Extension Attribute to find the status of EFI Security mode

jrserapio
Contributor

It seems that I can no longer get the security-mode from the following methods on Yosemite:

echo "<result>$(nvram -p | grep security-mode)</result>"
or
echo "<result>$(system_profiler | grep security-mode)</result>"
or
echo "<result>$("/Library/Application Support/JAMF/bin/setregproptool" -c)</result>"

I use the setregproptool placed in the JAMF/bin folder to set the EFI password using a policy at first login. The machine asks for the EFI password when option booting, but I just need the output for reporting/compliance.

Is anyone else seeing this issue?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

You need to check the exit status of the command:

"/Library/Application Support/JAMF/bin/setregproptool" -c

It does not, and as far as I know has never, sent output directly to the shell when running that. The exit status ($?) will be either 0 (ON) or 1 (OFF).

#!/bin/sh

# The path contains a space, so it must be quoted.
"/Library/Application Support/JAMF/bin/setregproptool" -c
EFIStatus=$?

# 0 means the firmware password is set; anything else is reported as Off.
if [ "$EFIStatus" -eq 0 ]; then
     result="On"
else
     result="Off"
fi

echo "<result>$result</result>"

5 REPLIES

pblake
Contributor II

I use this:
It's based off having the setregproptool in the jamf bin folder.

#!/bin/sh

# The path contains a space, so it must be quoted.
"/Library/Application Support/JAMF/bin/setregproptool" -c
result="$?"

if [ "$result" -eq 0 ]; then
     echo "<result>Set</result>"
else
     echo "<result>Not Set</result>"
fi

spalmer
Contributor III

According to https://jamfnation.jamfsoftware.com/discussion.html?id=13765#responseChild82487 there is a new tool built into Yosemite to do this.

jrserapio
Contributor

@mm2270 Thanks Mike. Was trying to test in the shell and was not getting the desired outcome. That worked for me.
@pblake Thanks for the input as well.
@spalmer Thanks for the link.

PeterClarke
Contributor II

Yes, there is a new tool in Yosemite (OS X 10.10.x) to SET, UNSET and TEST if set.

I have used it quite successfully.
Obviously this Yosemite tool does not work with OS X 10.9.x and earlier.

The tool is called: firmwarepasswd
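
One way to combine the two approaches from this thread in a single extension attribute, as an added example that is not code from any poster or from Jamf. It assumes firmwarepasswd lives at /usr/sbin/firmwarepasswd and that "firmwarepasswd -check" prints a "Password Enabled: Yes" or "Password Enabled: No" line; the function names are hypothetical, and it reports Unknown rather than Off when neither tool can be run, so a missing binary does not show up as a compliance result.

```shell
#!/bin/sh
# Added example: extension attribute reporting firmware (EFI) password state.
# Assumptions: tool locations below; "-check" output format as described in
# the lead-in; the script runs as root, as extension attributes do.

SETREGPROPTOOL="/Library/Application Support/JAMF/bin/setregproptool"
FIRMWAREPASSWD="/usr/sbin/firmwarepasswd"

# Map the text printed by "firmwarepasswd -check" to On / Off / Unknown.
status_from_firmwarepasswd() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "On" ;;
        *"Password Enabled: No"*)  echo "Off" ;;
        *)                         echo "Unknown" ;;
    esac
}

# Map the exit status of "setregproptool -c" (0 = set, 1 = not set).
status_from_setregproptool() {
    case "$1" in
        0) echo "On" ;;
        1) echo "Off" ;;
        *) echo "Unknown" ;;   # any other status is not a valid answer
    esac
}

# Prefer the built-in tool (10.10 and later), fall back to setregproptool.
efi_password_status() {
    if [ -x "$FIRMWAREPASSWD" ]; then
        status_from_firmwarepasswd "$("$FIRMWAREPASSWD" -check 2>/dev/null)"
    elif [ -x "$SETREGPROPTOOL" ]; then
        # Capture the status inside an if so it also works under "set -e".
        if "$SETREGPROPTOOL" -c >/dev/null 2>&1; then rc=0; else rc=$?; fi
        status_from_setregproptool "$rc"
    else
        echo "Unknown"         # neither tool present: do not report Off
    fi
}

echo "<result>$(efi_password_status)</result>"
```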