jamf setOFP in 10.6.8

tlarkin
Honored Contributor

Can anyone get this to work? I have a Macbook Air running 10.6.8 (shipped with 10.6.7) and I set the firmware password via script, and this is not working: the command actually goes through with no errors, but when I reboot holding the option key I don't get prompted for the password.

jamf setOFP -mode command -passhash passhash -password password

I guess I could do it via policy if that works, but doesn't the policy just call the jamf setOFP command?

Thoughts?

-Tom


tlarkin
Honored Contributor

Now to make it even more weird.....

nvram -p returns that the security mode is in fact command, but it still doesn't prompt me for a password when booting with the option key down.

Not applicable

JAMF is unable to set firmware passwords for all Macs models introduced in Late 2010 or later. In fact there is no way to override an existing firmware password without getting someone from Apple to help. This means setting an EFI password gets very tricky in general.

tlarkin
Honored Contributor

Ben,

You got a kbase on this? I am going to contact Enterprise support.

Thanks,

tom

tlarkin
Honored Contributor

I figured it out, this makes it three times now this week I have contacted our paid Apple Enterprise support and resolved the issue before they can even respond to me....time to probably cancel that plan and just do case by case when we actually need it.

So, the issue was that something changed....now typically in 10.6 off a retail installer DVD you could do this.

cd "/Volumes/Mac OS X Installer/Applications/Utilities/Firmware Password Utility/Contents/Resources"

then

sudo ./setregproptool -h
Password:
setregproptool v 2.0 (7) Oct 3 2010
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o ]] [[-m -p ] -o ]

-c Check whether password is enabled. Sets return status of 0 if set, 1 otherwise.

-d Delete current password/mode. Requires current password on some machines.

-p Set password. Requires current password on some machines.

-m Set security mode. Requires current password on some machines. Mode can be either "full" or "command". Full mode requires entry of the password on every boot, command mode only requires entry of the password if the boot picker is invoked to select a different boot device.

When enabling the Firmware Password for the first time, both the password and mode must be provided. Once the firmware password has been enabled, providing the mode or password alone will change that parameter only.

-o Old password. Only required on certain machines to disable or change password or mode. Optional, if not provided the tool will prompt for the password.

However, I don't have a new enough retail 10.6 DVD, the one I have is for 10.6.1, but I got a ton of these USB recovery images for our Macbook Airs. If you go into the package contents of the installer app off the USB stick, like this:

/Volumes/Mac OS X Install

You will see there is a MacOSX.dmg file in there. Copy it to your desktop via `cp MacOSX.dmg ~/Desktop` then once it copies you want to remove the hidden flag from it,

chflags nohidden ~/Desktop/MacOSX.dmg

Then you can mount it and navigate to the setregproptool binary and copy that into your OS base install image and you can now script the changing of firmware passwords.

-Tom

tlarkin
Honored Contributor

Just one caveat of this....Once you set the firmware password, to ever set it again you MUST use the -o option with the old password, so it goes like this:

setregproptool -m command -p mypassword -o oldpassword

If you do not do this in your scripts the binary stops everything and prompts for the current password. There is currently no way to force it to continue on error. So, once you image a machine and this command sets the firmware password, and for whatever reason you have to reimage it....the script that runs post image will halt. Since I have no-touch scripts that run all my configurations after booting, and finish with a shutdown at the end, a lot of things weren't getting added.

Once I figured this out, I just added the -o option to include the old password (same password for now) and it now does not halt the script and completes the rest of the configurations and imports users and MCX from file and sets the wireless network and such. It took me a few minutes to figure out why this was happening.

Also, a really great tool for debugging a script (in bash) is to run it via `sudo bash -x /path/to/script`; it will display every line of code as it executes, which is how I figured this out.

Just a FYI

-Tom
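An added example (not code from the original thread or from Jamf) that turns the procedure from Tom's two posts above into a reusable wrapper: it uses `setregproptool -c` to find out whether a firmware password is already enabled, passes `-o` only when one is, and redirects stdin from /dev/null so the tool can never sit at the "current password" prompt and halt a no-touch post-imaging script. The install path `/usr/local/sbin/setregproptool`, the variable names `FWPW_NEW`/`FWPW_OLD`/`FW_MODE`, and the `--apply` flag are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): wrap setregproptool so a
# post-imaging script can set or rotate the EFI firmware password without
# stalling at the "current password" prompt.
# Assumptions: SETREGPROPTOOL is the binary copied out of the recovery
# image; FW_MODE is "command" or "full"; passwords arrive in the
# environment (FWPW_NEW, FWPW_OLD) and are never echoed or logged.

SETREGPROPTOOL="${SETREGPROPTOOL:-/usr/local/sbin/setregproptool}"   # assumed install path
FW_MODE="${FW_MODE:-command}"

# Exit status 0 if a firmware password is already enabled, 1 otherwise
# (this is setregproptool -c's own convention). stdin is /dev/null so the
# tool can never block waiting for a terminal.
firmware_password_is_set() {
    "$SETREGPROPTOOL" -c </dev/null >/dev/null 2>&1
}

# Set mode and password. If a password is already enabled, -o is mandatory:
# without it the tool prompts interactively and a no-touch script halts.
# Returns 2 when a password is set but no old password was supplied, so the
# caller fails fast instead of hanging.
apply_firmware_password() {
    new_pw="$1"
    old_pw="${2:-}"
    if firmware_password_is_set; then
        if [ -z "$old_pw" ]; then
            echo "firmware password already set; FWPW_OLD is required" >&2
            return 2
        fi
        "$SETREGPROPTOOL" -m "$FW_MODE" -p "$new_pw" -o "$old_pw" </dev/null
    else
        # First-time enable: both mode and password must be given together.
        "$SETREGPROPTOOL" -m "$FW_MODE" -p "$new_pw" </dev/null
    fi
}

# Usage: FWPW_NEW=... [FWPW_OLD=...] sudo -E sh firmware_password.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_firmware_password "${FWPW_NEW:?set FWPW_NEW}" "${FWPW_OLD:-}"
    rc=$?
    echo "setregproptool exit status: $rc"
    exit "$rc"
fi
```

Running it with `bash -x`, as suggested above, shows exactly which branch was taken and which arguments reached the tool (with the passwords visible only in that trace, so keep trace output off in production). Because the only interactive path is cut off by the /dev/null redirect, a missing old password surfaces as a non-zero exit status in the post-imaging log rather than as a machine stuck at a prompt.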