Administering Open Firmware/EFI Passwords

You can administer Open Firmware or EFI passwords to ensure the security of managed computers.

There are two ways to set and remove an Open Firmware/EFI password: using a policy or using Casper Remote.

Requirements

The “setregproptool” binary must be present on each computer and any alternate boot volume(s) used to set firmware. For models “Late 2010” or later with macOS 10.9.x or earlier, the binary must be obtained and placed on the computer. (For more information, see the Setting EFI Passwords on Mac Computers (Models Late 2010 or Later) Knowledge Base article.)

Setting or Removing an Open Firmware/EFI Password Using a Policy

  1. Log in to the JSS with a web browser.

  2. Click Computers at the top of the page.

  3. Click Policies.

  4. Click New.

  5. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
    For an overview of the settings in the General payload, see General Payload.

  6. Select the EFI Password payload and click Configure.

  7. Do one of the following:

    • To set an Open Firmware/EFI password, choose "Command" from the pop-up menu and enter and verify the password.

    • To remove an Open Firmware/EFI password, choose "None" from the pop-up menu.

  8. Use the Restart Options payload to configure settings for restarting computers.
    For more information, see Restart Options Payload.

  9. Click the Scope tab and configure the scope of the policy.
    For more information, see Scope.

  10. (Optional) Click the Self Service tab and make the policy available in Self Service.
    For more information, see Self Service Policies.

  11. (Optional) Click the User Interaction tab and configure messaging and deferral options.
    For more information, see User Interaction.

  12. Click Save.

The policy runs on computers in the scope the next time they check in with the JSS and meet the criteria in the General payload.

Setting or Removing an Open Firmware/EFI Password Using Casper Remote

  1. Open Casper Remote and authenticate to the JSS.

  2. Click Site and choose a site.
    This determines which items are available in Casper Remote.
    Note: This button is only displayed if you have a site configured in the JSS and are logged in with a JSS user account that has full access or access to multiple sites.

  3. In the list of computers, select the checkbox for each computer on which you want to set or remove an Open Firmware/EFI password.

  4. Click the Accounts tab.

  5. Select the Set Open Firmware/EFI Password checkbox.

  6. Do one of the following:

    • To set the password, choose "command" from the Security Level pop-up menu and enter and verify the password.

    • To remove the password, choose "none" from the Security Level pop-up menu.

  7. Click the Restart tab and configure settings for restarting computers.

  8. Do one of the following:

    • To immediately perform the tasks on the specified computers, click Go.

    • To schedule the tasks to take place at a specific day and time, click Schedule and choose a day and time. Then click Schedule again.

Related Information

For related information, see the following sections in this guide:

  • About Policies
    Learn the basics about policies.

  • Managing Policies
    Find out how to create a policy, view the plan and status of a policy, and view and flush policy logs.

© copyright 2002-2017 Jamf. All rights reserved.