Extension Attribute for EFI/Firmware Password always listing 'None'.

tuinte
Contributor III

Hey all:

I've tried both Extension Attributes https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=598 and https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=322, but they always list as None. I've confirmed the appropriate setregproptool is in /Library/Application Support/JAMF/bin and the client actually does have a firmware password, but the EA still reports None after running recon multiple times.

Anyone else run into this? Anyone using something else to pull firmware password status?

Thanks for any help,

Michael

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Has the Mac you're running the recon against rebooted since the Firmware password was set? One of the things about setting the FW password is that if it's done via the setregproptool command, it will always report "1" (as in not set) until the Mac is rebooted.

Different story if you booted into something like Recovery HD and set it there though.


19 REPLIES


tuinte
Contributor III

mm2270:

OK, that makes some sense. I've set them all via setregproptool and a policy. I just rebooted one and re-reconned and it reports Set as I would expect. The issue for me was, the policy was scoped to "Firmware = Not Set" and set to Ongoing so clients kept doing it until it was done. But I can set that to Once Per Computer and check in in a few weeks.

Thanks, it's very much appreciated.

Michael

mm2270
Legendary Contributor III

Yep, we've had similar challenges with that here. We also have a policy that tries to "fix" anything without a firmware password, but the Smart Group detecting the set value can be inaccurate, especially since most of our Mac users rarely reboot. We set the fw password at imaging time which helps reduce the negatives a bit.

tuinte
Contributor III

Yeah, will be doing it at imaging time for new computers. The company just instated the firmware password requirement. Thanks again.

rcorbin
Contributor II

Does anyone have this working correctly? This thread looks a bit old. I tried the attributes that are posted, but didn't have any luck.

This is the script of the last one I tried.

#!/bin/sh

# setregproptool -c exits 0 when a firmware password is set; the path contains a space, so it must be quoted
"/Library/Application Support/JAMF/bin/setregproptool" -c
result="$?"

if [[ "$result" == "0" ]]; then echo "<result>Set</result>"
else echo "<result>Not Set</result>"
fi

mm2270
Legendary Contributor III

@rcorbin Is this for Yosemite and/or El Capitan you're testing on? If so, there's a new binary starting with 10.10 you can use called "firmwarepasswd" - full path is /usr/sbin/firmwarepasswd

For example, to check if a password is set, run

sudo /usr/sbin/firmwarepasswd -check

It will print something like Password Enabled: Yes so you can script to check the output from the command now instead of checking for the exit status.

#!/bin/sh

FWPassCheck=$(/usr/sbin/firmwarepasswd -check)

if [[ "$FWPassCheck" =~ "Yes" ]]; then
    echo "<result>Set</result>"
elif [[ "$FWPassCheck" =~ "No" ]]; then
    echo "<result>Not Set</result>"
fi

kempt
New Contributor

@mm2270 So how do I go about getting this script into our Extension Attributes? I want to create a Smart Group based on the results of this script.

bizzaredm
Contributor

@kempt you can use the script @mm2270 posted as your extension attribute.

If you look he has result as either "Set" or "Not set" so Your smart group can scope against these.

I would most likely create a smart group called "Firmware password = Set" and the criteria would be my extension attribute "is" "Set", then if I were to do a policy to set the firmware password, I would scope it to "all managed clients", excluding my smart group called "Firmware password = Set".

nberanger
Contributor

I've tried using this script as an EA. It doesn't report anything for me though. If I just run it as a script through Terminal it works as expected. As an EA in JSS it doesn't show anything. The field that should be reporting "Set" or "Not Set" is left blank.

Anyone have any suggestions?

millersc
Valued Contributor

@nberanger Just to verify, are you doing a recon on the device you're looking to get reported on?

If so, try this. It's mine, slightly different, but working for me.

#!/bin/sh
result=`/usr/sbin/firmwarepasswd -check; echo $?`

if [[ "$result" == "Password Enabled: Yes" ]]; then
echo "<result>Set</result>"
else
echo "<result>Not Set</result>"
fi

mm2270
Legendary Contributor III

@nberanger Has inventory collection (recon) been run on Macs since you added the Extension Attribute? Those fields only get populated when the Mac(s) submit inventory. It will otherwise be blank until then.

nberanger
Contributor

Thanks @millersc . I tried your script, ran a recon on a test machine which has an EFI password set. When I then did a computer inventory search it returned the value "Not Set".

So your script worked a little better in that it gave me something, but just not the correct info.

Any other thoughts?

Thanks again.

millersc
Valued Contributor

@nberanger Run this and report back. I think you're getting some variable which is different.

sudo /usr/sbin/firmwarepasswd -check

nberanger
Contributor

@mm2270 Yes, I've been sure to run Recon on the test computer each time I've updated the script for the EA.

nberanger
Contributor

I ran that command and I am getting

Password Enabled: Yes

Which matches what you have in your script.

millersc
Valued Contributor

Ok, you just forced me to check my own EA and fix it. Try this one:

#!/bin/sh
result=`/usr/sbin/firmwarepasswd -check;`

if [[ "$result" == "Password Enabled: Yes" ]]; then
echo "<result>Set</result>"
else
echo "<result>Not Set</result>"
fi

nberanger
Contributor

Haha, that did it. Thank you very much @millersc The inventory report appears to be working correctly now. Really appreciate your help getting this one sorted out.

mm2270
Legendary Contributor III

FWIW, the one I posted was and still is working for me. I'm not sure why it wasn't for you.

Looking back on this, it could really be simplified quite a bit, assuming you are assured your target machines are going to have the firmwarepasswd binary on them.

#!/bin/sh

echo "<result>$(/usr/sbin/firmwarepasswd -check | awk '{print $NF}')</result>"

The above should give you a simple "Yes" or "No" as possible results. I don't think the -check syntax can show any other type of result.
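Pulling the thread's two approaches together, the following is an added example of my own (not any poster's script and not Jamf's EA template) that reports the firmware password status on both generations of macOS discussed here. It keeps the output parsing in a separate function so it can be checked against sample text, matches `firmwarepasswd -check` output with a glob rather than an exact string compare (which is why the earlier variant that appended `echo $?` to the command output compared unequal), falls back to the setregproptool path named earlier in the thread, and always emits a value so a blank EA field is never mistaken for "Not Set". The function names and the "Unknown" value are my assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): one Extension Attribute script that
# covers both generations of the check discussed above. It always emits a value,
# so a blank EA field can be told apart from "Not Set".

# parse_fw_status: map the text printed by `firmwarepasswd -check` to an EA value.
# Glob matching (rather than an exact string compare) tolerates stray trailing
# output such as an exit code echoed onto a following line.
parse_fw_status() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "Set" ;;
        *"Password Enabled: No"*)  echo "Not Set" ;;
        *)                         echo "Unknown" ;;
    esac
}

# Pre-10.10 path: the tool's exit status is the only signal (0 = a password is set).
# As noted in the accepted answer, a password set with setregproptool itself is not
# reported until the Mac reboots, so "Not Set" may be stale on such Macs.
SETREGPROPTOOL="/Library/Application Support/JAMF/bin/setregproptool"   # path from the thread
setregproptool_status() {
    if "$SETREGPROPTOOL" -c >/dev/null 2>&1; then
        echo "Set"
    else
        echo "Not Set"
    fi
}

# fw_status: pick whichever tool this Mac has; EAs run as root under the jamf binary.
fw_status() {
    if [ -x /usr/sbin/firmwarepasswd ]; then
        parse_fw_status "$(/usr/sbin/firmwarepasswd -check 2>/dev/null)"
    elif [ -x "$SETREGPROPTOOL" ]; then
        setregproptool_status
    else
        echo "Unknown"
    fi
}

echo "<result>$(fw_status)</result>"
```

A smart group scoped on the EA "is" "Set" then excludes only Macs that positively reported a password; Macs that reported "Unknown" (no tool found, or unexpected output) show up as a distinct value you can search for instead of silently landing in the "Not Set" remediation scope.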

nberanger
Contributor

Odd indeed, the second one did work for me. The one you just posted also worked nicely.

After getting this running, I also noticed that JAMF already had an EA template set up for returning exactly this information :P