accounts after a week in circulation
JSS 9.32
OS 10.9.4
MBA '13 Early 2014
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 11:24 AM
No, Recovery HD has the actual Firmware Password Utility on it that the script you posted is trying to copy some files from. If you need to touch each Mac to boot them into Safe Mode (that last item cannot be automated to my knowledge) then just hold down Command+R while booting them, get past the firmware prompt and allow them to boot from Recovery HD. Once they boot into it, go up to the Utilities menu and choose "Firmware Password Utility" to launch the app. You can disable the FW password from there and reboot right into Safe Boot mode.
Hope that helps.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 11:02 AM
The script snippet you posted above doesn't look complete to me. /Volumes/OS X Base System/ isn't going to exist until its mounted off the Recovery HD partition. Are you mounting that before the script runs, or mounting it as part of the script?
Which brings me to the point that, if you need to touch systems manually, you might as well boot them into Recovery HD and remove the Firmware Password there from the Firmware Password Utility. Or, do you need to somehow automate this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 11:19 AM
No automation needed at this point. I have one of the affected clients and am attempting to remove the EFI PW so I can run in safe mode.
Forgive my ignorance, but you are suggesting that I boot up from the Recovery HD, use terminal on that drive with the suggested script and this will allow me to turn off the EFI PW?
I now see that the script is pointing towards the recovery HD...
So, I will attempt to view that directory on the net boot server and apply the script. Will this work?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 11:24 AM
No, Recovery HD has the actual Firmware Password Utility on it that the script you posted is trying to copy some files from. If you need to touch each Mac to boot them into Safe Mode (that last item cannot be automated to my knowledge) then just hold down Command+R while booting them, get past the firmware prompt and allow them to boot from Recovery HD. Once they boot into it, go up to the Utilities menu and choose "Firmware Password Utility" to launch the app. You can disable the FW password from there and reboot right into Safe Boot mode.
Hope that helps.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 11:27 AM
I will give that a go....
More to come...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 11:46 AM
BINGO....
I was able to log into the local account using safe mode....
Removed what we suspect is a "duplicate" or "broken" application and rebooted the client machine. I was able to gain access again the the client machine...
Now to replicate this about 100 more times on the affected units and building a policy to remove the affected application on those units that have not crashed yet...
Thank you again for your help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-27-2014 10:48 PM
As long as the computers are on the network, you can remove the firmware password using Casper Remote. This might be easier than going to each machine!
