Question

Firmware Password 10.10 Image

  • March 18, 2015
  • 16 replies
  • 60 views


In our imaging endeavors set up by my predecessor, we turned the firmware password on on student computers by installing a package that placed "setregproptool" in the JAMF/bin folder, and then running:

"/Library/Application Support/JAMF/bin/setregproptool" -m command -p *FirmwarePassword*

Well, with 10.10 that hasn't been working for us. It sets the password mode to "full". I figured I would try to use the built-in /usr/sbin/firmwarepasswd command, but that does the same thing and I'm not sure how to define the mode and the password using the same command as I am very new when it comes to scripting. I'm sure it's probably something simple that I'm glossing over, but if anyone has any suggestion I'd be very grateful. Thanks!

16 replies

  • Contributor
  • March 18, 2015

There is a new command line tool called firmwarepasswd. Run sudo firmwarepasswd -h on a Yosemite client to see details.

More commands are documented at: https://www.justinrummel.com/new-binaries-in-yosemite/


  • Author
  • New Contributor
  • March 18, 2015

justinrummel, I know, I've been using that but I can't build a working script that can set both the password and the mode.

Edit: Also wanted to say that your website was actually very helpful in my finding out where the problem was coming from when I started running into issues. So thank you!


  • Contributor
  • March 18, 2015

I use a payload-free package to call a policy with a custom trigger at the end of the imaging process. The policy just uses the built-in functionality in Casper(9.63) for EFI.....works well for me in 10.8, 10.9, 10.10.

10.8 and 10.9 require the setregproptool, 10.10 just works: https://jamfnation.jamfsoftware.com/article.html?id=58


  • Valued Contributor
  • March 31, 2015
I use a payload-free package to call a policy with a custom trigger at the end of the imaging process. The policy just uses the built-in functionality in Casper(9.63) for EFI.....works well for me in 10.8, 10.9, 10.10.

Could you show the extract of a policy log on a 10.10.x computer where the EFI firmware password is being set?
I'm specifically interested in knowing which EFI firmware utility is being invoked by /usr/sbin/jamf on 10.10.x, i.e. setregproptool, nvram, or firmwarepasswd.


  • Contributor
  • March 31, 2015

@mthakur

Sure, the verbose policy log doesn't show much though unfortunately:

10.10.2Mac:~ user$ sudo jamf policy -event customeEFItrigger -verbose
Password:
 verbose: Checking for an existing instance of this application...
Checking for policies triggered by "customeEFItrigger"...
 verbose: Checking for active connection on interface "Display Ethernet"...
 verbose: Found active connection on "Display Ethernet"...
 verbose: Checking for active connection on interface "Thunderbolt Ethernet"...
 verbose: No active connection on "Thunderbolt Ethernet"...
 verbose: The Management Framework Settings are up to date.
 verbose: Found 1 matching policies.
 verbose: Removing any cached policies for this trigger.
 verbose: Parsing servers...
 verbose: Parsing Policy EFI Password (4)...
 verbose: Parsing Policy EFI Password (4)...
Executing Policy EFI Password...
Setting EFI password...
Set EFI Password sent.  Reboot required to finalize change.
Submitting log to https://jssurl/

  • Valued Contributor
  • March 31, 2015

Thanks. I agree it's unclear.
The /usr/sbin/jamf executable has no reference to firmwarepasswd:

$ strings /usr/sbin/jamf | grep -i firmwarepasswd
$ 
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.10.2
BuildVersion:   14C1510
$ jamf -version
version=9.63
$

So ... just how is the firmware password being set by the JSS on Yosemite? Anyone know?


  • Valued Contributor
  • April 12, 2015

@mthakur Not sure if this was introduced in 9.7 of the Casper Suite; here is the output from Mavericks and Yosemite clients. Not sure if it is of any help.

Mavericks

$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.9.5
BuildVersion:   13F1077
$ jamf -version
version=9.7

Yosemite

$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.10.3
BuildVersion:   14D131
$ jamf -version
version=9.7

  • Valued Contributor
  • April 13, 2015

@greatkemo Thanks! It would appear, then, for Yosemite and Casper Suite v9.7 and higher, we don't need to extract any EFI password tool from the OS X Installer dmg.


  • Contributor
  • April 13, 2015

I'm showing the same thing with Yosemite & Casper 9.65

bash-3.2$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
bash-3.2$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.10.3
BuildVersion:   14D131
bash-3.2$ jamf -version
version=9.65

  • Contributor
  • April 24, 2015

Yosemite + Casper 9.63 is still on setregproptool:

bash-3.2# strings /usr/sbin/jamf | grep -i firmwarepasswd
bash-3.2# strings /usr/sbin/jamf | grep -i setregproptool
/Library/Application Support/JAMF/bin/setregproptool
isUsingSetRegPropTool

  • Honored Contributor
  • April 28, 2015

Looks like Casper 9.65 moved over to the new tool

strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
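
The two checks used in this thread (`strings` on the jamf binary, and `firmwarepasswd -check`) combined into an audit script, as an added example that is not part of the original posts and not Jamf's own code. The function names are hypothetical, and the `Mode: <name>` output format of `firmwarepasswd -mode` is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of jamf or macOS.

# Classify `strings /usr/sbin/jamf` output (stdin) by the EFI helper it names.
jamf_efi_tool() {
    refs=$(cat)
    new=no; old=no
    if printf '%s\n' "$refs" | grep -qxF '/usr/sbin/firmwarepasswd'; then new=yes; fi
    if printf '%s\n' "$refs" | grep -q '/JAMF/bin/setregproptool$'; then old=yes; fi
    case "$new/$old" in
        yes/yes) echo both ;;
        yes/no)  echo firmwarepasswd ;;
        no/yes)  echo setregproptool ;;
        *)       echo unknown ;;
    esac
}

# Compare `firmwarepasswd -check` and `-mode` output with the wanted mode.
# Assumption: -mode prints a line of the form "Mode: <name>".
fw_state() {
    check_out=$1; mode_out=$2; want=$3
    case "$check_out" in
        *"Password Enabled: Yes"*) ;;
        *"Password Enabled: No"*)  echo "no-password"; return 0 ;;
        *)                         echo "unreadable";  return 0 ;;
    esac
    mode=$(printf '%s\n' "$mode_out" | sed -n 's/^Mode: *//p' | tr 'A-Z' 'a-z')
    if [ "$mode" = "$want" ]; then
        echo "ok:$mode"
    else
        echo "wrong-mode:${mode:-unknown}"
    fi
}

# Offline run on output quoted in the thread (Casper 9.63 on 10.10) and on a
# constructed "Mode: full" line matching the symptom in the opening post.
printf '%s\n' '/Library/Application Support/JAMF/bin/setregproptool' \
    'isUsingSetRegPropTool' | jamf_efi_tool
fw_state 'Password Enabled: Yes' 'Mode: full' command

# Live run on a managed Mac (root required); skipped everywhere else.
if [ -x /usr/sbin/firmwarepasswd ] && [ "$(id -u)" -eq 0 ]; then
    echo "jamf helper: $(strings /usr/sbin/jamf | jamf_efi_tool)"
    echo "firmware:    $(fw_state "$(/usr/sbin/firmwarepasswd -check)" \
        "$(/usr/sbin/firmwarepasswd -mode)" command)"
fi
```

Run after the post-imaging reboot, since the thread notes that firmware password changes only take effect then.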

boberito
  • Jamf Heroes
  • May 4, 2015

So I'm going to bring this topic kind of back alive again.

The built in casper tool will set the firmware password. But I need to be able to remove it now sometimes remotely (via script or whatever) on 10.10 machines.

Any hints?


  • Contributor
  • October 6, 2015
So I'm going to bring this topic kind of back alive again. The built in casper tool will set the firmware password. But I need to be able to remove it now sometimes remotely (via script or whatever) on 10.10 machines. Any hints?

Would also like to know how to do this.


  • Contributor
  • October 6, 2015

@boberito @Nick_Shortal Here's something I cobbled together using examples from the internet. The script will allow you to remove a firmware password by trying two different passwords. Replace 'password1' and 'password2' in the code below with your passwords. Changes to firmware passwords don't take effect until a reboot.

#!/usr/bin/expect

# Check whether a firmware password is currently set
set verifyPassword [exec firmwarepasswd -check]

if { $verifyPassword eq "Password Enabled: Yes" } {

   # Try the first password
   spawn firmwarepasswd -delete
   expect "Enter password:"
   send "password1\r"
   expect {
      "Password incorrect" {
         # First password rejected; start again with the second one
         puts "Trying 2nd password"
         expect eof
         spawn firmwarepasswd -delete
         expect "Enter password:"
         send "password2\r"
         expect "Password removed"
         puts "Firmware Password Deleted using 2nd Password"
       }
      "Password removed" {
        puts "Firmware Password Deleted using 1st Password"
        }
   }
}

  • New Contributor
  • October 7, 2015

What does the "Open firmware/ EFI password" portion of a policy do then?


  • Contributor
  • February 2, 2016

Hello:

You might want to take a look at our firmware_password_manager script, which allows management of the firmware password.

It's available in our GitHub repo here:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

If you have any questions or problems, please let us know.