Firmware/EFI passwords on M1-based Macs?

pchrichard
Contributor

We deploy an EFI password on all our Macs to prevent end users rebuilding their own devices, turning off SIP, etc.

The policy fails on new M1 devices and there doesn't appear to be any documented way of securing the recovery boot menu?

5 REPLIES 5

lawinski
New Contributor III

M1 Macs do not support Firmware passwords anymore.
The protection they rely on is a valid user authentication.

AJPinto
Honored Contributor III

In all of Apples great wisdom they got rid of UFI passwords. Anyone with admin access can get in to the UFI now. Of course you get the typical amount of Apple documentation on it also, by that I mean nothing. The best I can recommend is what I was told a few days ago. "Contact your Apple SE, file Feedback, and submit an enterprise support case if you can do that."

Knowing apple this is how it's going to be, but at least you have a you tried sticker. We use(d) UFI passwords for the exact same reason. Apple really needs to do better at this stuff.

pchrichard
Contributor

Annoying. I've spent the morning digesting what the impact of this is and changes to working practices with remote working. I've built this as a POC and it seems to work, just need to fully understand the implications.

  • Revoking admin rights, switch current users to standard user accounts upon logon and using the Privileges app to elevate. Log off-script resets account status to Standard user.

  • Removing EFI password on existing devices

  • Scripting a temp admin logon with a random password that changes daily for any rebuild self-service req, feeding part of said passwork into JSS schema for Service Desk support.

estes
New Contributor III

Looks like Big Sur 11.15 supports firmware password.

 

Set Recovery Lock Command | Apple Developer Documentation

Felix_Chrono24
New Contributor III

Felix_Chrono24_0-1637842997312.png

Is there any option you can set an EFI Password for M1 Macbooks? Jamf Healtcheck Supporter said this would work, but I can't get it. You need an admin-account password, but that means everyone with an admin-account can reset the device. With Intel you can set a seperat EFI-password.

Best Regards

Felix