Firmware Password Manager 2.5 - New Release

uurazzle
Contributor II


Firmware Password Manager is a Python script to help MacAdmins programmatically manage the firmware passwords of their Mac systems. The firmware password is one of the three interlocking methods used to secure Mac systems. The other two are: using strong passwords (and password policy) on user accounts and FileVault to apply full disk encryption (FDE). Strong account passwords are always the first line of defense. FDE effectively scrambles the information written to a storage device and renders it unreadable by unauthorized persons. Using all three methods can make a Mac system unusable should it be lost or stolen.

New features include:

  • Removed Flags
    This allows the user to select and remove the firmware password and set no firmware password.

  • Configuration File
    The configuration file allows you to easily modify the Firmware Password Manager options for your environment's needs.

  • Ported to Python 3
    The script has been ported from Python 2 to Python 3.7+.

  • Added JAMF Controller Script and Skeleton Key
    Skeleton Key was written to add a GUI to the firmwarepasswd command and Firmware Password Manager and give it multiple ways to obtain the keylist file.

The controller script makes it easy for Jamf Admins to integrate Firmware Password in their infrastructure. It directs the automated configuration and launch of FWPM. It contains the new and old firmware passwords, the logic to error check and create an obfuscated keyfile and configuration file, and launches FWPM.

Firmware Password Manager will work with any client management system, for example, popular options like Jamf Pro and Munki, or multiple others.

If you are interested in checking it out see our GitHub repository:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager#jamf-fwpm-controlle...

7 REPLIES

estes
New Contributor III

I'm struggling with this... Just need the script, config file, and pexpect? Script complains it can't find pexpect.

todd_mcdaniel
New Contributor III

There is a binary included in the github repo. I would suggest starting there, instead of attempting to use the python source. The binary includes all of the dependencies.

uurazzle
Contributor II

@estes Did you see @todd.mcdaniel's response above?

There is a binary included in the GitHub repo. I would suggest starting there, instead of attempting to use the python source. The binary includes all of the dependencies.

estes
New Contributor III

Thanks for the replies. I'm going to need a paint-by-numbers demonstration. I'm installing the binary and capturing with Composer, then deploying through JSS? I've tried to watch a few Utah Marriott videos looking for a how-to demo, but they only seem to mention release notes etc.

Thanks gentlemen.

uurazzle
Contributor II

Hello @estes :

Sorry, we are "really" busy right now but will add it to my to-dos to create step-by-step instructions for FWPW setup in Jamf Pro. And let you know when it's available, probably post to our blog and maybe update the GitHub repository.

estes
New Contributor III

@uurazzle

I appreciate that you've created this and made it available. Thanks again.

mclaus
New Contributor

I'm having an issue with fwpm v2.5. I was hoping someone here could point me in the correct direction.
In our university we set passwords via a JAMF policy, using the JSS FWPM controller script.py script, leaving all flags to default.
Removing a firmware password is offered as a self-service policy. To remove the firmware password, we use a 2nd copy of the controller script but now use the flag 'use_fwpw': False. This removes the firmware password and the nvram hash without any issues.

The problem we are seeing is as soon as we run the policy that sets a firmware password again after a reboot, the policy fails. The error code in /var/log/fwpm_controller.log does not show much info:

2020-12-18 01:22:33,998 - INFO - fwpm controller launched.
2020-12-18 01:22:33,998 - INFO - fwpm controller version 1.0
2020-12-18 01:22:34,006 - INFO - prepare_keyfile: activated
2020-12-18 01:22:34,006 - INFO - sanity check new.
2020-12-18 01:22:34,006 - INFO - sanity check previous.
2020-12-18 01:22:34,007 - INFO - Sanity check successful.
2020-12-18 01:22:34,008 - INFO - launching fwpm.
2020-12-18 01:22:35,578 - CRITICAL - Command '['/usr/local/fwpm/firmware_password_manager', '-c', '/tmp/cfg.cfg']' returned non-zero exit status -9

After a factory reset the script runs again without any issues. Is there anything we can do to troubleshoot this issue?
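
Added example, not part of the original thread and not code from the FWPM project: a small triage helper for the controller log format quoted above, which decodes the "non-zero exit status" the way Python's subprocess module defines it (a negative value -N means the child was terminated by signal N). The function names and the embedded sample log are constructed for illustration.

```python
import re
import signal

# Constructed sample: three of the controller log lines quoted in the post above.
SAMPLE_LOG = """\
2020-12-18 01:22:34,007 - INFO - Sanity check successful.
2020-12-18 01:22:34,008 - INFO - launching fwpm.
2020-12-18 01:22:35,578 - CRITICAL - Command '['/usr/local/fwpm/firmware_password_manager', '-c', '/tmp/cfg.cfg']' returned non-zero exit status -9
"""

# "<timestamp> - <LEVEL> - <message>", as seen in /var/log/fwpm_controller.log above.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<level>[A-Z]+) - (?P<msg>.*)$"
)
STATUS = re.compile(r"returned non-zero exit status (?P<code>-?\d+)")


def describe_status(code):
    """Explain a subprocess return code (hypothetical helper name)."""
    if code < 0:
        # Negative N: the child was terminated by signal N instead of exiting.
        try:
            name = signal.Signals(-code).name
        except ValueError:
            name = "unknown signal"
        return "terminated by signal %d (%s)" % (-code, name)
    return "exited with status %d" % code


def triage(log_text):
    """Return (timestamp, level, explanation) for each entry reporting a failed command."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # skip lines that are not in the controller's log format
        status = STATUS.search(entry.group("msg"))
        if status:
            code = int(status.group("code"))
            findings.append((entry.group("ts"), entry.group("level"), describe_status(code)))
    return findings


if __name__ == "__main__":
    for ts, level, why in triage(SAMPLE_LOG):
        print(ts, level, why)
```

For the log above this reports that the launched firmware_password_manager process was terminated by signal 9 (SIGKILL) rather than returning an error code of its own, so the system logs around 01:22:35 are the place to look for what ended it.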