Setting up a firmware password should be a must for companies and institutions that require a certain level of security. The reasons for this should be quite obvious, so I won't go into them.
There are a couple of methods an administrator can use to set the firmware password before the machine is handed to a user (DeployStudio being the most common?) or during that user's first login, using a first-boot AppleScript with a simple GUI.
The method I am going to explain here is how to set the password using a simple installer. The main benefit of this approach is versatility.
No rocket science involved: basically we are going to create an installer that runs a bash script and holds a copy of Apple's binary setregproptool. No file is installed on the computer other than the receipt of the installer itself.
Let’s dig into it!
- First we need to obtain a copy of setregproptool. We can do this easily enough if the computer you are working on runs 10.7 or 10.8, by mounting the Recovery partition and copying it from there.
Let's create a directory where we'll store the binary, the scripts and the pkg.
Now, for the sake of documentation, check which version you just got and read through the available switches.
I am getting this on 10.8.2.
Create the two scripts, one for enabling the firmware password and a second one to disable it. I highly recommend you create the installer and "uninstaller" in pairs and always match the version numbers. This is especially critical if you are required to change the firmware passwords in the future and versioning starts to become an issue.
The main reason for this is that computer models newer than 2010 require the same password to disable the prompt, so the "uninstaller" version should always match the installer version used previously.
For example: you receive the first half of a batch of brand new recent-model computers and install your firmware password version 1.0. The next week you receive the other half of the shipment and install firmware password version 1.1. If you then use the uninstaller 1.0 to target all of them, only the first half will have the password disabled. What a difficult explanation, but I hope it is clear.
It is also good practice to set the password to blank when disabling it. This way you won't face problems if the computer needs to be protected again.
enable.postflight.sh could be something like this
and disable.postflight.sh could be
As long as you use the same pkg name, you can verify what version of the password a computer has by running
Then use the correct uninstaller.
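Since the post's own enable.postflight.sh and disable.postflight.sh are not reproduced above, here is an added example (mine, not the post's scripts) that covers both of them plus the receipt version check in one file. It assumes the package drops setregproptool next to the script, and the package identifier `com.example.firmwarepassword`, the version `1.0` and the password text are placeholders you would replace in your own package. The switches used (`-c`, `-m command -p`, `-d -o`) are setregproptool's own; the pkgutil receipt query is the standard `pkgutil --pkg-info`.

```shell
#!/bin/bash
# Added example, not the original post's scripts. Install with "enable",
# run the matching uninstaller with "disable". All identifiers below are
# placeholders (assumptions), replace them with your own values.

# Assumption: the package ships setregproptool next to this script.
SETREGPROPTOOL="${SETREGPROPTOOL:-$(dirname "$0")/setregproptool}"
# Placeholder package id; the receipt left behind carries the version.
PKG_ID="${PKG_ID:-com.example.firmwarepassword}"
# This must stay identical between an installer and its uninstaller:
# post-2010 models need the current password to remove the prompt.
PASSWORD_VERSION="1.0"
PASSWORD_TEXT="CHANGE-ME-v1.0"   # placeholder; the real one lives in your pkg

# Exit status 0 if a firmware password is set, 1 otherwise (setregproptool -c).
firmware_password_is_set() {
    "$SETREGPROPTOOL" -c >/dev/null 2>&1
}

# Enable: "command" mode only prompts on alternate boots (Option, Recovery).
enable_firmware_password() {
    "$SETREGPROPTOOL" -m command -p "$PASSWORD_TEXT"
}

# Disable: clear the password, handing over the old one with -o so newer
# hardware accepts the removal. The uninstaller therefore needs the same
# PASSWORD_TEXT as the installer it undoes.
disable_firmware_password() {
    "$SETREGPROPTOOL" -d -o "$PASSWORD_TEXT"
}

# Pull the "version:" field out of pkgutil --pkg-info text read on stdin,
# so it can be exercised on sample receipt text without a receipt database.
receipt_version() {
    awk -F': ' '$1 == "version" { print $2; exit }'
}

# Prints "match" when the installed password version equals the version
# this uninstaller carries, otherwise "mismatch".
uninstaller_matches() {
    installed="$1"
    mine="$2"
    if [ "$installed" = "$mine" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Query the real receipt on a target volume at deploy time.
installed_password_version() {
    target="${1:-/}"
    pkgutil --volume "$target" --pkg-info "$PKG_ID" 2>/dev/null | receipt_version
}

# Dispatch: nothing runs unless an action is named, so the functions above
# can also be sourced from a larger deployment script.
case "${1:-}" in
    enable)
        enable_firmware_password
        ;;
    disable)
        installed=$(installed_password_version /)
        if [ "$(uninstaller_matches "$installed" "$PASSWORD_VERSION")" = "match" ]; then
            disable_firmware_password
        else
            echo "installed version '$installed' != uninstaller $PASSWORD_VERSION, refusing" >&2
            exit 1
        fi
        ;;
    check)
        if firmware_password_is_set; then echo "set"; else echo "not set"; fi
        ;;
esac
```

The disable branch refuses to run when the receipt version does not match, which is the mechanical form of the versioning rule above: the 1.0 uninstaller simply stops on a machine that carries 1.1 instead of failing halfway through with the wrong password. Note that the password sits in clear text inside the package scripts, so the distribution channel for the pkg deserves the same access controls as the password itself.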
Packing the installer should be easy enough :)
Let the mass deployment of firmware passwords begin!
PS: not clear? feel free to ask
EDIT: reader, please note that when I created my package I was using the great Packages application. If you are reading this now and you use pkgbuild to create your installers, then your scripts need to be correctly named. See the comments below for more info.