I've been able to set the EFI password with the EFI Password portion of a policy. But now I need to remove the EFI password off of some machines.
Just pushing a policy with Security Level set to None fails...
Executing Policy Remove Firmware Password...
[STEP 1 of 1]
Removing EFI password...
Warning: Provided password is blank. EFI removal may not work depending on hardware.
Exception Encountered: The timeout was reached before the command finished executing.
Error: operation timed out
Then I've tried writing a 1 line script just calling the setregproptool
/Library/Application Support/JAMF/bin/setregproptool -d -o FIRMWAREPASSWORD
But that fails as well with....
[STEP 1 of 1]
Running script Remove Firmware Password...
Script exit code: 0
Script result: Error, invalid arguments.
setregproptool v 2.0 (9) Sep 9 2014
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.
Usage: setregproptool [-c] [-d [-o ]] [[-m -p ] -o ]
-c Check whether password is enabled.
Sets return status of 0 if set, 1 otherwise.
-d Delete current password/mode.
Requires current password on some machines.
-p Set password.
Requires current password on some machines.
-m Set security mode.
Requires current password on some machines.
Mode can be either "full" or "command".
Full mode requires entry of the password on
every boot, command mode only requires entry
of the password if the boot picker is invoked
to select a different boot device.
When enabling the Firmware Password for the first
time, both the password and mode must be provided.
Once the firmware password has been enabled, providing
the mode or password alone will change that parameter
only.
-o Old password.
Only required on certain machines to disable
or change password or mode. Optional, if not
provided the tool will prompt for the password.
If I try it just at the command line, it doesn't seem that it passes the firmware password because it'll prompt to enter the firmware password.
Any ideas or thoughts? Or am I hitting a wall with this?
