Posted on 10-10-2018 10:10 AM
Got the EFI Firmware Password and FileVault 2 policies going recently for our Macs. Unfortunately one of the wants for management was to enable a pre-OS boot password. Essentially a form of multi-factor authentication via a secondary password/passphrase in case the user's local profile is compromised somehow.
Is there anything in JAMF that can do that? If not, any 3rd party software solutions out there?
Posted on 10-10-2018 10:38 AM
Desktops or laptops? You could do smart card enforcement for user login. So that anyone would require both the password (to unlock the disk at the FileVault preboot window), and the physical smart card/PIN to actually log in.
There's a JNUC 2018 session by @golbiga on Smart Card Enforcement that you'll want to attend, or watch once it's posted.
Posted on 10-10-2018 11:03 AM
You could use a firmware password for this. The mode most people are familiar with is "command," where normal booting is allowed but a password is required to change the boot device. There is also "full" mode, which requires a password at each boot.
firmwarepasswd -setpasswd
firmwarepasswd -setmode full
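As an added example (not code from the thread or from Jamf), here is a small POSIX shell script that reports which firmware-password mode a Mac is actually in, in the `<result>...</result>` form a Jamf extension attribute expects, and checks it against a required mode. It assumes `firmwarepasswd -check` prints a line of the form `Password Enabled: Yes|No` and `firmwarepasswd -mode` prints `Mode: command|full`; those output strings are taken from memory of the tool, not from this page, so treat them as assumptions and confirm them on one machine first. The parsing is separated from the live query so it can be exercised with constructed sample output on any system.

```shell
#!/bin/sh
# Added example, not from the original thread. Reports the firmware password
# state ("none", "command", "full" or "unknown") and checks it against a
# required mode. ASSUMED output formats (not quoted on the page):
#   firmwarepasswd -check  ->  "Password Enabled: Yes" / "Password Enabled: No"
#   firmwarepasswd -mode   ->  "Mode: command" / "Mode: full"

# Reduce the two command outputs to one word: none | command | full | unknown
fw_state() {
    check_out="$1"   # text captured from: firmwarepasswd -check
    mode_out="$2"    # text captured from: firmwarepasswd -mode
    enabled=$(printf '%s\n' "$check_out" | sed -n 's/^Password Enabled: *//p' | tr 'A-Z' 'a-z')
    mode=$(printf '%s\n' "$mode_out" | sed -n 's/^Mode: *//p' | tr 'A-Z' 'a-z')
    case "$enabled" in
        no)  echo "none" ;;
        yes)
            case "$mode" in
                command|full) echo "$mode" ;;
                *)            echo "unknown" ;;
            esac ;;
        *)   echo "unknown" ;;
    esac
}

# Exit status 0 when the observed state satisfies the required mode.
# "full" (password at every boot) is stricter than "command", so a machine in
# full mode also satisfies a "command" requirement; the reverse does not hold.
fw_meets_policy() {
    observed="$1"
    required="$2"
    case "$required" in
        command) [ "$observed" = "command" ] || [ "$observed" = "full" ] ;;
        full)    [ "$observed" = "full" ] ;;
        none)    return 0 ;;
        *)       return 2 ;;   # unrecognised requirement
    esac
}

# Constructed sample output, used to show the parser without touching firmware.
SAMPLE_CHECK="Password Enabled: Yes"
SAMPLE_MODE="Mode: command"

# Live query, only where the tool exists (macOS; needs root to read the state).
if command -v firmwarepasswd >/dev/null 2>&1; then
    state=$(fw_state "$(firmwarepasswd -check 2>/dev/null)" "$(firmwarepasswd -mode 2>/dev/null)")
else
    state=$(fw_state "$SAMPLE_CHECK" "$SAMPLE_MODE")
fi

# Jamf extension attribute result format.
echo "<result>$state</result>"
```

Run as root on the Mac for a real reading; anywhere else it falls back to the constructed sample and prints `<result>command</result>`. Pairing the reported value with a smart group on the result is the usual way to find machines that a "full" requirement has not reached yet.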
Posted on 10-10-2018 11:22 AM
Mostly laptops but desktops spread out here and there also. Laptops are more the priority in case they get stolen and whatnot.
Full mode does sound like what I'm looking for but I don't see that option in my policy. Under the policy options I enabled the EFI Password, then the security level options are "none" or "command".
How would I go about enabling a policy and then scoping that out to computers? As an additional caveat, we also need to be able to remotely reset/change these firmware passwords when users leave the company and don't relay their firmware passwords to us.