Firmware Password Manager

Contributor II

FYI, we have released a new python script that allows management of the firmware password, called Firmware Password Manager. it works using a JAMF JSS extention attribute.

For more info, see web page:

We can leverage the nvram string and smart groups in JAMF Casper to automate the distribution of an updated keyfile package and direct clients to change their firmware passwords. We do this by defining an extension attribute (EA) in the JSS. We've included the script we run in the repository for FWPM 2.0.

The EA script runs during recon and pushes the hash up to the JSS. We then define a smart group that contains any machine not sharing the same hash as the current keyfile. This makes it possible to apply a policy directing those machines to download the new keyfile package and run FWPM.

Try it out and let us know.


Contributor II

Let us know if you have any suggestions or feature requests.

New Contributor

I'm so glad I came across looks like this could get us out of the current bind we are in. We manage about 130 machines in our office, and currently have about three different firmware passwords on said machines. This tool looks like we can check against the three known passwords and then reset it to a new password? I loved the part about the "Set-it-and-forget it" because that's what put us in the this position in the first place...and of course, lack of documentation/rotation of hires in IT. I read the documentation and installed all the necessary requirements, but I can't figure out how to actually run the script and check against the keyfile on the local machine. Any tips for a newbie? I've only used python a few times. A straight forward example guide for dummies would be awesome (but I totally get that we are all busy) :)

Thanks for the hard work! This is what makes the community awesome.

Contributor II


Yes, our tool (aka script) can check for 3+ firmware passwords, it could be unlimited. For example, we have it checking against 65 firmware passwords.

Have you have download the script you create a keyfile in a location....

Here's an example keyfile:




Then you can run the following command: -k path/to/keyfile -#

Or you use JAMF Software Server and setup an extension attribute and scope its implementation on your fleet.

You will need to know your possible previous firmware passwords to have the script reset to your new firmware password. If you don't know a previous firmware password, you will need to contact Apple Authorized Service Provider or Apple Store for them to forcible remove the forgotten firmware password.

We have a blog post here:

We will work on creating additional documentation and maybe a video presentation on setting it up and using it. I will post back once we have any additional documentation or presentation available.

Contributor II

FYI we use this for our lab machines to help cleanup all the old firmware passwords and it's been AWESOME! Nice work and thanks for providing this to the community.

Contributor III

@uurazzle I don't seem to have the management_tools python module. Is this a separate install?

edit: Looks like i found it.

New Contributor III

@rdwhitt Thank you for your kind words!

The highest road block that I've seen is the requirement that the pxepect module needs to be installed on your clients. I'm looking at methods to make the script easier to deploy.

The next milestone on our road map is finishing a version of FWPM that will run from the JSS. It will be available soon.

We're eager to hear from folks with suggestions for additional features or bugs!