Question

Pre-MacOS Boot Authentication Possible?



Got the EFI Firmware Password and FileVault 2 policies going recently for our Macs. Unfortunately one of the wants for management was to enable a pre-OS boot password. Essentially a form of multi-factor authentication via a secondary password/passphrase in case the user's local profile is compromised somehow.

Is there anything in JAMF that can do that? If not, any 3rd party software solutions out there?

RobertHammen
  • Esteemed Contributor
  • October 10, 2018

Desktops or laptops? You could do smart card enforcement for user login. So that anyone would require both the password (to unlock the disk at the FileVault preboot window), and the physical smart card/PIN to actually log in.

There's a JNUC 2018 session by @golbiga on Smart Card Enforcement that you'll want to attend, or watch once it's posted.


  • Valued Contributor
  • October 10, 2018

You could use a firmware password for this. The mode most people are familiar with is "command," where normal booting is allowed but a password is required to change the boot device. There is also "full" mode, which requires a password at each boot.

firmwarepasswd -setpasswd
firmwarepasswd -setmode full
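
Added example, not part of any post in this thread: a reporting script in the style of a Jamf extension attribute that tells "command" mode apart from "full" mode, so machines that still boot without a password prompt can be found. It assumes `firmwarepasswd -check` prints a `Password Enabled: Yes|No` line and `firmwarepasswd -mode` prints a `Mode: <name>` line; the function name and result labels are hypothetical.

```shell
#!/bin/sh
# Classify firmware password state from the text printed by
# `firmwarepasswd -check` ($1) and `firmwarepasswd -mode` ($2).
# Assumed output formats: "Password Enabled: Yes|No" and "Mode: <name>".
classify_firmware_state() {
    check_out=$1
    mode_out=$2

    case $check_out in
        *"Password Enabled: Yes"*) ;;                        # go on to the mode
        *"Password Enabled: No"*)  echo "no-password"; return 0 ;;
        *)                         echo "unknown";     return 0 ;;
    esac

    # Take the value from the first "Mode:" line only.
    mode=$(printf '%s\n' "$mode_out" | sed -n 's/^Mode:[[:space:]]*//p' | head -n 1)

    case $mode in
        full)    echo "full" ;;          # password required at every boot
        command) echo "command-only" ;;  # normal boot proceeds without a prompt
        *)       echo "unknown" ;;
    esac
}

# Query the local machine; firmwarepasswd needs root and exists only on macOS.
report_firmware_state() {
    if command -v firmwarepasswd >/dev/null 2>&1; then
        classify_firmware_state "$(firmwarepasswd -check 2>&1)" \
                                "$(firmwarepasswd -mode 2>&1)"
    else
        echo "unknown"
    fi
}

# Extension attributes report their value inside <result> tags.
echo "<result>$(report_firmware_state)</result>"
```
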

  • New Contributor
  • October 10, 2018

Mostly laptops but desktops spread out here and there also. Laptops are more the priority in case they get stolen and whatnot.

Full mode does sound like what I'm looking for but I don't see that option in my policy. Under the policy options I enabled the EFI Password, then the security level options are "none" or "command".

How would I go about enabling a policy and then scoping that out to computers? As an additional caveat, we also need to be able to remotely reset/change these firmware passwords when users leave the company and don't relay their firmware passwords to us.

