Posted on 04-24-2020 07:31 AM
Hi JamfNation,
In my organisation there are macs which have random firmware password set. I need ideas about how i can change them to a single one.
Via EFI payload its difficult because old keys are not same for everyone.
btw, i have an extension attribute created to get the list of existing firmware passwords for emergency uses.
TIA
Posted on 04-24-2020 07:55 AM
You have an EA that gets the firmware password? Sounds cool, how does that work? I wasn't aware that the firmware password is stored in plain text on the device.
Posted on 04-24-2020 08:41 AM
@mschroder i found the passwords in install.logs (plain text), as a result of failed jamf policy.however i am not sure, how they come from.
I did few firmwarepasswd -verify and found they were correct.
Posted on 04-24-2020 10:20 AM
Curious why you'd want to go from a unique password on every device to the same password. Information likes to be free and once you provide that password to the wrong person, all your Macs are vulnerable.
Posted on 04-25-2020 10:58 PM
Actually you are correct.Its better to have a unique password rather than a single for all. But the issue is the passwords are not saved anywhere, they are randomly created.Hence i am planning to change them just to have them tracked.
@talkingmoose how you are saving/tracking the unique FW passwords? is there a way to save those ,apart from offline excel/csv?
I would like to know the best practice for that.
thank you
Posted on 04-27-2020 10:17 PM
@Rohitds14, I have a script and an Extension Attribute to generate a random 8-character password and to capture it to Jamf Pro to the computer record. Once the script has run, the Mac needs to be restarted for the firmware password to activate.
https://gist.github.com/talkingmoose/7f3d4b75c22e21332a11117937765247
Posted on 04-28-2020 03:16 AM
Thanks @talkingmoose , this is useful.
In my environment, the passwords are already set (randomly), and managed in excel. I believe this script will only work in FW password is not set only.
Posted on 04-28-2020 04:12 AM
@Rohitds14 The following may prove helpful: Firmware Password Manager.
Posted on 08-05-2020 11:40 AM
hi @talkingmoose ,
Thanks for the help, this working fine,
Just an additional query, i believe the password is getting saved in a file in clear text.
can we encrypt that or anything else, So that the user does not stumble on the password.
Posted on 08-05-2020 12:03 PM
@Rohitds14, I started to say, "Unfortunately, due to the way Extension Attributes work, we always have to have that file present. Otherwise, the EA will go blank."
However, it would probably be possible to write the script to encode the data on disk and then decode it when reporting it to the EA. I'll need to dig into it. Doesn't sound difficult, but will take some time to make sure it's right.
Could you add your comment to the comments section on GitHub for me? I'll take a look at what I can do.
Posted on 08-06-2020 08:36 AM
thank you it will be awesome! @talkingmoose
Posted on 09-09-2020 07:08 AM
Hi @talkingmoose, I'm looking at the possibility of implementing your awesome work. Something that's not clear to me based on the current version of the script on Github is around the temporary file and cleanup.
Thanks a lot,
Justin.
Posted on 09-09-2020 11:41 AM
@jtrant, if I'm still referring to that file as "temporary" in my instructions, that's my fault. It should reside there permanently.
I had hoped to make that file temporary, but later learned that I must choose to return something to a Jamf Pro extension attribute. A value is always returned and if I don't specify that value, it returns nothing and wipes out the password in Jamf Pro.
I'm looking at what it would take to store the password in a different format — possibly using something like Jamf's Encrypted Script Parameters.
No ETA yet on when I'll have a working encrypted solution, but I'm looking at it indeed!
Posted on 09-09-2020 12:31 PM
managing firmware passwords is a nightmare because of how it is designed compounded by no one has really built a solid tool to manage them either. I would highly suggest not using firmware passwords unless you are contractually obligated to do so
Posted on 09-09-2020 01:23 PM
Thanks @talkingmoose, appreciate your efforts on this. My issue is that our users are admins, and storing it anywhere locally is not possible in my case.
@tlarkin I agree that firmware passwords are a nightmare, but we are obligated to set them globally.
Posted on 09-09-2020 06:23 PM
@jtrant yeah I feel ya, I had to do it at a previous job because we were told we had to, and we just did a master password for all Macs firmware. Luckily, at the rest of my jobs I have convinced the people that it is too much of a hassle and FV2, plus remote lock/wipe is pretty much all that is needed given the pitfalls of firmware password automation, maintenance and execution and that it is not securely done in any way with out building some sort of custom system.