Posted on 03-18-2015 07:23 AM
In our imaging endeavors set up by my predecessor, we turned the firmware password on on student computers by installing a package that placed "setregproptool" in the JAMF/bin folder, and then running:
/Library/Application Support/JAMF/bin/setregproptool -m command -p *FirmwarePassword*
Well, with 10.10 that hasn't been working for us. It sets the password mode to "full". I figured I would try to use the built-in /usr/sbin/firmwarepasswd command, but that does the same thing and I'm not sure how to define the mode and the password using the same command, as I am very new when it comes to scripting. I'm sure it's probably something simple that I'm glossing over, but if anyone has any suggestions I'd be very grateful. Thanks!
Posted on 03-18-2015 07:29 AM
There is a new command line tool called firmwarepasswd. Run sudo firmwarepasswd -h on a Yosemite client to see details.
More commands are documented at: https://www.justinrummel.com/new-binaries-in-yosemite/
Posted on 03-18-2015 07:47 AM
justinrummel, I know, I've been using that but I can't build a working script that can set both the password and the mode.
Edit: Also wanted to say that your website was actually very helpful in my finding out where the problem was coming from when I started running into issues. So thank you!
Posted on 03-18-2015 02:46 PM
I use a payload-free package to call a policy with a custom trigger at the end of the imaging process. The policy just uses the built-in functionality in Casper(9.63) for EFI.....works well for me in 10.8, 10.9, 10.10.
10.8 and 10.9 require the setregproptool, 10.10 just works: https://jamfnation.jamfsoftware.com/article.html?id=58
Posted on 03-31-2015 09:18 AM
I use a payload-free package to call a policy with a custom trigger at the end of the imaging process. The policy just uses the built-in functionality in Casper(9.63) for EFI.....works well for me in 10.8, 10.9, 10.10.
Could you show the extract of a policy log on a 10.10.x computer where the EFI firmware password is being set?
I'm specifically interested in knowing which EFI firmware utility is being invoked by /usr/sbin/jamf on 10.10.x, i.e. setregproptool, nvram, or firmwarepasswd.
Posted on 03-31-2015 10:57 AM
Sure, the verbose policy log doesn't show much though unfortunately:
10.10.2Mac:~ user$ sudo jamf policy -event customeEFItrigger -verbose
Password:
verbose: Checking for an existing instance of this application...
Checking for policies triggered by "customeEFItrigger"...
verbose: Checking for active connection on interface "Display Ethernet"...
verbose: Found active connection on "Display Ethernet"...
verbose: Checking for active connection on interface "Thunderbolt Ethernet"...
verbose: No active connection on "Thunderbolt Ethernet"...
verbose: The Management Framework Settings are up to date.
verbose: Found 1 matching policies.
verbose: Removing any cached policies for this trigger.
verbose: Parsing servers...
verbose: Parsing Policy EFI Password (4)...
verbose: Parsing Policy EFI Password (4)...
Executing Policy EFI Password...
Setting EFI password...
Set EFI Password sent. Reboot required to finalize change.
Submitting log to https://jssurl/
Posted on 03-31-2015 02:31 PM
Thanks. I agree it's unclear.
The /usr/sbin/jamf executable has no reference to firmwarepasswd:
$ strings /usr/sbin/jamf | grep -i firmwarepasswd
$
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.10.2
BuildVersion: 14C1510
$ jamf -version
version=9.63
$
So ... just how is the firmware password being set by the JSS on Yosemite? Anyone know?
Posted on 04-12-2015 06:45 AM
@mthakur not sure if this was introduced in 9.7 of the Casper Suite; here is the output from Mavericks and Yosemite clients. Not sure if it is of any help.
Mavericks
$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.9.5
BuildVersion: 13F1077
$ jamf -version
version=9.7
Yosemite
$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.10.3
BuildVersion: 14D131
$ jamf -version
version=9.7
Posted on 04-13-2015 06:51 AM
@greatkemo Thanks! It would appear, then, for Yosemite and Casper Suite v9.7 and higher, we don't need to extract any EFI password tool from the OS X Installer dmg.
Posted on 04-13-2015 09:27 AM
I'm showing the same thing with Yosemite & Casper 9.65
bash-3.2$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
bash-3.2$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.10.3
BuildVersion: 14D131
bash-3.2$ jamf -version
version=9.65
Posted on 04-24-2015 02:13 PM
Yosemite + Casper 9.63 is still on setregproptool:
bash-3.2# strings /usr/sbin/jamf | grep -i firmwarepasswd
bash-3.2# strings /usr/sbin/jamf | grep -i setregproptool
/Library/Application Support/JAMF/bin/setregproptool
isUsingSetRegPropTool
Posted on 04-28-2015 09:46 AM
Looks like Casper 9.65 moved over to the new tool
strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
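The check the posts above run by hand (strings /usr/sbin/jamf | grep ...), wrapped as a pre-imaging check that also confirms the referenced tool is actually on disk. This is an added example, not part of any post and not Jamf's own tooling; the function names, the ROOT prefix argument, and the choice to report firmwarepasswd first when both strings are present are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which EFI password helper a jamf binary references
# and whether that helper exists on disk. Both paths are quoted in the thread.

FIRMWAREPASSWD="/usr/sbin/firmwarepasswd"
SETREGPROPTOOL="/Library/Application Support/JAMF/bin/setregproptool"

# references BINARY STRING -> exit 0 if the literal string occurs in the file.
# grep -a reads the binary as text and -F matches a fixed string, which gives
# the same answer as `strings BINARY | grep STRING` without needing strings(1).
references() {
    grep -a -q -F -- "$2" "$1"
}

# efi_tool_status BINARY [ROOT]
# ROOT is a hypothetical prefix (default: empty, i.e. the live system) so the
# check can also run against a mounted image or a test directory.
# Prints "<tool>:<present|missing>", or "none:unknown" if neither is referenced.
efi_tool_status() {
    bin=$1
    root=${2:-}
    [ -r "$bin" ] || { echo "error:unreadable"; return 2; }

    # Assumption: if both strings are present, report the OS-supplied tool.
    if references "$bin" "$FIRMWAREPASSWD"; then
        tool=firmwarepasswd; path=$FIRMWAREPASSWD
    elif references "$bin" "$SETREGPROPTOOL"; then
        tool=setregproptool; path=$SETREGPROPTOOL
    else
        echo "none:unknown"; return 1
    fi

    # A referenced but absent helper means the EFI policy cannot do its job.
    if [ -x "$root$path" ]; then
        echo "$tool:present"
    else
        echo "$tool:missing"; return 1
    fi
}

# Run against a real binary only when a path is given on the command line.
if [ "$#" -gt 0 ]; then efi_tool_status "$@"; fi
```

A result of setregproptool:missing corresponds to the case where the tool still has to be packaged into the JAMF/bin folder before the EFI policy runs.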
Posted on 05-04-2015 10:52 AM
So I'm going to bring this topic kind of back alive again.
The built in casper tool will set the firmware password. But I need to be able to remove it now sometimes remotely (via script or whatever) on 10.10 machines.
Any hints?
Posted on 10-05-2015 10:29 PM
So I'm going to bring this topic kind of back alive again. The built in casper tool will set the firmware password. But I need to be able to remove it now sometimes remotely (via script or whatever) on 10.10 machines. Any hints?
Would also like to know how to do this.
Posted on 10-05-2015 10:55 PM
@boberito @Nick_Shortal Here's something I cobbled together using examples from the internet. The script will allow you to remove a firmware password by trying two different passwords. Replace 'password1' and 'password2' in the code below with your passwords. Changes to firmware passwords don't take effect until a reboot.
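#!/usr/bin/expect
# Remove the firmware password, trying two candidate passwords in turn.
# Replace password1 and password2 below with your passwords.

# firmwarepasswd -check reports whether a firmware password is currently set
set verifyPassword [exec firmwarepasswd -check]
if { $verifyPassword eq "Password Enabled: Yes" } {
    # First attempt
    spawn firmwarepasswd -delete
    expect "Enter password:"
    send "password1\r"
    expect {
        "Password incorrect" {
            # First password rejected: wait for that process to exit, then retry
            puts "Trying 2nd password"
            expect eof
            spawn firmwarepasswd -delete
            expect "Enter password:"
            send "password2\r"
            expect "Password removed"
            puts "Firmware Password Deleted using 2nd Password"
        }
        "Password removed" {
            puts "Firmware Password Deleted using 1st Password"
        }
    }
}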
Posted on 10-07-2015 07:13 AM
What does the "Open firmware/ EFI password" portion of a policy do then?
Posted on 02-02-2016 07:29 AM
Hello:
You might want to take a look at our firmware_password_manager script, which allows management of the firmware password.
It's available in our GitHub repo here:
https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager
If you have any questions or problems, please let us know.