Removing EFI password via policy not working

steventhemacman
New Contributor III

Hi,

I set an EFI password via policy and it worked great. Now I need to re-image some machines and I would like to remove the EFI password for easier imaging. I figured all I had to do was create a policy, and under Accounts choose "Set EFI Password" and then choose "None". The policy fails and states that an EFI password is already set. Any help would be appreciated.

Thanks!


chris_kemp
Contributor III

As I understand it, you can't reset it that easily. The old way involved removing RAM from the machine, and I believe that newer machines require you to take them to Apple to have the EFI chip replaced.

steventhemacman
New Contributor III

I believe the RAM trick does not work anymore with the newer models (late 2010 and newer). I know the password, and I can remove it by running the below command via terminal on the machine no problem. Just want to know how to do it with policy or a script (I am not very good at scripts).

"/Library/Application Support/JAMF/bin/setregproptool" -d -o oldpassword

sgrall-pfg
Contributor

Hopefully you've taken a look at this: https://jamfnation.jamfsoftware.com/article.html?id=58

I tried to remove the EFI password recently using the method at that link, and I couldn't get it to work either. I had no trouble setting the password via policy, but it won't remove. I had to manually remove it, which isn't feasible for a large number of Macs.

mscottblake
Valued Contributor

"/Library/Application Support/JAMF/bin/setregproptool" -d -o oldpassword

Put this command in the Run field of a policy and it should work.

steventhemacman
New Contributor III

sgrall-pfg, I did see that link and tried it, and it does not work. I am having the exact same issue you are having. I can do it manually on a client machine, but sending the command out in the Run Command field does not work as suggested in the article and by mscottblake.

sgrall-pfg
Contributor

I reported this to my account representative. JAMF has replicated the issue, and marked it as a bug.

tlarkin
Honored Contributor

Hi Everyone,

To reset the EFI password you must provide the old password. I wrote up a small "How To" when the setregproptool first came about. I used to use postflight scripts after imaging to set the password, and my script included the old password, as changing it fails without it.

https://jamfnation.jamfsoftware.com/discussion.html?id=52

I hope this helps,

sgrall-pfg
Contributor

Tom, you're correct. The issue here is that I can't pass the password in scripts for security reasons, so scripting isn't a viable workaround for this bug.

Casper Remote and policies in JSS allow you to configure to remove the EFI password, and allow you to enter the EFI password to remove (as required by the newer Macs), but for whatever reason, the password is not sent in the command the JSS/Casper Remote sends on your behalf, and it returns "Error: EFI Password is already set."

For now, any machines that need to be re-imaged in my environment will have to have the EFI password manually removed by an authorized party first.

steventhemacman
New Contributor III

sgrall-pfg, thanks for submitting the bug. You are correct in your last post (as is Tom, thanks). We are in the same boat as you.

Thanks,

Steve

ClassicII
Contributor III

To be sure we are on the same page.

Doing this through Casper Remote under the Accounts tab:

Turning on firmware password = Works
Turning off firmware password = Does not work and is a current bug?

Also, it looks like setregproptool needs to be in the /jamf/bin folder?

tlarkin
Honored Contributor

Hi Everyone,

Here is our KB article on this subject, and yes you need to move the binary into the proper Application Support folder.

https://jamfnation.jamfsoftware.com/article.html?id=58

If you have any more questions or concerns, please contact your account manager. There is an open bug for this as well, as I just checked. There are scripting options that can be used, and I would be more than happy to help with that, but I understand that due to some policies at your place of employment that may not be allowed.

Thanks,
Tom

steventhemacman
New Contributor III

ClassicII, that is correct. We do have the setregproptool in the correct folder.

We may have to use Tom's solution (Thanks Tom), until it works the Casper way.

Thanks.

tlarkin
Honored Contributor

Just note that in the link I posted, I put the binary in /usr/sbin, so it was in my standard $PATH, and I used scripts to call it. I didn't use the Casper tools at the time because this new firmware had just come out, and there wasn't support for it.

If anyone has any scripting questions about this, please let me know. There are some practices we could explore to make sure the script runs in an "as secure as possible" workflow.

Thanks,
Tom
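As an added example, not code from this thread or from JAMF: a script of the kind Tom describes, which removes the firmware password with setregproptool but takes the current password from a Jamf script parameter ($4) stored in the policy instead of hard-coding it, and confirms the result with `setregproptool -c`. It assumes the binary sits at the path quoted above (the SETREGPROPTOOL override and the exit codes are my own constructions).

```shell
#!/bin/sh
# Added example, not from the thread. Removes the EFI/firmware password with
# setregproptool, taking the current password from Jamf script parameter $4
# so it lives in the JSS policy rather than in the script body.
# Assumption: the binary is at the path the thread names; SETREGPROPTOOL
# overrides it (used by tests). Exit codes below are constructed for this script.
SETREGPROPTOOL="${SETREGPROPTOOL:-/Library/Application Support/JAMF/bin/setregproptool}"

# setregproptool -c exits 0 when a firmware password is set, 1 when it is not.
efi_password_is_set() {
    "$SETREGPROPTOOL" -c >/dev/null 2>&1
}

# remove_efi_password <current_password>
# 0 = removed or none set, 2 = tool missing, 3 = removal refused, 4 = still set.
remove_efi_password() {
    if [ ! -x "$SETREGPROPTOOL" ]; then
        echo "setregproptool not found at $SETREGPROPTOOL" >&2
        return 2
    fi
    if ! efi_password_is_set; then
        echo "No firmware password set; nothing to do."
        return 0
    fi
    # -d deletes the password, -o supplies the current one (required on newer
    # Macs). The password goes straight to the binary and is never echoed.
    if ! "$SETREGPROPTOOL" -d -o "$1"; then
        echo "setregproptool refused to remove the firmware password" >&2
        return 3
    fi
    if efi_password_is_set; then
        echo "Firmware password still reported as set after removal" >&2
        return 4
    fi
    echo "Firmware password removed."
}

# Jamf passes mount point, computer name and username as $1-$3, then the
# policy's script parameters from $4 on. Only act when invoked that way.
if [ "$#" -ge 4 ]; then
    if [ -z "$4" ]; then
        echo "Script parameter 4 (current firmware password) is empty" >&2
        exit 1
    fi
    remove_efi_password "$4"
    exit $?
fi
```

The password still appears in the argument list of the setregproptool process while it runs, exactly as with the manual Terminal command, so this moves the secret out of the script file but does not hide it from a local process listing.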