Posted on 11-06-2021 02:04 AM
Is there a way to remove the recovery lock password on Apple Silicon Macs without unenrolling/erasing them?
11-08-2021 06:52 AM - edited 11-08-2021 06:55 AM
Apple's documentation doesn't list an explicit command to clear the Recovery Lock, but I'd imagine setting a blank password using the API would achieve this:
```json
{
  "clientData": [
    {
      "managementId": "x",
      "clientType": "COMPUTER"
    }
  ],
  "commandData": {
    "commandType": "SET_RECOVERY_LOCK",
    "newPassword": ""
  }
}
```
You'll need the Modern API /preview/mdm/commands endpoint. The Management ID (not the same as computer GUID) is needed, and you can get a list from the /preview/computers endpoint. Remember to change the 'size' value to something more appropriate for your environment, or you'll only get a partial list of computers returned.
Ref: https://developer.apple.com/documentation/devicemanagement/set_recovery_lock_command
01-23-2022 01:01 PM - edited 02-06-2022 06:23 AM
Posted on 08-30-2022 01:46 AM
Here is our bash script using jq: https://gist.github.com/ExperimentalHeaven/09eeafa1122dd4bbac30cb9b91309b52
Posted on 10-16-2022 12:43 AM
I tried using your script and for some reason it keeps saying that the target serial number is not found!
Have you encountered such a thing?
Posted on 06-19-2023 11:20 AM
I'm having the same issue.
Posted on 06-19-2023 11:26 AM
@MacJunior I figured out the issue. On line 61 in the script, the GET to the `/api/preview/computers?` endpoint is starting on Page 1 (meaning the 1001st computer). If you set it to Page = 0, it works!
Posted on 06-20-2023 04:54 AM
Whoops - it’s line 42 in the original script.
You want to change from `$URL/api/preview/computers?page=1&page-size=1000` to `$URL/api/preview/computers?page=0&page-size=1000` instead.
10-19-2022 07:01 AM - edited 10-19-2022 07:03 AM
Have just been down this road for a single computer using info from https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.ht...
Since I was experimenting on just one computer I implemented using the API interface available at https://myjamfinstance.jamfcloud.com/api/doc/#/mdm
I found that posting the API command SET_RECOVERY_LOCK with a blank password for a computer does remove the password.
In addition, the computer shows as Recovery Lock: Not Enabled in Computers > Inventory > Security.
Note that at time of writing there is a typo in the example JSON payload provided in Jamf documentation at https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.ht... as shown below.
```json
{
  "clientData": [
    {
      "managementId": "A9C3D1F0-DCB2-4D52-84C6-D5AD60140B04",
      "clientType": "COMPUTER"
    }
  ],
  "commandData": {
    "commandType": "SET_RECOVERY_LOCK",
    "newPassword": "password",
  }
}
```
"password", should not have the trailing comma.
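Added example, not from any post in this thread or from Jamf: the Management ID lookup and command payload discussed above, with paging that starts at page 0 and a JSON body produced by a serializer so no trailing comma can slip in. `fetch_page`, the in-memory inventory, and the response keys `results`, `serialNumber` and `managementId` are assumptions; no network call is made.

```python
import json

PAGE_SIZE = 1000  # same page-size the thread's URL uses


def find_management_id(fetch_page, serial, page_size=PAGE_SIZE):
    """Walk /api/preview/computers from page 0 until `serial` is found.

    fetch_page(page, page_size) is a hypothetical callable that performs the
    authenticated GET and returns the decoded JSON body. The keys "results",
    "serialNumber" and "managementId" are assumptions about that body.
    """
    page = 0  # zero-indexed: starting at 1 skips the first page_size records
    while True:
        results = fetch_page(page, page_size).get("results", [])
        for computer in results:
            if (computer.get("serialNumber") or "").upper() == serial.upper():
                return computer["managementId"]
        if len(results) < page_size:
            return None  # short or empty page: the whole inventory was walked
        page += 1


def recovery_lock_payload(management_id, new_password=""):
    """Body for POST /api/preview/mdm/commands; "" is the blank password."""
    if not management_id:
        raise ValueError("managementId is required (not the computer GUID)")
    payload = {
        "clientData": [{"managementId": management_id, "clientType": "COMPUTER"}],
        "commandData": {"commandType": "SET_RECOVERY_LOCK",
                        "newPassword": new_password},
    }
    return json.dumps(payload, indent=2)  # serializer emits no trailing comma


# Constructed inventory of 2500 records, served from memory (not real devices).
FAKE_INVENTORY = [{"serialNumber": f"C02TEST{i:04d}", "managementId": f"mgmt-{i:04d}"}
                  for i in range(2500)]


def fake_fetch_page(page, page_size):
    start = page * page_size
    return {"results": FAKE_INVENTORY[start:start + page_size]}


if __name__ == "__main__":
    mid = find_management_id(fake_fetch_page, "C02TEST0007")
    print(recovery_lock_payload(mid))
```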