JAMF have a great article on deploying the binary needed to set a firmware password on 2010+ Macs via the Casper Suite, here.
I recently had a chance to play with it, but found that the below command (which is used by the following EA to check EFI Password status) often returns nothing or just 0 after running, regardless of whether an EFI password is set or not.
sudo /Library/Application\ Support/JAMF/bin/setregproptool -c
So below is a different version of the previously linked Extension Attribute, using “expect” & maybe an inelegant check... but hey, if it works!
With my ADPassMon fork I check to see if the login.keychain is locked, by trying to unlock it, then getting the result. The below is similar, in that to check to see if an EFI password is set we send the delete flag. This in turn should get a prompt on the command line like that below:
Enter Current Password:
But that is not easily returnable, & a script will hang at the prompt.
To my rescue came “expect.” This is something I had been looking for an excuse to use since Andrina Kelly’s JNUC2013 presentations (those scripts can be found here).
However, I’m not using it in its normal usage (to get a prompt & then send a command to it). Instead I’m just using it to get the prompt & timeout after 2 seconds, with the $EFIPasswordSet variable being set to the output.
If the $EFIPasswordSet variable contains the word “current” then an EFI password is set & will return “Set”, else it will return “Not Set.” If the setregproptool cannot be found in the correct directory, the script will return “Not Found.”
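The check described above, written out as an added example (this is not the author's original script). The function names, the case-insensitive match on “current” and the explicit kill of the spawned tool once the prompt has been seen are assumptions of this sketch; the tool path and the three return values are the ones given in the post.

```shell
#!/bin/sh
# Added example: Extension Attribute that reports EFI (firmware) password status.
TOOL="${TOOL:-/Library/Application Support/JAMF/bin/setregproptool}"

# Classify captured output. The post keys on the word "current" from the
# "Enter Current Password:" prompt; matching case-insensitively is an assumption.
classify_efi_output() {
    if printf '%s' "$1" | grep -qi 'current'; then
        echo "Set"
    else
        echo "Not Set"
    fi
}

efi_password_status() {
    efi_tool="$1"
    if [ ! -x "$efi_tool" ]; then
        echo "Not Found"
        return 0
    fi
    # Send the delete flag, wait at most 2 seconds for the prompt, and never
    # answer it. Then kill and reap the child so that no process (or its pty)
    # is left waiting for input after the check.
    efi_output=$(EFI_TOOL="$efi_tool" expect -c '
        set timeout 2
        spawn -noecho $env(EFI_TOOL) -d
        expect -nocase "current"
        catch { exec kill -9 [exp_pid] }
        catch { close }
        catch { wait }
    ' 2>/dev/null) || true
    classify_efi_output "$efi_output"
}

# Casper reads an Extension Attribute value from <result> tags on stdout.
echo "<result>$(efi_password_status "$TOOL")</result>"
```

Because the prompt is never answered, the delete is never carried out; the script only observes whether the tool asks for the current password.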
Where’s the code? I would love to see this as I’m running into the same thing – setregproptool just gives me blank output.
Well never mind. After writing this comment, the code showed up. Weird.
Where is the code?
I can see the code fine in Safari.
What browser are you using?
The problem with this is that it leaves the `setregproptool -d` command running in memory (waiting for input). Each of these checks then consumes a TTY and eventually the system runs out of available TTYs and Terminal.app (or iTerm, etc.) is unable to launch new sessions.