macOS Recovery Lock | Firmware Lock Question

JB1
New Contributor

Hello everyone,

I'm a new Mac JAMF admin at my organization and a first-time poster here. First off, I want to say thanks to the community, as I've already received lots of help perusing the forums for other questions I've had (that had previously been covered). I do have a question about firmware / Recovery Locks on M1 Macs.

Currently managing a fleet of around 700 Macs. I'll just state what our organization wants to happen, and maybe some of you have suggestions that I haven't thought of or found. I have orders from up top to try to lock down macOS so employees are unable to wipe it and bypass JAMF. There was some sort of incident, which has prompted this request. Ultimately, if a user is having a problem with their macOS device, we would like them to bring it to IT for a reimage to ensure the JAMF MDM profile is present. It was my understanding that a firmware password was previously used on Intel Macs, but this feature is not present on M1 Macs.

In my testing (macOS Monterey) on an M1-equipped device, I can currently choose "Erase All Content and Settings". This will reset the Mac. It then checks for Activation Lock and kicks me back into user account creation. At this point, I can disconnect the Mac from Wi-Fi / Ethernet, continue setting up the Mac, and bypass JAMF (MDM) enrollment.

In JAMF Pro, I have found options to disable "Erase All Content and Settings" and to disable the ability to turn off FileVault. This will remove the "easy" method for users to bypass MDM. The trickier part I'm finding is locking up Recovery mode, which would prevent a user from erasing the drive, reinstalling macOS, and setting it up from scratch.

The issue is that my organization currently allows the majority of its users to be local admins on these devices (this may change in the future but for now will remain the same). In certain situations they are bound to the domain, but again, the majority are local admins. So the issue I am running into is that one of our users can boot into Recovery, use their local admin credentials to unlock the FileVault-encrypted drive, wipe the device, and bypass MDM by disconnecting from Wi-Fi / Ethernet.

I'm searching for a way to lock Recovery mode so only IT can wipe the device, reinstall macOS, etc. Has anyone else come across this and found a solution? I'm still continuing to read threads and test, so if I do find a solution that meets our needs (prior to a comment) I'll update at that time. Thanks in advance for any help provided.

1 ACCEPTED SOLUTION

Tribruin
Valued Contributor

For M1 computers, you can set a Recovery Lock password via an API call:

Recovery Lock Enablement in macOS Using the Jamf Pro API - Technical Articles | Jamf

You can also enable it in your prestage: 

  • Recovery Lock functionality 

    You can set Recovery Lock for computers with Apple silicon (i.e., M1 chip) with macOS 11.5 or later during enrollment. Enabling this feature prevents access to macOS Recovery without a password, providing additional security for the computers in your environment. Jamf Pro allows you to create and store this password for each computer. You can view the information in the computer's inventory information. For more information about Recovery Lock, see Use macOS Recovery on a Mac with Apple silicon from Apple's macOS User Guide.

    You can select one of the following methods to configure the Recovery Lock password:

    • Manually enter a password that is applied to all computers in the scope of the PreStage

    • Enable Jamf Pro to generate a random password that is unique to each computer in the scope

      To enhance the security of the Recovery Lock password, you can configure Jamf Pro to generate a new, random Recovery Lock password 60 minutes after the password is viewed in a computer’s inventory information.


4 REPLIES

sdagley
Honored Contributor III

@JB1 Not quite what you're asking for exactly, but with macOS Ventura a Mac with a T2 security chip or an Apple Silicon processor that is in ABM/ASM, and has previously gone through Automated Device Enrollment, will not be able to go through the Setup Assistant process after an EACaS or device erase without a network connection.


taochunhua
New Contributor II

Hi @Tribruin, how can we generate a random password that is unique to each computer in the scope? Can we get a document or a brief, please? 😁

JB1
New Contributor

Hey @Tribruin,

Apologies for the delay in my response, as I wanted to do some testing. After referencing the first article you linked, I was eventually able to successfully deploy the firmware lock to an M1 Mac already in circulation. The JAMF API took some getting used to, and locating the ManagementID for the target device proved to be a challenge. Also, I found the "," after "password" in the script kept throwing errors. Once removed, all went flawlessly.

Thank you for pointing out the recovery lock feature in prestage enrollment. We were not aware that feature was tucked away there. We will be implementing this on all future deployments.

Thank you so much for your help! If I can be of assistance to anyone else trying to set this up feel free to chime in.
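The Recovery Lock flow from Tribruin's accepted answer (API token, management ID lookup, SET_RECOVERY_LOCK command), the two snags JB1 ran into (finding the management ID, a stray comma in the JSON body) and taochunhua's question about a random password unique to each computer, as one added example. It is not code from this thread or from Jamf's technical article. It assumes the Jamf Pro API endpoints `/api/v1/auth/token`, `/api/v1/computers-inventory` (GENERAL section with an RSQL `filter` on `general.serialNumber`) and `/api/preview/mdm/commands` with command type `SET_RECOVERY_LOCK` and field `newPassword`, as Jamf documents them; the server name, credentials, serial number, inventory sample and `fake_jamf_transport` responses are constructed placeholders so the script runs offline.

```python
"""Set a Recovery Lock password on an Apple silicon Mac via the Jamf Pro API.

Added example for this thread; not Jamf's script. Assumed endpoints (as Jamf
documents them): POST /api/v1/auth/token, GET /api/v1/computers-inventory
(section=GENERAL, RSQL filter on general.serialNumber) and
POST /api/preview/mdm/commands with commandType SET_RECOVERY_LOCK.
Server name, credentials, serial and the fake responses are placeholders.
"""
import base64
import json
import secrets
import string
import urllib.parse
import urllib.request

# Letters and digits only: nothing that needs escaping in JSON, a shell, or the Recovery UI.
ALPHABET = string.ascii_letters + string.digits

# Constructed sample of a computers-inventory GENERAL response (placeholder IDs).
SAMPLE_INVENTORY = json.dumps({"totalCount": 1, "results": [{
    "id": "42",
    "general": {"name": "mac-0042", "serialNumber": "C02TEST0001",
                "managementId": "8f1c2e4a-0000-4000-8000-000000000001"}}]})


def generate_recovery_lock_password(length: int = 24) -> str:
    """Random password unique to one device (what the PreStage 'random password' option does)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_set_recovery_lock_payload(management_id: str, password: str) -> dict:
    """Body for POST /api/preview/mdm/commands. Serialised with json.dumps later,
    so the trailing-comma mistake of a hand-written curl body cannot happen."""
    return {"clientData": [{"managementId": management_id}],
            "commandData": {"commandType": "SET_RECOVERY_LOCK", "newPassword": password}}


def extract_management_id(inventory_json: str, serial: str) -> str:
    """Find the managementId for one serial in a computers-inventory response."""
    for comp in json.loads(inventory_json).get("results", []):
        general = comp.get("general", {})
        if general.get("serialNumber", "").upper() == serial.upper() and general.get("managementId"):
            return general["managementId"]
    raise LookupError(f"no managed computer with serial {serial!r}")


def _http(req: urllib.request.Request):
    """Real transport: returns (status, body text). Swapped for a fake below and in tests."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def get_bearer_token(base_url: str, username: str, password: str, http=_http) -> str:
    """Exchange API-account basic auth for a short-lived bearer token."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/auth/token", method="POST", data=b"",
                                 headers={"Authorization": f"Basic {creds}", "Accept": "application/json"})
    status, body = http(req)
    if status != 200:
        raise RuntimeError(f"auth/token failed with HTTP {status}")
    return json.loads(body)["token"]


def set_recovery_lock(base_url: str, token: str, serial: str, new_password: str, http=_http) -> dict:
    """Look up the management ID for `serial`, then queue SET_RECOVERY_LOCK for that device."""
    base = base_url.rstrip("/")
    auth = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    query = urllib.parse.urlencode({"section": "GENERAL", "filter": f'general.serialNumber=="{serial}"'})
    status, body = http(urllib.request.Request(f"{base}/api/v1/computers-inventory?{query}", headers=auth))
    if status != 200:
        raise RuntimeError(f"inventory lookup failed with HTTP {status}")
    management_id = extract_management_id(body, serial)
    payload = json.dumps(build_set_recovery_lock_payload(management_id, new_password)).encode()
    req = urllib.request.Request(f"{base}/api/preview/mdm/commands", method="POST", data=payload,
                                 headers={**auth, "Content-Type": "application/json"})
    status, body = http(req)
    if status not in (200, 201):
        raise RuntimeError(f"mdm/commands failed with HTTP {status}: {body}")
    return {"managementId": management_id, "commandResponse": json.loads(body) if body else None}


def fake_jamf_transport(req: urllib.request.Request):
    """Constructed stand-in for _http so the whole flow runs offline. Not a Jamf server."""
    url, method = req.full_url, req.get_method()
    if url.endswith("/api/v1/auth/token") and method == "POST":
        return 200, json.dumps({"token": "fake-token", "expires": "2099-01-01T00:00:00Z"})
    if req.get_header("Authorization") != "Bearer fake-token":
        return 401, ""
    if "/api/v1/computers-inventory?" in url and method == "GET":
        return 200, SAMPLE_INVENTORY
    if url.endswith("/api/preview/mdm/commands") and method == "POST":
        json.loads(req.data)  # a real server rejects malformed JSON (e.g. a trailing comma) with 400
        return 201, json.dumps([{"id": "cmd-0001", "href": "/api/preview/mdm/commands/cmd-0001"}])
    return 404, ""


if __name__ == "__main__":
    base = "https://jamf.example.com"  # placeholder; pass http=_http with your real Jamf Pro URL
    token = get_bearer_token(base, "api-user", "api-password", http=fake_jamf_transport)
    pw = generate_recovery_lock_password()
    result = set_recovery_lock(base, token, "C02TEST0001", pw, http=fake_jamf_transport)
    print(f"SET_RECOVERY_LOCK queued for managementId {result['managementId']}")
```

Against a real server, drop the `http=fake_jamf_transport` arguments and the functions use `urllib` over HTTPS with the account's basic credentials. Record each generated password somewhere IT can retrieve it before the command is sent; the Recovery Lock password is what lets IT into Recovery on that Mac, so treat it like any other privileged secret and keep it out of shell history and logs.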