Posted on 08-27-2012 10:00 PM
I have some new hardware that I need to set up with firmware passwords so people cannot boot from USB. I read through the Setting EFI Passwords on Mac Computers (Models Late 2010 or Later) article, but it doesn't say anything about using Casper Remote or Imaging to set the passwords once that file is located on the client, or whether it has to be done with a script.
Once that file is located on the client computers, what methods do I have to choose from when setting the firmware?
iMac Intel (27-inch, Mid 2011)
13-inch MacBook Pro (Mid 2012)
Posted on 08-28-2012 06:44 AM
I have a startup triggered policy that is scoped to machines that don't have an EFI Password set. It makes sure the setregproptool is on the machine and runs a script that looks something like this:
/Path/to/setregproptool -m command -p typeEFIPwdHere
I think the setregproptool has a man page that you can dig up more details/options.
Posted on 08-28-2012 08:52 AM
Hey Scott,
Once you put the setregproptool binary into the proper JAMF folder, you can set it via policy. Under the Accounts pane in a policy in the JSS there is a field to input the firmware password. It will be in a box in the bottom right corner of that pane in the policy you'd create in the JSS.
You can also obviously do it via a script as well, like previously mentioned.
Thanks,
Tom
Posted on 08-28-2012 12:08 PM
Great. That's what I was looking to hear. I just wanted to make sure that those built-in functions in Casper still worked.
I like the idea of a scoped script though.
Thanks!
Posted on 08-28-2012 02:10 PM
I didn't realize you could use the built-in JAMF stuff once you put the setregproptool in the right spot. Cool! I'll have to check that out.
You will still be able to scope the policy if you don't use a script. I just assumed that the JAMF option only worked for older models and that is why I went with the script.
Posted on 08-28-2012 02:31 PM
I used to do it via a script, and I put the setregproptool in the standard $PATH in my image, which was /usr/sbin for me. That way I could script changes later on if I needed to. I posted a tips and tricks article a while ago that is around here and of course we have the official JAMF KB article on it as well. You can pick whichever way you want to deploy firmware passwords. Obviously, putting passwords in scripts has a downside.
Cheers!
Tom
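An added example, not code from this thread or from JAMF: a policy script along the lines described above that leaves machines with an existing firmware password alone and takes the password from Casper script parameter 4 instead of hard-coding it in the script body. The function names and return codes are assumptions made for the example; `-c` is setregproptool's check flag (exit status 0 when a password is set, 1 otherwise).

```shell
#!/bin/sh
# Added example (not from the thread). Function names and return codes are
# assumptions; the /usr/sbin location is where Tom says he installs the tool.
TOOL="${SETREGPROPTOOL:-/usr/sbin/setregproptool}"

# setregproptool -c exits 0 when a firmware password is set, 1 otherwise.
efi_password_is_set() {
    "$TOOL" -c >/dev/null 2>&1
}

# ensure_efi_password <password>
#   0 = password set by this run, or one was already present (no change)
#   1 = setregproptool reported a failure
#   2 = no password supplied
#   3 = setregproptool missing or not executable
ensure_efi_password() {
    pw="${1:-}"
    if [ ! -x "$TOOL" ]; then
        echo "setregproptool not found at $TOOL" >&2
        return 3
    fi
    if efi_password_is_set; then
        echo "Firmware password already set; nothing to do."
        return 0
    fi
    if [ -z "$pw" ]; then
        echo "No firmware password supplied (expected in parameter 4)." >&2
        return 2
    fi
    # The password is never echoed or logged here. It is still visible in the
    # process list while the tool runs, and in the policy that supplies it.
    if ! "$TOOL" -m command -p "$pw" >/dev/null 2>&1; then
        echo "setregproptool failed to set the firmware password." >&2
        return 1
    fi
    echo "Firmware password set (command mode)."
    return 0
}

# Casper passes mount point, computer name and user name as $1-$3;
# parameter 4 is the first custom value set on the policy.
if [ -n "${4:-}" ]; then
    ensure_efi_password "$4"
fi
```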
Posted on 03-01-2013 07:57 AM
Brock from JAMF sent me this:
http://nbalonso.com/install-firmware-passwords/
It really helped :)
Thanks
Posted on 02-01-2016 01:35 PM
Hello:
You might want to take a look at our firmware_password_manager script, which allows management of the firmware password.
It's available in our GitHub repo here:
https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager
If you have any questions or problems, please let us know.