Firmware Password for 2011 MacBook Pros

michael_blaha
New Contributor

Hi All,

Has anybody figured out how to script firmware password configuration
for the new 2011 MacBook Pros? The old methods no longer work and
obviously Casper's Open Firmware/EFI Password policy is ineffective as
well.

Thanks!

Michael Blaha | UHG IT 952.512.8019 michael_blaha at uhc.com Macintosh Group

13 REPLIES

tlarkin
Honored Contributor

What changed? Can you give an example?

michael_blaha
New Contributor

Thomas,

So the way Apple has implemented the Firmware password has changed.

Before the 2011 MacBook Pro one could either use the Casper policy to set
firmware password or script something along these lines:

# Replace $mode-value with "command" or "full"

sudo nvram security-mode="$mode-value"

I'm guessing the Casper method does the same thing as this script but
neither works on the 2011 MBP. JAMF knows about it and is looking into
it but I haven't heard of any workarounds other than manually running
firmware password utility.

Thanks!

Michael Blaha | UHG IT 952.512.8019 michael_blaha at uhc.com Macintosh Group

tlarkin
Honored Contributor

You can try this, which takes the plain text password and obfuscates it properly where you can use the nvram command. I cannot take full credit for this script, as I asked a Unix community for help when I was messing with it.

#!/bin/bash

# Reads stdin one character at a time, XORs each character code with 0xaa
# and prints it as %xx.
function mac
{
    while IFS="" read -r -n 1 C
    do
        I=$(printf "%d" "'${C}")
        printf "%%%02x" $((I^0xaa))
    done
    echo
}

echo -n "$1" | mac

see this: http://paulmakowski.blogspot.com/2009/03/apple-efi-firmware-passwords.html

So, you would call the function, then put the password after it, and the output is what you could use with the nvram command.

Not applicable

I'm not entirely convinced that it merely fails to set the password on the new MBPs. I've seen some very odd behavior on one; it won't boot from some drives (it locks up while showing whatever EFI screen happened to be displayed). It's possible CheckPoint is somehow responsible, but my suspicion is that Apple changed the address of the password in the nvram, and when it sets the EFI password it's actually writing it over some other part of nvram, where it's causing Bad Things™ to happen.

Has anyone else encountered anything like this?

On Apr 22, 2011, at 4:08 PM, Thomas Larkin wrote:

You can try this, which takes the plain text password and obfuscates it properly where you can use the nvram command. I cannot take full credit for this script, as I asked a Unix community for help when I was messing with it.

#!/bin/bash

function mac
{
    while IFS="" read -r -n 1 C
    do
        I=$(printf "%d" "'${C}")
        printf "%%%02x" $((I^0xaa))
    done
    echo
}

echo -n "$1" | mac

see this: http://paulmakowski.blogspot.com/2009/03/apple-efi-firmware-passwords.html

So, you would call the function, then put the password after it, and the output is what you could use with the nvram command.

bentoms
Release Candidate Programs Tester

Has the man page for the command been updated? (if there is one).

Regards,

Ben.

rockpapergoat
Contributor III

this seems to indicate apple's changed the way they deal with firmware passwords. it may be worth looking for docs on the dev pages.

http://code.google.com/p/efipw/

michael_blaha
New Contributor

Hey Nate,

Thanks for the link! Unfortunately all I came up with was dead ends...
I'm really quite surprised Apple hasn't published anything on this new
firmware pw system!

Michael Blaha | UHG IT 952.512.8019 michael_blaha at uhc.com
Macintosh Group

tlarkin
Honored Contributor

If you can use something like pacifist and pull out this from the newest OS X install disk

/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool

That should allow you to set EFI passwords. I have not tested this, but typically this should have command line arguments

nkalister
Valued Contributor

here's the help page for setregproptool which lists the command line parameters:
setregproptool v 2.0 (9) May 25 2011
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>]

-c Check whether password is enabled. Sets return status of 0 if set, 1 otherwise.
-d Delete current password/mode. Requires current password on some machines.
-p Set password. Requires current password on some machines.
-m Set security mode. Requires current password on some machines. Mode can be either "full" or "command". Full mode requires entry of the password on every boot, command mode only requires entry of the password if the boot picker is invoked to select a different boot device.

When enabling the Firmware Password for the first time, both the password and mode must be provided. Once the firmware password has been enabled, providing the mode or password alone will change that parameter only.

-o Old password. Only required on certain machines to disable or change password or mode. Optional, if not provided the tool will prompt for the password.

nkalister
Valued Contributor

This does work to set the password, but the -c switch doesn't seem to work- I get no output with that switch regardless of whether a password has been set or not, so I have no way of reporting whether a password has been set in the JSS.
Anyone found a good way to report on this via extension attributes?

cbrewer
Valued Contributor II

JAMF has documented the changes and how to deal with it.

https://jamfnation.jamfsoftware.com/article.html?id=58

tlarkin
Honored Contributor

Hey guys, I posted this how to article a bit back

https://jamfnation.jamfsoftware.com/discussion.html?id=52

This does work to set the password, but the -c switch doesn't seem to work- I get no output with that switch regardless of whether a password has been set or not, so I have no way of reporting whether a password has been set in the JSS. Anyone found a good way to report on this via extension attributes?

The -c option won't display any output; you need to run echo "$?" to get the output of the last command in your bash shell. Also, it doesn't clear unless you reboot; if you look at the caveats section of that post I made, I cover that bit.

Hope that helps.
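The reporting approach discussed above (read the return status of setregproptool -c instead of its output), sketched as an extension attribute script. This is an added example, not code from the thread or from JAMF; the TOOL path is an assumption about where the binary was deployed, and the script prints its value between the <result> tags that Casper extension attributes read.

```bash
#!/bin/bash
# Report firmware password state from the exit status of "setregproptool -c".
# Assumption: TOOL points at wherever you deployed the binary pulled from the
# Firmware Password Utility bundle; the default below is a hypothetical path.
TOOL="${TOOL:-/usr/local/bin/setregproptool}"

# Print one status word for the given tool.
# Per the tool's usage text: -c returns 0 if a password is set, 1 otherwise.
fw_password_status() {
    fw_tool="$1"
    # Distinguish "tool not deployed" from "password not set".
    if ! command -v "$fw_tool" >/dev/null 2>&1; then
        echo "Tool Missing"
        return 0
    fi
    # -c prints nothing, so capture the return status explicitly.
    fw_rc=0
    "$fw_tool" -c >/dev/null 2>&1 || fw_rc=$?
    case "$fw_rc" in
        0) echo "Set" ;;
        1) echo "Not Set" ;;
        *) echo "Unknown (exit $fw_rc)" ;;   # anything else is unexpected
    esac
}

# Value that ends up in the computer's inventory record.
echo "<result>$(fw_password_status "$TOOL")</result>"
```

Per the caveat mentioned in this thread, a change may not show up in this status until after a reboot.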

efipass
New Contributor

Hi Guys, I had this problem. I was unable to boot from any devices. I found a seller on eBay who removed that password for me. My Mac works again.