Administering Open Firmware/EFI Passwords

You can administer Open Firmware or EFI passwords to ensure the security of managed computers.

There are two ways to set and remove an Open Firmware/EFI password: using a policy or using Jamf Remote.

Requirements

The “setregproptool” binary must be present on each computer and on any alternate boot volume(s) used to set the firmware password. For models “Late 2010” or later with macOS 10.9.x or earlier, the binary must be obtained and placed on the computer. (For more information, see the Setting EFI Passwords on Mac Computers (Models Late 2010 or Later) Knowledge Base article.)

Setting or Removing an Open Firmware/EFI Password Using a Policy

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Policies.

  4. Click New.

  5. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
    For an overview of the settings in the General payload, see General Payload.

  6. Select the EFI Password payload and click Configure.

  7. Do one of the following:

    • To set an Open Firmware/EFI password, choose "Command" from the pop-up menu and enter and verify the password.

    • To remove an Open Firmware/EFI password, choose "None" from the pop-up menu.

  8. Use the Restart Options payload to configure settings for restarting computers.
    For more information, see Restart Options Payload.

  9. Click the Scope tab and configure the scope of the policy.
    For more information, see Scope.

  10. (Optional) Click the Self Service tab and make the policy available in Self Service.
    For more information, see Making Items Available to Users in Jamf Self Service for macOS.

  11. (Optional) Click the User Interaction tab and configure messaging and deferral options.
    For more information, see User Interaction.

  12. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in the General payload.

Setting or Removing an Open Firmware/EFI Password Using Jamf Remote

  1. Open Jamf Remote and authenticate to the Jamf Pro server.

  2. Click Site and choose a site.
    This determines which items are available in Jamf Remote.
    Note: This button is only displayed if you have a site configured in Jamf Pro and are logged in with a Jamf Pro user account that has full access or access to multiple sites.

  3. In the list of computers, select the checkbox for each computer on which you want to set or remove an Open Firmware/EFI password.

  4. Click the Accounts tab.

  5. Select the Set Open Firmware/EFI Password checkbox.

  6. Do one of the following:

    • To set the password, choose "command" from the Security Level pop-up menu and enter and verify the password.

    • To remove the password, choose "none" from the Security Level pop-up menu.

  7. Click the Restart tab and configure settings for restarting computers.

  8. Do one of the following:

    • To immediately perform the tasks on the specified computers, click Go.

    • To schedule the tasks to take place at a specific day and time, click Schedule and choose a day and time. Then click Schedule again.

Related Information

For related information, see the following sections in this guide:

  • About Policies
    Learn the basics about policies.

  • Managing Policies
    Find out how to create a policy, view the plan and status of a policy, and view and flush policy logs.

© copyright 2002-2017 Jamf. All rights reserved.