Solved

Setting Firmware Password

  • August 28, 2012
  • 7 replies
  • 33 views

mscottblake

I have some new hardware that I need to set up with firmware passwords so people cannot boot from USB. I read through the Setting EFI Passwords on Mac Computers (Models Late 2010 or Later) article, but it doesn't say anything about using Casper Remote or Imaging to set the passwords once that file is located on the client, or if it has to be done with a script.

Once that file is located on the client computers, what methods do I have to choose from when setting the firmware?

iMac Intel (27-inch, Mid 2011)
13-inch MacBook Pro (Mid 2012)

Best answer by frozenarse

I have a startup triggered policy that is scoped to machines that don't have an EFI Password set. It makes sure the setregproptool is on the machine and runs a script that looks something like this:

/Path/to/setregproptool -m command -p typeEFIPwdHere

I think the setregproptool has a man page where you can dig up more details/options.


  • Honored Contributor
  • August 28, 2012

Hey Scott,

Once you put the setregproptool binary into the proper JAMF folder, you can set it via policy. Under the Accounts pane in a policy in the JSS there is a field to input the firmware password. It will be in a box in the bottom right corner of that pane in the policy you'd create in the JSS.

You can also obviously do it via a script as well, like previously mentioned.

Thanks,
Tom


mscottblake
  • Author
  • Honored Contributor
  • August 28, 2012

Great. That's what I was looking to hear. I just wanted to make sure that those built-in functions in Casper still worked.

I like the idea of a scoped script though.

Thanks!


  • Contributor
  • August 28, 2012

I didn't realize you could use the built-in JAMF stuff once you put the setregproptool in the right spot. Cool! I'll have to check that out.

You will still be able to scope the policy if you don't use a script. I just assumed that the JAMF option only worked for older models and that is why I went with the script.


  • Honored Contributor
  • August 28, 2012

I used to do it via a script, and I put the setregproptool in the standard $PATH in my image, which was /usr/sbin for me. That way I could script changes later on if I needed to. I posted a tips and tricks article a while ago that is around here and of course we have the official JAMF KB article on it as well. You can pick whichever way you want to deploy firmware passwords. Obviously, putting passwords in scripts has a downside.

Cheers!

Tom
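
The scripted approach discussed in this thread, written out as an added example (not code from any poster or from JAMF). It assumes the tool's `-c` check flag, that the password is passed as Casper script parameter 4 rather than hard-coded in the script, and that `SETREGPROPTOOL` (a name chosen here) points at wherever the binary was deployed:

```shell
#!/bin/sh
# Added example: set a firmware password only when none is set yet.
# Assumptions (not from the thread): the password arrives as Casper script
# parameter 4 instead of being hard-coded, and SETREGPROPTOOL may be
# overridden to point at wherever the binary was deployed.
SETREGPROPTOOL="${SETREGPROPTOOL:-/usr/sbin/setregproptool}"

# Returns 0 if the password was set or one was already present,
# 2 on empty input, 3 if the tool is missing, 4 if the tool failed.
set_firmware_password() {
    new_pw="$1"
    if [ -z "$new_pw" ]; then
        echo "no firmware password supplied" >&2
        return 2
    fi
    if [ ! -x "$SETREGPROPTOOL" ]; then
        echo "setregproptool not found at $SETREGPROPTOOL" >&2
        return 3
    fi
    # -c exits 0 when a firmware password is already enabled.
    if "$SETREGPROPTOOL" -c; then
        echo "firmware password already set; nothing to do"
        return 0
    fi
    # "command" mode prompts only when a different boot device is chosen.
    # The password is still visible in the process list while this runs.
    if "$SETREGPROPTOOL" -m command -p "$new_pw"; then
        echo "firmware password set"
        return 0
    fi
    echo "setregproptool failed" >&2
    return 4
}

# Casper passes mount point, computer name and user as $1-$3; $4 is custom.
# Runs only when a fourth argument is present, so the file can be sourced.
if [ "$#" -ge 4 ]; then
    set_firmware_password "$4"
fi
```

Because the function checks the current state first, the policy can run on every startup without resetting a password that is already in place.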


  • Honored Contributor
  • March 1, 2013

Brock from JAMF sent me this:

http://nbalonso.com/install-firmware-passwords/

It really helped :)

Thanks


  • Contributor
  • February 1, 2016

Hello:

You might want to take a look at our firmware_password_manager script, which allows management of the firmware password.

It's available in our GitHub repo here:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

If you have any questions or problems, please let us know.