Hello,
I'm tasked with rotating the firmware password on our fleet. Clearing and setting is fine, either using a policy or a simple script. My issue is that the old password could potentially be one of two values. Both are known so I was thinking of future-proofing with a script containing an array that would attempt to clear it using any values in that array and set the new password once it succeeds.
I'm not a bash expert so before I go down that rabbit hole I was wondering if anyone has had to do this, and if someone has already gone to the effort of writing such a script that they would be willing to share. I am aware of solutions that will store a temporary file containing a password in an obscure folder, but that's not an option for me since my users are admins on their machines.
Here's what I have so far, the script sets an array with the possible current values and verifies that a password is set. From there it verifies the passwords in the array and uses that to delete the current password. If that returns "Password removed" it then sets the new password.
The problem I'm running into is that the 'delete' portion of the script returns '0', presumably because I'm trying multiple old passwords. This doesn't change if the old password is incorrect, so I'm definitely going wrong somewhere.
Note: I am NOT a bash expert, and my use of 'sudo' in the script is for local testing purposes only.
#!/bin/bash
# Assign the new firmware password to a variable
newPassword=newpasswordgoeshere
# Declare an array with the possible existing firmware passwords
array=( oldpassword1 oldpassword2 oldpassword3 )
# Verify whether a firmware password is set
echo "Checking for existing firmware password."
checkFirmwarePassword=$( sudo /usr/sbin/firmwarepasswd -check )
# If a firmware password is not set, stop the script and report failure to Jamf
if [ "$checkFirmwarePassword" = "Password Enabled: No" ]; then
    echo "No firmware password set. This will be set using another policy."
    exit 1
else
    echo "Firmware password is set. Rotating."
    for i in "${array[@]}"
    do
        # Pipe the candidate into firmwarepasswd's password prompt and capture what it
        # prints. The original line used '>' instead of '|', which wrote the candidate
        # into a file named "sudo" in the working directory, and then tested $? (printf's
        # exit status, always 0) against the text "Password removed".
        # If firmwarepasswd insists on reading from the terminal rather than stdin on
        # your macOS version, drive it with expect instead of printf.
        removeResult=$( printf '%s\n' "$i" | sudo /usr/sbin/firmwarepasswd -delete 2>&1 )
        echo "$removeResult"
        if [[ "$removeResult" == *"Password removed"* ]]; then
            echo "Firmware password removed! Setting new password"
            # Set the password, exit and report success to Jamf.
            # With no password set, -setpasswd prompts for the new value twice.
            printf '%s\n%s\n' "$newPassword" "$newPassword" | sudo /usr/sbin/firmwarepasswd -setpasswd
            exit 0
        fi
        # Wrong candidate: keep looping instead of exiting on the first failure
    done
    # Only reached when none of the candidates cleared the password
    echo "Firmware password verification failed. Exiting!"
    exit 1
fi
Thanks a lot,
Justin.
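The try-each-candidate loop the post is after, written as an added example rather than the poster's own script. It judges success by the text firmwarepasswd prints, not by `$?`, and only exits with failure after every candidate has been tried. Assumptions, none of which come from the original post: the functions `remove_with_candidates`, `rotate_firmware_password` and `make_fake_firmwarepasswd` and the variables `FIRMWAREPASSWD` and `FIRMWAREPASSWD_STATE` are this example's own names; it runs as root (as a Jamf policy does) so there is no `sudo`; firmwarepasswd is assumed to read its prompt answers from stdin (if your macOS version insists on a terminal, replace the `printf | firmwarepasswd` pipes with an expect wrapper); and the stand-in `firmwarepasswd` is a constructed test double that mimics only the two real output strings the post relies on, "Password Enabled: Yes/No" and "Password removed", so the logic can be exercised off a Mac.

```bash
#!/bin/bash
# Added example (not the original poster's code). Rotates a firmware password by
# trying each known old password in turn and judging success by what
# firmwarepasswd prints, not by $?. The tool path is overridable so the logic
# can be exercised offline against the constructed stand-in defined below.
FIRMWAREPASSWD="${FIRMWAREPASSWD:-/usr/sbin/firmwarepasswd}"

# Feed each candidate to `firmwarepasswd -delete`; stop at the first one that
# clears the password. Prints the winning candidate and returns 0, or returns 1
# if none of them worked. Assumption: firmwarepasswd reads the prompt answer
# from stdin; if it insists on a tty on your macOS version, use expect instead.
remove_with_candidates() {
    local candidate output
    for candidate in "$@"; do
        output=$(printf '%s\n' "$candidate" | "$FIRMWAREPASSWD" -delete 2>&1) || true
        if [[ "$output" == *"Password removed"* ]]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Full rotation: refuse if no password is set (return 2), try the known old
# passwords (return 1 if none match), then set the new one and re-check.
rotate_firmware_password() {
    local new="$1"; shift
    local state
    state=$("$FIRMWAREPASSWD" -check 2>&1) || true
    if [[ "$state" != "Password Enabled: Yes" ]]; then
        echo "No firmware password set; nothing to rotate." >&2
        return 2
    fi
    if ! remove_with_candidates "$@" >/dev/null; then
        echo "None of the known passwords cleared the firmware password." >&2
        return 1
    fi
    # With the password cleared, -setpasswd prompts for the new value twice.
    printf '%s\n%s\n' "$new" "$new" | "$FIRMWAREPASSWD" -setpasswd >/dev/null 2>&1 || true
    state=$("$FIRMWAREPASSWD" -check 2>&1) || true
    [[ "$state" == "Password Enabled: Yes" ]]
}

# Constructed test double: a tiny stand-in for firmwarepasswd that keeps the
# "current password" in a state file. It mimics only the two real output
# strings the rotation logic depends on; its error wording is invented.
# Usage: make_fake_firmwarepasswd DIR INITIAL_PASSWORD ("" = none set).
make_fake_firmwarepasswd() {
    local dir="$1" initial="$2"
    FIRMWAREPASSWD_STATE="$dir/state"
    export FIRMWAREPASSWD_STATE
    printf '%s' "$initial" > "$FIRMWAREPASSWD_STATE"
    FIRMWAREPASSWD="$dir/firmwarepasswd"
    cat > "$FIRMWAREPASSWD" <<'EOF'
#!/bin/sh
state="$FIRMWAREPASSWD_STATE"
case "$1" in
  -check)
    if [ -s "$state" ]; then echo "Password Enabled: Yes"; else echo "Password Enabled: No"; fi ;;
  -delete)
    IFS= read -r given
    if [ -s "$state" ] && [ "$given" = "$(cat "$state")" ]; then
        : > "$state"; echo "Password removed"
    else
        echo "Password is incorrect."; exit 1
    fi ;;
  -setpasswd)
    IFS= read -r first; IFS= read -r second
    if [ ! -s "$state" ] && [ "$first" = "$second" ]; then
        printf '%s' "$first" > "$state"
    else
        exit 1
    fi ;;
esac
EOF
    chmod +x "$FIRMWAREPASSWD"
}

# Demo against the stand-in: the real old password is the second candidate.
demo_dir=$(mktemp -d)
make_fake_firmwarepasswd "$demo_dir" "oldpassword2"
if rotate_firmware_password "newpasswordgoeshere" oldpassword1 oldpassword2 oldpassword3; then
    echo "Rotated. Stand-in now holds: $(cat "$FIRMWAREPASSWD_STATE")"
fi
rm -rf "$demo_dir"
```

On a real Mac, drop the demo lines and call `rotate_firmware_password "$newPassword" "${array[@]}"` from the policy script; the function's return code (0, 1 or 2) is what Jamf will see. Note that the candidate passwords still live in the script body, so they are readable by anyone who can read the policy payload, which is the same exposure as the original draft.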