M1/M2 Recovery Lock management script

JCMBowman
New Contributor III

I took the great work that had already been done here: https://github.com/shbedev/jamf-recovery-lock and expanded on it to create a single-file command-line script that will allow you to supply a search parameter and it will return all Apple Silicon computers in your Jamf instance with names that match your search parameter. It has options for clearing or setting the Recovery Lock passcode, and you can specify the passcode to use or have it generate a random number.


Here's the link to it:
https://github.com/jcmbowman/jamf-scripts/blob/main/SetRecoveryLockJAMF.py

Before you use it you'll need to edit the script to supply your Jamf URL and a username and password that has access in Jamf to make API calls that can change the recovery lock. Since you're hardcoding your credentials into the script, make sure to store the script in a secure location. This script is only for administrator use and should never be deployed to end-user computers.

You will need Python3 installed, and also the Python 'requests' module - which can be installed by running 'python3 -m pip install requests'.

Run the script from the command line with -h as a flag to see usage:

usage: SetRecoveryLockJAMF.py [-h] [-p PASSCODE | -r [RANDOMPASSCODE]] SearchString

positional arguments:
  SearchString          String to use to search JAMF computer names

options:
  -h, --help            show this help message and exit
  -p PASSCODE, --Passcode PASSCODE
                        Specify Recovery Lock passcode (default is blank)
  -r [RANDOMPASSCODE], --RandomPasscode [RANDOMPASSCODE]
                        Generate a different random Recovery Lock passcode for each computer 
                        (default length is 20, specify a value for a different length)

So, for example, running "SetRecoveryLockJAMF.py 61249" will search for any Apple Silicon computer you have that has "61249" in the computer name, and then remove the Recovery Lock passcode on them. Running "SetRecoveryLockJAMF.py 61249 -p 1010101010101010" will find the same computer(s), but set the passcode to 1010101010101010. Running "SetRecoveryLockJAMF.py 61249 -r" will find the same computer(s), but set the passcode to a random 20-digit number.

I included output that will tell you what changes it's going to make to which computers and then prompts you whether you wish to proceed - so feel free to play around with it without worrying about causing any issues.

--

I'm not the best at Python yet, so please be gentle. I just wanted a way to clear the Recovery Lock on an entire computer lab all at once in order to wipe and re-image them when the time comes. If anybody has any suggested improvements I'd love to hear them.

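As an added example that is not part of the original post or the linked script: a sketch of the command-line interface described above that takes the Jamf URL and API account from environment variables instead of hardcoding them, and draws each random passcode from the OS CSPRNG via `secrets`. The variable names `JAMF_URL`, `JAMF_USER` and `JAMF_PASSWORD`, the function names and the computer names are assumptions, and no Jamf API call is made.

```python
import argparse
import os
import secrets

ENV_KEYS = ("JAMF_URL", "JAMF_USER", "JAMF_PASSWORD")  # hypothetical names


def build_parser():
    """Mirror the usage text in the post: -p and -r are mutually exclusive."""
    parser = argparse.ArgumentParser(prog="SetRecoveryLockJAMF.py")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-p", "--Passcode", default="",
                       help="Specify Recovery Lock passcode (default is blank)")
    group.add_argument("-r", "--RandomPasscode", nargs="?", type=int, const=20,
                       help="Random passcode per computer (default length 20)")
    parser.add_argument("SearchString",
                        help="String to use to search JAMF computer names")
    return parser


def random_passcode(length):
    """Numeric passcode from the OS CSPRNG (the random module is predictable)."""
    if length < 1:
        raise ValueError("passcode length must be at least 1")
    return "".join(secrets.choice("0123456789") for _ in range(length))


def load_credentials(env=os.environ):
    """Read the Jamf URL and API account from the environment, not the source."""
    missing = [key for key in ENV_KEYS if not env.get(key)]
    if missing:
        raise SystemExit("missing environment variables: " + ", ".join(missing))
    return tuple(env[key] for key in ENV_KEYS)


def plan_changes(args, computer_names):
    """Map each computer to its new passcode; an empty string clears the lock."""
    if args.RandomPasscode is not None:
        return {n: random_passcode(args.RandomPasscode) for n in computer_names}
    return {n: args.Passcode for n in computer_names}


if __name__ == "__main__":
    demo_args = build_parser().parse_args(["61249", "-r"])  # constructed argv
    names = ["LAB-61249-01", "LAB-61249-02"]  # constructed computer names
    for name, code in plan_changes(demo_args, names).items():
        print(f"{name}: set a {len(code)}-digit passcode")
```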