JAMF have a great article on deploying the binary needed to set a firmware password on 2010+ Macs via the Casper Suite, here.
I recently had a chance to play with it, but found that the below command (which is used by the following EA to check EFI Password status) often returns nothing or just 0 after running, regardless of whether an EFI password is set or not.
sudo /Library/Application\ Support/JAMF/bin/setregproptool -c
So below is a different version of the previously linked Extension Attribute, using “expect” & maybe an inelegant check... but hey, if it works!
With my ADPassMon fork I check to see if the login.keychain is locked, by trying to unlock it, then getting the result. The below is similar, in that to check to see if an EFI password is set we send the delete flag. This in turn should get a prompt on the command line like that below:
Enter Current Password:
But that is not easily returnable, & a script will hang at the prompt.
To my rescue came “expect.” This is something I had been looking for an excuse to use since Andrina Kelly’s JNUC2013 presentations (those scripts can be found here).
However, I’m not using it in its normal usage (to get a prompt & then send a command to it). Instead I’m just using it to get the prompt & timeout after 2 seconds, with the $EFIPasswordSet variable being set to the output.
If the $EFIPasswordSet variable contains the word “current” then an EFI password is set & will return “Set”, else it will return “Not Set.” If the setregproptool cannot be found in the correct directory, the script will return “Not Found.”
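A sketch of the check described above, written as an added example and not the author's own script. It assumes `-d` is the delete flag the post refers to and that the value is reported in `<result>` tags as Casper Extension Attributes expect; the function names are hypothetical.

```shell
#!/bin/bash
# Added example: Extension Attribute sketch following the post's description.

# Path taken from the command shown in the post.
TOOL="/Library/Application Support/JAMF/bin/setregproptool"

# Map captured tool output to the EA value. The post's rule: a prompt
# containing "current" means a firmware password is set. The match is
# case-insensitive because the prompt reads "Enter Current Password:".
classify_efi_output() {
    if printf '%s' "$1" | grep -qi 'current'; then
        echo "Set"
    else
        echo "Not Set"
    fi
}

# Spawn the tool with the delete flag (assumed to be -d) under expect and
# wait at most 2 seconds for the password prompt. Nothing is ever sent to
# the prompt; expect exits and closes the tool, so the script cannot hang.
efi_password_status() {
    local tool="${1:-$TOOL}"
    local output
    if [ ! -x "$tool" ]; then
        echo "Not Found"
        return 0
    fi
    # The path goes through the environment so the space in
    # "Application Support" stays inside a single Tcl word.
    output=$(TOOL_PATH="$tool" /usr/bin/expect -c '
        set timeout 2
        spawn $env(TOOL_PATH) -d
        expect "assword:"
    ' 2>/dev/null)
    classify_efi_output "$output"
}

# Extension Attributes run as root and report the text between the tags.
echo "<result>$(efi_password_status)</result>"
```
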
