Posted on 08-03-2023 07:46 AM
Hello Jamf Nation!
I work for an asset recovery company that regularly buys large lots of Apple equipment from schools, and as a result we are well versed in helping schools remove their devices from MDM and releasing them from ASM/ABM.
Lately we've been encountering issues from more than one school (system) where Macs are fully erased, but are locked with EFI firmware passwords and the IT departments 100% insist that they don't know what the password is. We know that EFI passwords can be deployed and removed via MDM, so we sent them links to Jamf documentation for managing EFI passwords in hopes of refreshing their memory and they still insist they know nothing. We asked them to check with any employees or volunteers who may have helped deploy these Macs and still nothing.
If this were one school system, we'd chalk it up to an unfortunate mistake, but we've received batches of Macs from different parts of the country with this exact same issue: no one in their technology departments knows what the passwords are, and they seem surprised to learn that the equipment is locked.
My question is: Has there been a recent change to Jamf or Mac management that could enable a firmware password on a fleet either by default, or otherwise without the admin knowing? Everything I've seen and read seems to indicate that an admin would have to either use built-in functionality to enable EFI passwords or deploy a script or package that configures it.
Posted on 08-03-2023 08:19 AM
Having worked in education environments, this is most likely a case where staff have set the firmware password themselves, left the district or received a replacement, and nobody knows the password. They aren't using their MDM to manage the firmware password so of course they are going to be surprised when one is set.
My suggestion is, if the firmware password has not been removed and they are unable to provide it, then value the MacBook the same way you would scrap. I've worked with very few vendors that provide a detailed checklist that includes checking for a firmware password before the sale, or else the device will be declined or lose value, if you're not doing that already.
To answer your question directly, there has been no change in MDM to enable this by default or without being configured previously by an admin.