Jamf Nation Community

tlarkin · ‎12-05-2011

So, if you are missing the setOFP ability from the Casper Suite, and want to automate firmware passwords at either post image or in the field with scripts you can do so with this command. This is due to Apple changing the hardware and firmware on all Macs in late 2010 and newer models. The example I will give in this is that I am plugging in a USB OS X drive that shipped with our current Macbook Airs. I think the drives shipped with OS X 10.6.6 or 10.6.4. You always want to use the newest version of the tool you can, and so you want to grab it off the newest restore disk or USB drive (or I suppose if you download it via app store that works too).

So first thing is first is we need to mount the OS image of your USB stick. Open up terminal and type this command:

open /Volumes/Mac OS X Install/MacOSX.dmg

This will mount the disk image and you will now be able to view it's entire contents from the command line. Note that some files are hidden so doing this from terminal really is the easiest way.

Now that the install image is mounted lets take a look at the password reset utility for firmware. It is located here:

cd /Volumes/Mac OS X Install Image/Applications/Utilities/Firmware Password Utility.app/Contents/Resources

Once in this directory you will see setregproptool. This is the tool you use to set the firmware password from the command line:

bash-3.2# ./setregproptool -h
setregproptool v 2.0 (7) Oct  3 2010
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>]

    -c              Check whether password is enabled. 
                            Sets return status of 0 if set, 1 otherwise.
    -d              Delete current password/mode.
                            Requires current password on some machines.
    -p              Set password.
                            Requires current password on some machines.
    -m              Set security mode.
                            Requires current password on some machines.
                            Mode can be either "full" or "command".
                            Full mode requires entry of the password on
                            every boot, command mode only requires entry
                            of the password if the boot picker is invoked
                            to select a different boot device.

                    When enabling the Firmware Password for the first
                    time, both the password and mode must be provided.
                    Once the firmware password has been enabled, providing
                    the mode or password alone will change that parameter
                    only.

    -o              Old password.
                            Only required on certain machines to disable
                            or change password or mode. Optional, if not
                            provided the tool will prompt for the password.

Now if you want to copy that tool, you can do so by doing this, but we want to make sure we preserve the permissions here. Take a loot at the current permissions:

ls -al setregproptool 
-rwxr-xr-x  1 root  wheel  115696 Oct  3  2010 setregproptool

Now we will use cp with the -p switch to preserve everything:

cp -p setregproptool ~/Desktop/

and now to verify permissions/ownership were preserved:

ls -al ~/Desktop/setregproptool 
-rwxr-xr-x  1 root  wheel  115696 Oct  3  2010 /Users/tlarkin/Desktop/setregproptool

So, what I do is I copy this binary into the /usr/sbin directory of my OS image. So, now I can script setting the firmware password via post image shell scripts, or deploy a policy to reset it in the field.

Caveats I have found:

1 - anytime you modify or change the password you will be required to provide the old one. If you do not it will automatically go into interactive mode and halt your script and demand user input. So for example, in my script it looks like this, and remember I put the binary in /usr/sbin in my image so it is on all my Macs:

/usr/sbin/setregproptool -m command -p "newpassword" -o "oldpassword"

2 - if you clear the firmware password out, the binary states it will return a status of 0 when using the -c switch to check if firmware is enabled or not. If you clear it, it will not return 1 (disabled status) until you reboot the client. I tried getting fancy with my scripting and had it check status first then run a command based on if it was enabled or not.

3 - Software update WILL NOT update this binary. You must always pull the newest one out of the newest retail disk or recovery DVD/USB drive and use it. If you are on 10.7 this shouldn't be an issue since you can always pull down the newest build from the app store.

Hope this helps you guys. It is also present in 10.7 confirmed but but not tested by me personally.

tlarkin · ‎12-05-2011

Note that it is cutting off some of my code on the above post. The file location for the tool is located here:

/Volumes/Mac OS X Install Image/Applications/Utilities/Firmware Password Utility.app/Contents/Resources

entdev · ‎07-25-2013

Thank you. This solved the firmware password issue for me on an older install of Casper.

dgreening · ‎09-27-2013

I whipped up a small script which we use in Casper to set the firmware password on the 2011+ Macs. It checks to see if a firmware password is set using setregproptool, and then based on the results either echos a message that the password is set, or sets the password and echos a message to that effect:

#!/bin/bash

/Library/Application Support/JAMF/bin/setregproptool -c

if [ $? == 0 ] ; then echo "BPS 2011+ firmware password set, exiting."

exit 0 else echo "BPS 2011+ firmware password not set, setting firmware password and exiting."

/Library/Application Support/JAMF/bin/setregproptool -m command -p "password"

fi

exit 0

The reason I wrote this is that when using deploystudio to reimage machines, after flushing the policy logs and re-executing any policies post imaging, the post imaging workflow would hang if the password was already set. This bit of checking fixed that issue. Enjoy!

krichterjr · ‎09-27-2013

When I run the command below I never seem to get it to return anything. Has anyone else seen this?

/Library/Application Support/JAMF/bin/setregproptool -c

tlarkin · ‎09-27-2013

I whipped up a small script which we use in Casper to set the firmware password on the 2011+ Macs. It checks to see if a firmware password is set using setregproptool, and then based on the results either echos a message that the password is set, or sets the password and echos a message to that effect: #!/bin/bash /Library/Application Support/JAMF/bin/setregproptool -c if [ $? == 0 ] ; then echo "BPS 2011+ firmware password set, exiting." exit 0 else echo "BPS 2011+ firmware password not set, setting firmware password and exiting." /Library/Application Support/JAMF/bin/setregproptool -m command -p "password" fi exit 0 The reason I wrote this is that when using deploystudio to reimage machines, after flushing the policy logs and re-executing any policies post imaging, the post imaging workflow would hang if the password was already set. This bit of checking fixed that issue. Enjoy!

Hey Daniel,

Thanks for the script. Unless the binary has changed, in my experience the -c switch will not display the proper status once changed, unless the client reboots. Of course this was the case about a year ago, so not sure if it has changed. Good to know it is working for you.

When I run the command below I never seem to get it to return anything. Has anyone else seen this? /Library/Application Support/JAMF/bin/setregproptool -c

Hey Kenny,

This is an Apple owned binary, so you must manually copy it from an OS X installer image file/app. If you copy the binary from the InstallerESD.DMG file into the JAMF Application Support Folder path, you can then run the command like so.

In my example above I just copied the binary to the standard $PATH so I could call it in scripts and policies with out having to put in the long file path.

I hope this helps.

Thanks,
Tom

krichterjr · ‎09-30-2013

Hi Tom,

Yes, I have the binary (version v 2.0 (9) Jun 20 2012) in the /Library/Application Support/JAMF/bin/ folder. I've created scripts based off your original post to be able to enable and disable the firmware and those all work. For some reason I never get any output from the -c.

mm2270 · ‎09-30-2013

As far as I know, it is still the case that a reboot is required for the exit status of setregproptool -c to show accurate information. It would be great if this wasn't the case, but it still is, so any EA trying to capture that will only be accurate if a reboot was done after setting a FW password.
We run into a similar issue here. FW passwords are set at imaging time, but occasionally a tech unsets one and forgets to put it back and we try to round those up, but again, its hard to really know if what we see in our EA is true.

@krichterjr - are you running the above command as root? Since /Library/Application Support/JAMF/bin/ is a protected folder. only root can access anything in it. Even if it wasn't protected, setregproptool requires sudo or root to even give any output.

Edit: Also, you don't see the status after running the command. Only by using $? do you see it. So you could run something like this. If it still isn't showing 1 or 0 after this, then I don't know..

sudo /Library/Application Support/JAMF/bin/setregproptool -c; echo $?

krichterjr · ‎09-30-2013

@mm2270
That is exactly what it needed was echo $?. I'm not familiar with the $? and didn't see anything in the man page so I assumed I was missing something.

I have been running as root and am aware of the reboot. Everything else has been working so it was just that one command.

Thanks once again!

tlarkin · ‎09-30-2013

That is exactly what it needed was echo $?. I'm not familiar with the $? and didn't see anything in the man page so I assumed I was missing something. I have been running as root and am aware of the reboot. Everything else has been working so it was just that one command. Thanks once again!

Oops! I misread what you were asking. I am sorry for any confusion. The $? is a built in bash function that prints the exit status of the last binary ran. The -c switch will write either a 1 or a 0 to that binary's exit status depending on the outcome.

So for example:

bash-3.2$ grep "some_string" ~/Desktop/test.txt 
bash-3.2$ echo $?
1
bash-3.2$

This is a failure, because it did not find any strings named, "some_string." Now, if grep returns a successful match for a string it will return 0.

bash-3.2$ grep "test" ~/Desktop/test.txt 
test
bash-3.2$ echo $?
0

So, all that -c switch does is write the proper exit status. Last year at the JNUC Miles and I did a presentation on shell scripting and we went over exit statuses. When you are putting logic together to test for conditions you may want to have your script exit if those conditions aren't met. You can even go further and write custom exit codes and error messages to a log file. Basically, exit status 0 is success, everything else a fail.

Hopefully this better explains it.

Thanks,
Tom

krichterjr · ‎09-30-2013

Thanks for the further explanation. I learn something new everyday from this forum. :)

This will be my first JNUC and I will for sure attending one of the scripting sessions.

dgreening · ‎09-30-2013

The script which I wrote was mainly to stop my DeployStudio workflows from hanging, post flush of policies and upon re-execute of the firmware password application policy, which is set to "Once per computer". It works fine for the initial application of the firmware password to machines which do not have it as well. As it is only set to run "Once per computer", not having a reboot is not a problem for machines which don't have the password set in the first place. I will be writing an extension attribute to check the status of the firmware password, so I may need to re-work it a bit to ensure a reboot has happened and that I'm not getting false results due to the lack of reboot.

tlarkin · ‎09-30-2013

Daniel,

Yup I had the same hang ups when mass imaging Macbook Airs a couple years ago. If a password was already set, the setregproptool automatically goes into interactive mode, which will hang any imaging/workflow process since it requires human interaction. Unless you put the old password in the command to overwrite it. So, my answer was to always overwrite it, which may not be the best of workflows but I was no longer getting those hangs in my imaging process.

I wish there was more logic built into that binary to give more accurate results. Even if it would just post a state that simply read, "needs to be rebooted to apply changes," would be extremely helpful. When you get your EA working I would love to see it, and I am sure it would help a lot of people in the community.

Thanks for the further explanation. I learn something new everyday from this forum. :) This will be my first JNUC and I will for sure attending one of the scripting sessions.

That is great! We do have two scripting keynotes this year, but I Miles and I are not doing them this year. They are great ways to learn new things and also a great way to polish up some old skills. I will see you there though!

-Tom

jomo · ‎12-28-2013

Hi guys,

just a short note from here. I just tested a variety of ways to set the Firmware-Password on a MacBook Pro 13" Mid 2012 with OS X Mavericks 10.9.1 installed on it.

Every way i tested it from what i found here in jamfnation and elsewhere..... it just didn't work.

./setregproptool –p newpassword
Error, invalid arguments.

./setregproptool –p newpassword -m command
Error, invalid arguments.

./setregproptool -o -m command –p newpassword
Error, invalid arguments.

./setregproptool -m "command" –p newpassword
Error, invalid arguments.

anyways....i figured out what worked for me:

./setregproptool -m command -p 'newpassword'

so, after all it locks like 10.9 does not like "" or nothing....it likes '' to masquerade the password.

franton · ‎12-28-2013

I ended up scripting this: https://github.com/franton/Set-EFI-Password

jomo · ‎12-28-2013

thanks @franton , did you try this script with OS X 10.9.1? It is not working for me either....like the other script too:

localhost:~ support$ sudo jamf policy -trigger set-firmware-password
Checking for policies triggered by "set-firmware-password"...
Executing Policy CFG_Set Firmware Password...
Running script SetEFIpw.sh...
Script exit code: 1
Script result: Error: Missing security mode in policy. e.g. full

Submitting log to https://jss.customer.de:8443/
localhost:~ support$

There must be any formatting-issue....if i run the command local in terminal - everything works fine. But not through a policy...

franton · ‎12-28-2013

How did you call it via policy? It's very picky as to the parameters you have to pass to it. The error message in the log file indicates this.

jomo · ‎12-28-2013

I am running a 9.22 JSS and the Computer is a 2012 MBPro with 10.9.1

After downloading your script i copied the content into a new Script and labeled the Variables as described:
$4 = operatingmode
$5 = newpassword
$6 = oldpassword
$7 = securitymode

Then i created a policy with this script and filled the variables with:

$4 = initial
$5 = mypassword
$6 =
$7 = command

The result in my former post. The computer has no EFI-Password set already.

franton · ‎12-28-2013

You got it right (I think, i'm nowhere near the office right now). In answer to your question, yes i've had this work on my 10.9.1 test computer.

I would assume there's something up with your computer at this point.

jomo · ‎12-28-2013

hmmm...just tried it on another computer....in another network, managed by another JSS - new iMac - JSS 9.22, Mavericks 10.9.1

always the same error....

jomo · ‎12-28-2013

Here the result:

computer-05:~ ladmin$ sudo jamf policy -trigger set-firmware-password

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
Checking for policies triggered by "set-firmware-password"...
Executing Policy CFG_Set Firmware Password...
Running script 109_SetFirmwarePassword...
Script exit code: 0
Script result: /Library/BAF/Apps/Firmware Password Utility.app/Contents/Resources/setregproptool -m command –p mypasswd
Error, invalid arguments.

tlarkin · ‎01-02-2014

Hey Jomo,

I hope you had a great new years. When you are trying to deploy this, where is the setregproptool located? Also, did you copy a new version for a 10.9 installer?

Thanks,
Tom

jomo · ‎01-03-2014

Hi Tom,

yes - i did copy it from the 10.9 Installer and located it here:

/Library/BAF/Apps/Firmware Password Utility.app/Contents/Resources/setregproptool

As far as i could see, the Version is the same for 10.9 and 10.9.1; i used the one from 10.9 in this case

tlarkin · ‎01-03-2014

Hi Jomo,

Unfortunately I have not tested this with 10.9 yet. If you execute the tool with the -h switch does it display the same help page? I posted this article a few years ago when it first came out for OS 10.6. I know in 10.7 and 10.8 the syntax was the same. I just would like to verify that is the case in version 9.

Thanks,
Tom

joelreid · ‎01-17-2014

"Error, invalid arguments."
Any luck?

We cannot get a MacBookAir6,1 running 10.9.1 to take a password with setregproptool at all...
tried the "Aug 24 2013" version from inside its Mavericks installer app, tried the "Jun 20 2012" version from the factory Recovery HD, tried this syntax and that... no dice.

ndudley · ‎01-29-2014

Has anyone had any luck with this on 10.9?

I cant seem to get my Iris Retinas to set a Firmware Password.

smurf729 · ‎02-10-2014

I am on 10.9 and my computer has the six digit passcode. I am firmiliar with the terminal but how do i get to it with the firmware passcode locked

rmaldonado · ‎01-22-2015

Does anyone here know if this would work on a 10.10 machine? I know it uses the new binary "firmwarepasswd" but I was wondering if anyone has tried copying the setregproptool to a 10.10 machine and scripting this

uurazzle · ‎02-02-2016

Hello:

You might want to take a look at our firmware_password_manager script which allows management of firmware password.

Its available in our github repo here:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

If you have any questions or problems, please let us know.

Jamf Nation Community

Tips and Tricks: setregproptool