Firmware password smart group?

Noret
New Contributor

Hello all,

Is it possible to identify which Macs have a firmware password set using smart groups?

Many thanks

Phill

2 ACCEPTED SOLUTIONS

mm2270
Legendary Contributor III

The answer is Yes and No.

For one, it partly depends on how your Macs are set up. For example, you would need either the Firmware Password Utility.app installed somewhere on the systems, or at the very least the setregproptool pulled from the above app's /Contents/Resources/ directory deployed to your Macs.
With one of those in place, you could have an Extension Attribute script that called the setregproptool binary to check the EFI firmware status. It returns 0 for set and I think 1 for un-set. Using that, you could return the result in your EA and build a Smart Group from there.

There's one problem with this approach that could affect your Smart Groups. The status of the firmware password (0 or 1) only gets properly updated after a reboot. Meaning, if you set the firmware password using the binary and the machine doesn't reboot, the status will still report as 1 or "not set", in which case those Macs will fall into (or out of) your Smart Group.
Just something to keep in mind. As far as I know there is no other way to check the status other than through the setregproptool, and the reboot is a necessity to have it update after it's been either set or un-set.


mscottblake
Valued Contributor

There is an Extension Attribute found at https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=598 that does just what mm2270 described.


6 REPLIES

Noret
New Contributor

Hi Both,

Apologies for the late response. Thank you for your comments, I'll give it a try now :)

Phill

giang
New Contributor II

Hi,

I have tried the Extension Attribute and it still reports none for me even though I have a firmware password set with setregproptool. Where does setregproptool need to be located in order for the script to report back?

dmohs
Contributor

I have tried the Extension Attribute, Casper reports my machines to be "Not Set". Yet, my machines have had firmware passwords set for years.

Just prior to adding this Extension Attribute, I placed "setregproptool" at /Library/Application Support/JAMF/bin/

Thoughts as to what I am missing?

mm2270
Legendary Contributor III

I just downloaded msblake's EA for this. If that's the one you guys are using, it doesn't have a full path to the setregproptool when it calls it.
This is what it looks like:

#!/bin/sh

# As downloaded: the tool is called by bare name, so it is only found if it is on $PATH
setregproptool -c
result=$?

# setregproptool -c exits 0 when a firmware password is set
if [[ "$result" == "0" ]]; then
     echo "<result>Set</result>"
else
     echo "<result>Not Set</result>"
fi

I assume this would work if the setregproptool was located in /Library/Application Support/JAMF/bin/, but if you've placed it there and it's still not working, you may want to edit the script for the EA to just include the full path to the tool.

Edit to look like this instead:

#!/bin/sh

# Call the tool by its full path so the EA does not depend on $PATH
/Library/Application\ Support/JAMF/bin/setregproptool -c
result="$?"

# setregproptool -c exits 0 when a firmware password is set
if [[ "$result" == "0" ]]; then
     echo "<result>Set</result>"
else
     echo "<result>Not Set</result>"
fi

Also please remember that if a Mac has its firmware password set using a script calling the setregproptool, it will not show as Set until a full reboot is done.
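A variant of the EA discussed above, added here as an example and not the script from the thread or from the linked download: it looks for setregproptool in more than one location (the /Library/Application Support/JAMF/bin/ path from the thread plus an assumed location for a copied Firmware Password Utility.app), and reports a distinct "Tool Missing" value when the binary cannot be found, so that a Mac that could not actually be checked is not silently counted as "Not Set" in a Smart Group.

```shell
#!/bin/sh
# Added example (not the thread's EA). Candidate paths are assumptions;
# adjust them to wherever setregproptool is deployed in your environment.

# find_tool PATH... : print the first candidate that exists and is executable.
find_tool() {
  for p in "$@"; do
    if [ -x "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# firmware_status TOOL : run "TOOL -c" and map the outcome to an EA label.
# setregproptool -c exits 0 when a firmware password is set and non-zero
# when it is not; as noted in the thread, the value is only reliable after
# the Mac has rebooted since the password was last changed.
firmware_status() {
  tool="$1"
  if [ -z "$tool" ] || [ ! -x "$tool" ]; then
    echo "Tool Missing"          # cannot be checked; do not report "Not Set"
  elif "$tool" -c >/dev/null 2>&1; then
    echo "Set"
  else
    echo "Not Set"
  fi
}

# ea_result PATH... : the EA body proper, wrapped in the <result> tags Jamf expects.
ea_result() {
  tool="$(find_tool "$@")" || tool=""
  printf '<result>%s</result>\n' "$(firmware_status "$tool")"
}

ea_result "/Library/Application Support/JAMF/bin/setregproptool" \
  "/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool"
```

A Smart Group can then key on all three values, and a separate group on "Tool Missing" flags the deployment problem giang and dmohs describe instead of hiding it.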