In all of Apple's great wisdom they got rid of UFI passwords. Anyone with admin access can get into the UFI now. Of course you get the typical amount of Apple documentation on it also, by that I mean nothing. The best I can recommend is what I was told a few days ago. "Contact your Apple SE, file Feedback, and submit an enterprise support case if you can do that."
Knowing Apple, this is how it's going to be, but at least you have a "you tried" sticker. We use(d) UFI passwords for the exact same reason. Apple really needs to do better at this stuff.
Annoying. I've spent the morning digesting what the impact of this is and changes to working practices with remote working. I've built this as a POC and it seems to work, just need to fully understand the implications.
Revoking admin rights, switching current users to standard user accounts upon logon and using the Privileges app to elevate. Logoff script resets account status to Standard user.
Removing EFI password on existing devices
Scripting a temp admin logon with a random password that changes daily for any rebuild self-service req, feeding part of said password into JSS schema for Service Desk support.
Is there any option to set an EFI password for M1 MacBooks? Jamf Healthcheck Supporter said this would work, but I can't get it. You need an admin-account password, but that means everyone with an admin account can reset the device. With Intel you can set a separate EFI password.