Enabling EFI/Boot password

Mkh
New Contributor III

Hey everyone,

I'm pretty new to JAMF here. How can I enable an EFI password on my fleet?


DBrowning
Valued Contributor

New Policy>> EFI Password Payload.

Mkh
New Contributor III

Great... how can I get the list of machines that have a firmware password set?

DBrowning
Valued Contributor

Make an extension attribute with this:

#!/bin/sh

#Get Status
firmwareStatus=$(firmwarepasswd -check)

#Pull out final word
status=$(echo "$firmwareStatus" | awk '/Enabled:/ {print $NF}')

echo "<result>$status</result>"

larry_barrett
Valued Contributor

Possible outputs are Yes and No ^

Mkh
New Contributor III

Thanks a million

MacJunior
Contributor

Any updated version of the check script that would work with Big Sur on Intel machines?

DBrowning
Valued Contributor

@MacJunior The EA I posted above still works in Big Sur on Intel Macs.

MacJunior
Contributor

True, when I execute the script on a machine that has a firmware password it shows me the status "Yes", but when I add it to an extension attribute and create a smart group to show me the Macs with an EFI password, nothing shows up.
Seems I'm doing something wrong here.

DBrowning
Valued Contributor

@MacJunior safe to assume you are waiting for the next recon/inventory to come in? If you run recon/inventory on a machine, is it showing up in your Computer Record?

alessio_tedesco
New Contributor III

Hi @DBrowning, I tried setting up an extension attribute as you provided up here but it seems like it is not working, attaching the screenshot. Same result in Catalina and Big Sur. Nothing will populate even after jamf recon.

EDIT: After waiting a while and after a Recon it actually populated correctly.

MacJunior
Contributor

I executed "jamf recon" from terminal and waited a bit, rebooted, and still the smart group shows me nothing!


MacJunior
Contributor

Anybody managed to fix it? Still can't see Macs that have FV enabled!

mschroder
Valued Contributor

Try
echo "<result>$status</result>"

MacJunior
Contributor

Still nothing, does it work for you @mschroder? If yes, could you share the extension attribute page and the smart group?

mschroder
Valued Contributor

Well, you have a 'sudo' in a place where it makes no sense. DBrowning has the complete and correct script in his post. Please note that if you run this outside of Jamf you need to run it with sudo privileges. When run from the MDM it already has sudo privileges.

Once you fixed the EA check you get the proper result in the inventory for the device on which you tested. When that is OK check the smart group, you might have problems there as well.

MacJunior
Contributor

You are correct @mschroder, I missed your point that when you run a script via MDM it doesn't need sudo privileges cuz it already has them.

Thanks
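
Added example, not part of the original thread and not Jamf's own code: a variant of the extension attribute discussed above that always writes a definite value, so an empty inventory field can be told apart from a script that ran but could not read the status. It assumes `firmwarepasswd -check` prints a line such as "Password Enabled: Yes"; the function names and the "Unknown" value are choices made for this example.

```shell
#!/bin/sh
# Added example: Jamf extension attribute that always reports a definite value.
# Assumption: `firmwarepasswd -check` prints a line like "Password Enabled: Yes".

# Reduce the tool's output to Yes, No or Unknown.
parse_firmware_status() {
    # $1 = raw text printed by `firmwarepasswd -check`
    status=$(printf '%s\n' "$1" | awk '/Enabled:/ {print $NF; exit}')
    case "$status" in
        Yes|No) printf '%s\n' "$status" ;;
        *)      printf 'Unknown\n' ;;   # empty, error text or unexpected wording
    esac
}

# Run the check and wrap the answer in the <result> tags Jamf reads.
firmware_ea_result() {
    raw=""
    if command -v firmwarepasswd >/dev/null 2>&1; then
        # No sudo here: as noted in the thread, Jamf already runs the script
        # with the privileges it needs.
        raw=$(firmwarepasswd -check 2>&1) || raw=""
    fi
    printf '<result>%s</result>\n' "$(parse_firmware_status "$raw")"
}

firmware_ea_result
```

A smart group can then match on the value Yes, while machines reporting Unknown point to a problem in the script or the tool rather than a missing inventory update.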