Firmware Password 10.10 Image

Eisiminger
New Contributor III

In our imaging endeavors set up by my predecessor, we turned the firmware password on on student computers by installing a package that placed "setregproptool" in the JAMF/bin folder, and then running:

/Library/Application Support/JAMF/bin/setregproptool -m command -p *FirmwarePassword*

Well, with 10.10 that hasn't been working for us. It sets the password mode to "full". I figured I would try to use the built in /usr/sbin/firmwarepasswd command, but that does the same thing and I'm not sure how to define the mode and the password using the same command as I am very new when it comes to scripting. I'm sure it's probably something simple that I'm glossing over, but if anyone has any suggestion I'd be very grateful. Thanks!
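
Added example (not part of the original post or of Jamf's tooling): a shell check for the symptom described above, where a password is set but the mode ends up as "full" instead of "command". It assumes `firmwarepasswd -check` prints `Password Enabled: Yes|No` and `firmwarepasswd -mode` prints `Mode: command|full|none`; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the firmware password state after imaging.
# Assumed output formats (not taken from a policy log on this page):
#   firmwarepasswd -check  ->  "Password Enabled: Yes" or "Password Enabled: No"
#   firmwarepasswd -mode   ->  "Mode: command", "Mode: full" or "Mode: none"

# classify_fw_state CHECK_OUTPUT MODE_OUTPUT WANTED_MODE
# Prints one of: compliant, no-password, wrong-mode:<mode>, unparsed
classify_fw_state() {
    check_out=$1 mode_out=$2 wanted=$3
    enabled=$(printf '%s\n' "$check_out" |
        sed -n 's/^Password Enabled:[[:space:]]*//p' | head -n 1)
    mode=$(printf '%s\n' "$mode_out" |
        sed -n 's/^Mode:[[:space:]]*//p' | head -n 1)

    case $enabled in
        Yes) ;;                                  # password set, go on to the mode
        No)  echo "no-password"; return 0 ;;
        *)   echo "unparsed";    return 0 ;;     # tool failed or format changed
    esac

    case $mode in
        "$wanted")         echo "compliant" ;;
        command|full|none) echo "wrong-mode:$mode" ;;
        *)                 echo "unparsed" ;;
    esac
}

# audit_firmware WANTED_MODE
# Runs the real tool when present (needs root on OS X); otherwise "unsupported".
audit_firmware() {
    fw=/usr/sbin/firmwarepasswd
    [ -x "$fw" ] || { echo "unsupported"; return 0; }
    classify_fw_state "$("$fw" -check 2>/dev/null)" \
                      "$("$fw" -mode 2>/dev/null)" "$1"
}

# Constructed sample: password enabled, but mode is "full" rather than "command".
SAMPLE_CHECK='Password Enabled: Yes'
SAMPLE_MODE='Mode: full'
echo "sample:       $(classify_fw_state "$SAMPLE_CHECK" "$SAMPLE_MODE" command)"
echo "this machine: $(audit_firmware command)"
```

Run it as root after the reboot that finalizes the change, so the reported state is the one the firmware actually enforces.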

16 REPLIES

justinrummel
Contributor III

There is a new command line tool called firmwarepasswd. Run sudo firmwarepasswd -h on a Yosemite client to see details.

More commands are documented at: https://www.justinrummel.com/new-binaries-in-yosemite/

Eisiminger
New Contributor III

justinrummel, I know, I've been using that but I can't build a working script that can set both the password and the mode.

Edit: Also wanted to say that your website was actually very helpful in my finding out where the problem was coming from when I started running into issues. So thank you!

Josh_Smith
Valued Contributor

I use a payload-free package to call a policy with a custom trigger at the end of the imaging process. The policy just uses the built-in functionality in Casper (9.63) for EFI... works well for me in 10.8, 10.9, 10.10.

10.8 and 10.9 require the setregproptool, 10.10 just works: https://jamfnation.jamfsoftware.com/article.html?id=58

mthakur
Contributor
> I use a payload-free package to call a policy with a custom trigger at the end of the imaging process. The policy just uses the built-in functionality in Casper (9.63) for EFI... works well for me in 10.8, 10.9, 10.10.

Could you show the extract of a policy log on a 10.10.x computer where the EFI firmware password is being set?
I'm specifically interested in knowing which EFI firmware utility is being invoked by /usr/sbin/jamf on 10.10.x, i.e. setregproptool, nvram, or firmwarepasswd.

Josh_Smith
Valued Contributor

@mthakur

Sure, the verbose policy log doesn't show much though unfortunately:

10.10.2Mac:~ user$ sudo jamf policy -event customeEFItrigger -verbose
Password:
 verbose: Checking for an existing instance of this application...
Checking for policies triggered by "customeEFItrigger"...
 verbose: Checking for active connection on interface "Display Ethernet"...
 verbose: Found active connection on "Display Ethernet"...
 verbose: Checking for active connection on interface "Thunderbolt Ethernet"...
 verbose: No active connection on "Thunderbolt Ethernet"...
 verbose: The Management Framework Settings are up to date.
 verbose: Found 1 matching policies.
 verbose: Removing any cached policies for this trigger.
 verbose: Parsing servers...
 verbose: Parsing Policy EFI Password (4)...
 verbose: Parsing Policy EFI Password (4)...
Executing Policy EFI Password...
Setting EFI password...
Set EFI Password sent.  Reboot required to finalize change.
Submitting log to https://jssurl/

mthakur
Contributor

Thanks. I agree it's unclear.
The /usr/sbin/jamf executable has no reference to firmwarepasswd:

$ strings /usr/sbin/jamf | grep -i firmwarepasswd
$ 
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.10.2
BuildVersion:   14C1510
$ jamf -version
version=9.63
$

So ... just how is the firmware password being set by the JSS on Yosemite? Anyone know?

greatkemo
Contributor II

@mthakur Not sure if this was introduced in 9.7 of the Casper Suite; here is the output from Mavericks and Yosemite clients. Not sure if it is of any help.

Mavericks

$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.9.5
BuildVersion:   13F1077
$ jamf -version
version=9.7

Yosemite

$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.10.3
BuildVersion:   14D131
$ jamf -version
version=9.7

mthakur
Contributor

@greatkemo Thanks! It would appear, then, for Yosemite and Casper Suite v9.7 and higher, we don't need to extract any EFI password tool from the OS X Installer dmg.

merps
Contributor III

I'm showing the same thing with Yosemite & Casper 9.65

bash-3.2$ strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy
bash-3.2$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.10.3
BuildVersion:   14D131
bash-3.2$ jamf -version
version=9.65

ktappe
New Contributor III

Yosemite + Casper 9.63 is still on setregproptool:

bash-3.2# strings /usr/sbin/jamf | grep -i firmwarepasswd
bash-3.2# strings /usr/sbin/jamf | grep -i setregproptool
/Library/Application Support/JAMF/bin/setregproptool
isUsingSetRegPropTool

CasperSally
Valued Contributor II

Looks like Casper 9.65 moved over to the new tool

strings /usr/sbin/jamf | grep -i firmwarepasswd
/usr/sbin/firmwarepasswd
FirmwarePasswdEFIStrategy

boberito
Valued Contributor

So I'm going to bring this topic kind of back alive again.

The built in casper tool will set the firmware password. But I need to be able to remove it now sometimes remotely (via script or whatever) on 10.10 machines.

Any hints?

bse_college
New Contributor III
> So I'm going to bring this topic kind of back alive again. The built in casper tool will set the firmware password. But I need to be able to remove it now sometimes remotely (via script or whatever) on 10.10 machines. Any hints?

Would also like to know how to do this.

plawrence
Contributor II

@boberito @Nick_Shortal Here's something I cobbled together using examples from the internet. The script will allow you to remove a firmware password by trying two different passwords. Replace 'password1' and 'password2' in the code below with your passwords. Changes to firmware passwords don't take effect until a reboot.

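#!/usr/bin/expect
# Remove the firmware password, trying two candidate passwords in turn.
# Note: both passwords are stored in plaintext in this script.

set verifyPassword [exec firmwarepasswd -check]

# Only attempt removal when a firmware password is actually set
if { $verifyPassword eq "Password Enabled: Yes" } {

   spawn firmwarepasswd -delete
   expect "Enter password:"
   send "password1\n"
   expect {
      "Password incorrect" {
         puts "Trying 2nd password"
         expect eof
         # First attempt was rejected; start a fresh process for the 2nd password
         spawn firmwarepasswd -delete
         expect "Enter password:"
         send "password2\n"
         # Report success only if the tool confirms the removal
         expect {
            "Password removed"   { puts "Firmware Password Deleted using 2nd Password" }
            "Password incorrect" { puts "Both passwords were rejected" }
         }
      }
      "Password removed" {
         puts "Firmware Password Deleted using 1st Password"
      }
   }
}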

lcopeland
New Contributor

What does the "Open firmware/ EFI password" portion of a policy do then?

uurazzle
Contributor II

Hello:

You might want to take a look at our firmware_password_manager script, which allows management of the firmware password.

It's available in our GitHub repo here:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

If you have any questions or problems, please let us know.