Removing EFI password via policy not working

As I understand it, you can't reset it that easily. The old way involved removing RAM from the machine, and I believe that newer machines require you to take them to Apple to have the EFI chip replaced.

I believe the RAM trick does not work anymore with the newer models (late 2010 and newer). I know the password, and I can remove it by running the below command via terminal on the machine no problem. Just want to know how to do it with policy or a script (I am not very good at scripts).

/Library/Application Support/JAMF/bin/setregproptool –d –o oldpassword

Hopefully you've taken a look at this: https://jamfnation.jamfsoftware.com/article.html?id=58

I tried to remove the EFI password recently using the method at that link, and I couldn't get it to work either. I had no trouble setting the password via policy, but it won't remove. I had to manually remove it, which isn't feasible for a large number of Macs.

/Library/Application Support/JAMF/bin/setregproptool –d –o oldpassword

Put this command in the Run field of a policy and it should work.

Sgrall-pfg, I did see that link and tried it and it does not work. I am having the exact same issue you are having. I can do it manually on a client machine, but sending the command out in the Run Command field does not work as suggested in the article and by msblake.

I reported this to my account representative. JAMF has replicated the issue, and marked it as a bug.

Hi Everyone,

To reset the EFI password you must provide the old password. I wrote up a small "How To," when the setregproptool first came about. I used to use postflight scripts after imaging to set the password, and my script included the old password, as changing it fails with out it.

https://jamfnation.jamfsoftware.com/discussion.html?id=52

I hope this helps,

Tom, you're correct. The issue here is that I can't pass the password in scripts for security reasons, so scripting isn't a viable workaround for this bug.

Casper Remote and policies in JSS allow you to configure to remove the EFI password, and allow you to enter the EFI password to remove (as required by the newer Macs), but for whatever reason, the password is not sent in the command the JSS/Casper Remote sends on your behalf, and it returns "Error: EFI Password is already set."

For now, any machines that need to be re-imaged in my environment will have to have the EFI password manually removed by an authorized party first.

sgrall-pfg, thanks for submitting the bug. You are correct in your last post (as is Tom, thanks). We are in the same boat as you.

Thanks,

Steve

To be sure we are on the same page.

Doing this through casper remote under the accounts tab:

Turning on firmware password = Works
Turning off firmware password = Does not work and is a current bug?

Also it looks like setregproptool needs to be in the /jamf/bin folder ?

Hi Everyone,

Here is our KB article on this subject, and yes you need to move the binary into the proper Application Support folder.

https://jamfnation.jamfsoftware.com/article.html?id=58

If you have anymore questions or concerns please contact your account manager. There is an open bug for this as well, as I just checked. There are scripting options that can be used, and I would be more than happy to help with that, but I understand due to some policies at your place of employment that may not be allowed.

Thanks,
Tom

ClassicII, that is correct. We do have the setregproptool in the correct folder.

We may have to use Tom's solution (Thanks Tom), until it works the Casper way.

Thanks.

Just note that in my link I posted, I put the binary in /usr/sbin, so it was in my standard $PATH, and I used scripts to call it. I didn't use the Casper Tools at the time because this new firmware had just came out, and there wasn't support for it.

If anyone has any scripting questions with this, please let me know. There are some practices we could explore to make sure the script runs in an 'as secure as possible,' work flow.

Thanks,
Tom