Removing recovery lock password

MacJunior
Contributor III

is there a way to remove the recovery lock password on Apple Silicon Macs without unenrolling/erasing them?


jtrant
Valued Contributor

Apple's documentation doesn't list an explicit command to clear the Recovery Lock, but I'd imagine setting a blank password using the API would achieve this:

{
    "clientData": [
        {
            "managementId": "x",
            "clientType": "COMPUTER"
        }
    ],
    "commandData": {
        "commandType": "SET_RECOVERY_LOCK",
        "newPassword": ""
    }
}

You'll need the Modern API /preview/mdm/commands endpoint. The Management ID (not the same as computer GUID) is needed, and you can get a list from the /preview/computers endpoint. Remember to change the 'size' value to something more appropriate for your environment, or you'll only get a partial list of computers returned.

Ref: https://developer.apple.com/documentation/devicemanagement/set_recovery_lock_command

dep
New Contributor II

Yes, like @jtrant suggested, you can use this Python script and set the password to be blank.

michaelhusar
Contributor II

I tried using your script and for some reason it keeps saying that the target serial number is not found!
Have you encountered such a thing?

rhs615
New Contributor III

I'm having the same issue.

rhs615
New Contributor III

@MacJunior I figured out the issue. On line 61 in the script, the GET to the `/api/preview/computers?` endpoint is starting on Page 1 (meaning the 1001st computer). If you set it to Page = 0, it works!

rhs615
New Contributor III

Whoops - it’s line 42 in the original script.

You want to change from `$URL/api/preview/computers?page=1&page-size=1000` to `$URL/api/preview/computers?page=0&page-size=1000` instead.
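Putting jtrant's blank-password command and rhs615's page=0 fix together, here is an added example script (not dep's script and not Jamf's own code) that looks up a Mac's Management ID by serial number and sends SET_RECOVERY_LOCK with an empty password. It assumes JAMF_URL, JAMF_TOKEN and TARGET_SERIAL environment variables, and that the /api/preview/computers response carries a "results" list whose items have "serialNumber" and "managementId" fields; those field names are assumptions, not taken from the thread.

```python
"""Added example (not dep's script or Jamf's code): clear a Mac's Recovery Lock
via the Jamf Pro API. Assumes JAMF_URL, JAMF_TOKEN (bearer) and TARGET_SERIAL env
vars, and that /api/preview/computers returns "results" items carrying
"serialNumber" and "managementId" (field names assumed, not taken from the thread)."""
import json
import os
import urllib.request

PAGE_SIZE = 1000  # raise for larger fleets, or you only get a partial list back
# Constructed sample of an inventory response, used for offline checks only.
SAMPLE_INVENTORY = {"totalCount": 2, "results": [
    {"serialNumber": "C02CONSTRUCTED1", "managementId": "11111111-2222-3333-4444-555555555555"},
    {"serialNumber": "C02CONSTRUCTED2", "managementId": "66666666-7777-8888-9999-000000000000"},
]}

def computers_url(base_url, page=0, page_size=PAGE_SIZE):
    # Paging starts at 0; page=1 skips the first page_size computers entirely.
    return f"{base_url}/api/preview/computers?page={page}&page-size={page_size}"

def find_management_id(inventory, serial):
    """Return the Management ID (not the computer GUID) for a serial, or None."""
    for record in inventory.get("results", []):
        if record.get("serialNumber", "").upper() == serial.upper():
            return record.get("managementId")
    return None

def set_recovery_lock_payload(management_id, new_password=""):
    """SET_RECOVERY_LOCK command body; an empty newPassword clears the lock."""
    return {
        "clientData": [{"managementId": management_id, "clientType": "COMPUTER"}],
        "commandData": {"commandType": "SET_RECOVERY_LOCK", "newPassword": new_password},
    }

def api_call(url, token, body=None):
    """GET (no body) or POST (JSON body) against the Jamf Pro API with a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    base, token = os.environ["JAMF_URL"].rstrip("/"), os.environ["JAMF_TOKEN"]
    serial = os.environ["TARGET_SERIAL"]
    mgmt_id = find_management_id(api_call(computers_url(base), token), serial)
    if mgmt_id is None:
        raise SystemExit(f"{serial} not in the first {PAGE_SIZE} computers; check page/page-size")
    print(json.dumps(api_call(f"{base}/api/preview/mdm/commands", token,
                              set_recovery_lock_payload(mgmt_id)), indent=2))
```

After the command is accepted, the computer record should show Recovery Lock as Not Enabled, as GoingUndergroud reports below.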

GoingUndergroud
New Contributor III

Have just been down this road for a single computer using info from https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.ht... 

Since I was experimenting on just one computer I implemented using the API interface available at https://myjamfinstance.jamfcloud.com/api/doc/#/mdm

I found that posting the API command SET_RECOVERY_LOCK with a blank password for a computer does remove the password.

In addition, the computer shows as Recovery Lock: Not Enabled in Computers > Inventory > Security.

Note that at time of writing there is a typo in the example JSON payload provided in Jamf documentation at https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.ht... as shown below.

{
    "clientData": [
        {
            "managementId": "A9C3D1F0-DCB2-4D52-84C6-D5AD60140B04",
            "clientType": "COMPUTER"
        }
    ],
    "commandData": {
        "commandType": "SET_RECOVERY_LOCK",
        "newPassword": "password",
    }
}

`"password",` should not have the trailing comma.