Posted on 11-02-2023 08:47 AM
We have encountered a situation with a company Mac that a previous user was using; they left the company some time ago. The issue at hand is that the user's Apple ID is still associated with the device. Additionally, it appears that a firmware password has been set on the device, which we do not have access to. This has rendered the Mac unusable.
In my current role at Jamf, I am relatively new, so I appreciate your patience if this is a basic question. Is there a method to discover or reset the firmware password? We do have access to the ex-employee's computer account as a local admin.
Additionally, how can I prevent such situations in the future? Can Jamf store firmware passwords? If yes, how? The Mac model in question is a MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports) with an Intel i7 processor.
Thank you everyone in advance.
Posted on 11-02-2023 09:03 AM
Two issues at play here: activation lock and the EFI firmware password. In order to avoid issues with activation lock and personal Apple IDs, I would recommend enabling 'Prevent user from enabling activation lock' in the PreStage that the Macs are assigned to; this will prevent end users from doing this. You may also want to restrict the Apple ID pref pane.
As far as the other issue is concerned, Jamf does have the ability to add or remove an EFI password via a policy, but I think you have to know what it is to remove it. If you lack the password, I believe the only other option is to contact Apple and prove ownership, and they will remove the password for you.
As an aside, while modifying your PreStage, you may want to enable the option to lock RecoveryOS; this will provide EFI-style passwords for Apple silicon Macs that are automatically logged in Jamf and automatically removed when the Mac is removed from ABM / ASM.
Hope that helps.
Posted on 11-27-2023 10:48 AM
As an aside, while modifying your PreStage, you may want to enable the option to lock RecoveryOS
Other than re-enrolling, is there a way to enable this with the rotating password functionality?
Posted on 11-02-2023 10:14 AM
Contact Apple to get it removed. You will need to provide the proof of purchase for the device. This can be done online or via an Apple Store, depending on which country you're in.
Posted on 11-02-2023 10:35 AM
Can confirm that heading to the Apple Store works. Haven't tried Apple Enterprise yet.
Posted on 11-27-2023 09:20 AM
Thank you everyone! This was really helpful. :)