Check EFI Password State Extension Attribute


JAMF have a great article on deploying the binary needed to set a firmware password on 2010+ Macs via the Casper Suite, here.

I recently had a chance to play with it, but found that the below command (which is used by the following EA to check EFI Password status) often returns nothing or just 0 after running. Regardless if an EFI password is set or not.

sudo /Library/Application\ Support/JAMF/bin/setregproptool -c

So below is a different version of the before linked Extension Attribute, using “expect” & maybe a inelegant check.. but hey, if it works!

With my ADPassMon fork I check to see if the login.keychain is locked, by trying to unlock it, then getting the result. The below is similar, in that to check to see if a EFI password is set we send the delete flag. This in turn should get a prompt on the command line like that below:

 Enter Current Password:

But that is not easily returnable,  & a script will hang at the prompt.

To my rescue came “expect.” This is something I had been looking for an excuse to use since Andrina Kelly’s JNUC2013 presentations (those scripts can be found here).

However, I’m not using it in it’s normal usage (to get a prompt & then send a command to it). Instead i’m just using it to get the prompt & timeout after 2 seconds, with the $EFIPasswordSet variable being set to the output.

If the $EFIPasswordSet variable contains the word “current” then a EFI password is set & will return “Set”, else it will return “Not Set.” If the setregproptool cannot be found in the correct directory, the script will return “Not Found.”

5 thoughts on “Check EFI Password State Extension Attribute

  1. Jeff

    Where’s the code? I would love to see this as I’m running into the same thing – setregproptool just gives me blank output.

  2. Scott W

    The problem with this is that it leaves the `setregproptool -d` command running in memory (waiting for input). Each of these checks then consumes a TTY and eventually the system runs out of available TTYs and (or iTerm, etc.) is unable to launch new sessions.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.