Posted on 07-22-2013 04:29 AM
Hello all,
Is it possible to identify which Macs have a firmware password set using smart groups?
Many thanks
Phill
Posted on 07-22-2013 07:31 AM
The answer is Yes and No.
For one, it partly depends on how your Macs are set up. For example, you would need either the Firmware Password Utility.app installed somewhere on the systems, or at the very least the setregproptool pulled from the above app's /Contents/Resources/ directory deployed to your Macs.
With one of those in place, you could have an Extension Attribute script that called the setregproptool binary to check the EFI firmware status. It returns 0 for set and I think 1 for un-set. Using that, you could return the result in your EA and build a Smart Group from there.
There's one problem with this approach that could affect your Smart Groups. The status of the firmware password (0 or 1) only gets properly updated after a reboot. Meaning, if you set the firmware password using the binary and the machine doesn't reboot, the status will still report as 1 or "not set", in which case those Macs will fall into (or out of) your Smart Group.
Just something to keep in mind. As far as I know there is no other way to check the status other than through the setregproptool, and the reboot is a necessity to have it update after it's been either set or un-set.
Posted on 07-22-2013 08:49 AM
There is an Extension Attribute found at https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=598 that does just what mm2270 described.
Posted on 08-06-2013 03:48 AM
Hi Both,
Apologies for the late response. Thank you for your comments, I'll give it a try now :)
Phill
Posted on 08-30-2013 03:13 PM
Hi,
I have tried the Extension Attribute and it still reports none for me even though I have a firmware password set with setregproptool. Where does setregproptool need to be located for the script to report back?
Posted on 09-11-2013 12:33 PM
I have tried the Extension Attribute, Casper reports my machines to be "Not Set". Yet, my machines have had firmware passwords set for years.
Just prior to adding this Extension Attribute, I placed "setregproptool" at /Library/Application Support/JAMF/bin/
Thoughts as to what I am missing?
Posted on 09-11-2013 01:15 PM
I just downloaded msblake's EA for this. If that's the one you guys are using, it doesn't have a full path to the setregproptool when it calls it.
This is what it looks like:
#!/bin/sh
# Calls setregproptool with no path, so it is only found if it happens to be on $PATH
setregproptool -c
# Exit status of -c: 0 = firmware password set, 1 = not set
result=$?
if [ "$result" = "0" ]; then
echo "<result>Set</result>"
else
echo "<result>Not Set</result>"
fi
I assume this would work if the setregproptool was located in /Library/Application Support/JAMF/bin/, but if you've placed it there and it's still not working, you may want to edit the script for the EA to just include the full path to the tool.
Edit to look like this instead:
#!/bin/sh
# Full path to the tool, quoted because of the space in "Application Support"
"/Library/Application Support/JAMF/bin/setregproptool" -c
# Exit status of -c: 0 = firmware password set, 1 = not set
result="$?"
if [ "$result" = "0" ]; then
echo "<result>Set</result>"
else
echo "<result>Not Set</result>"
fi
Also please remember that if a Mac has its firmware set using a script calling the setregproptool, it will not show as Set until a full reboot is done.
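Putting the two points from this thread together (the EA needs a full path to setregproptool, and the exit code of setregproptool -c is 0 for set and 1 for not set), here is an added example of an Extension Attribute script, written for this page and not taken from the thread or from Jamf. It searches a short list of candidate locations for the tool and reports a distinct "Tool Missing" value when none of them exists, so a Mac that simply lacks the binary does not silently land in the "Not Set" Smart Group. The /Library/Application Support/JAMF/bin/ path comes from the thread; the other candidate paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example EA script (not the thread's own EA). Reports the EFI firmware
# password status via setregproptool -c, and distinguishes "tool not found"
# from "password not set".

# find_tool: print the first argument that exists and is executable, or
# return 1 if none of the candidates is present.
find_tool() {
  for candidate in "$@"; do
    if [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# status_from_exit: map the exit status of "setregproptool -c" to an EA label.
# 0 means a firmware password is set, 1 means none is set; anything else is
# unexpected and reported as such rather than guessed.
status_from_exit() {
  case "$1" in
    0) printf 'Set' ;;
    1) printf 'Not Set' ;;
    *) printf 'Unknown (exit %s)' "$1" ;;
  esac
}

# check_firmware_password: run the tool given as $1 with -c and print the
# <result> XML the EA expects. Only the exit code carries the answer, so the
# tool's own output is discarded. Wrapped in "if" so a non-zero exit does not
# abort the script when it is run under "set -e".
check_firmware_password() {
  fw_tool="$1"
  if [ ! -x "$fw_tool" ]; then
    printf '<result>Tool Missing</result>\n'
    return 0
  fi
  if "$fw_tool" -c >/dev/null 2>&1; then
    fw_rc=0
  else
    fw_rc=$?
  fi
  printf '<result>%s</result>\n' "$(status_from_exit "$fw_rc")"
}

# Entry point for Jamf: resolve the tool from the candidate locations (the
# JAMF bin path is from the thread; the others are assumed) and print the
# result. The reported status only changes after the Mac has rebooted.
main() {
  if fw_tool_path="$(find_tool \
      "/Library/Application Support/JAMF/bin/setregproptool" \
      "/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool" \
      "/usr/local/bin/setregproptool")"; then
    check_firmware_password "$fw_tool_path"
  else
    printf '<result>Tool Missing</result>\n'
  fi
}

main
```

Paste the block as the EA script with the data type set to String; a Smart Group can then match on "Set", "Not Set" or "Tool Missing" separately, and the reboot caveat above still applies to the first two values.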