Install Firmware passwords

Setting up a firmware password should be a must for companies and institutions that require a certain level of security. The reasons for this should be quite obvious, so I won't go into them.

There are a couple of methods that an administrator can use to set up the firmware password before the computer is handed to a user (DeployStudio being the most common?) or during the first login of that user, using a first-boot AppleScript with a simple GUI.

The method I am going to explain here is how to set the password by using a simple installer. The main benefit of this is versatility.

No rocket science involved: basically we are going to create an installer that runs a bash script and holds a copy of Apple's binary setregproptool. No file is installed on the computer other than the receipt of the installer itself.

Let’s dig into it!

1st we need to obtain a copy of setregproptool. We can do this easily enough if the computer you are working on runs 10.7 or 10.8, by mounting the Recovery partition and copying it from there.

Let's create a directory where we'll store the binary, the scripts and the pkg. Note that the volume and app names contain spaces, so they have to be quoted:

cd ; mkdir firmwareInstaller ; cd firmwareInstaller
diskutil mount "Recovery HD"
hdiutil attach -quiet "/Volumes/Recovery HD/com.apple.recovery.boot/BaseSystem.dmg"
cp "/Volumes/Mac OS X Base System/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool" .
hdiutil detach "/Volumes/Mac OS X Base System/"
diskutil unmount "Recovery HD"

Now, for the sake of documenting, check which version you just got and read through the available switches (running it without arguments prints the usage):

sudo ./setregproptool

I am getting this on a 10.8.2

setregproptool v 2.0 (9) Jun 20 2012

Create the two scripts, one for enabling the firmware password and the second to disable it. I highly recommend that you create the installer and "uninstaller" in pairs and always match the version numbers. This is especially critical if you are required to change the firmware passwords in the future and versioning starts to become an issue.
The main reason for this is that computer models newer than 2010 require the current password in order to disable the prompt, so the "uninstaller" version should always match the installer version used previously.

For example: you receive half a batch of brand new, recent-model computers and install your firmware password version 1.0 on them. The next week you receive the other half of the shipment and install firmware password version 1.1. If you then use uninstaller 1.0 to target all of them, only the first half will have the password disabled.

It is also good practice to set the password to blank when disabling it. This way you won't face problems if the computer needs to be protected again.

touch enable.postflight.sh disable.postflight.sh

enable.postflight.sh could be something like this

#!/bin/sh
###
# VERSION 1.0 of the password enabler. Use the same version to disable it.
###
# The installer runs this script from the package's scripts directory, where
# the bundled copy of setregproptool lives as well (assumed layout), so locate
# it relative to the script instead of relying on the working directory.
SRPT="$(dirname "$0")/setregproptool"
[ -x "$SRPT" ] || { echo "setregproptool not found next to $0" >&2; exit 1; }
# Deactivating the password if it was set. Assuming the password was blank
"$SRPT" -d -o ""
sleep 1
# Setting the password and the mode
"$SRPT" -m command -p "NewPassword" -o ""
# Logging
echo "The firmware password version 1.0 is now set up!"
exit 0

and disable.postflight.sh could be

#!/bin/sh
###
# VERSION 1.0 of the password disabler. Works only if the password was set up using the same version enabler
###
# Same assumed layout as the enabler: setregproptool sits next to this script.
SRPT="$(dirname "$0")/setregproptool"
[ -x "$SRPT" ] || { echo "setregproptool not found next to $0" >&2; exit 1; }
# Setting the password to blank WILL TAKE EFFECT AFTER REBOOT
"$SRPT" -p "" -o "NewPassword"
sleep 1
# Disable the prompt for password
"$SRPT" -d -o "NewPassword"
# Logging
echo "Firmware password now set to blank and prompt disabled, reboot for the changes to take effect!"
# Forget that the password was ever installed. Munki likes this
pkgutil --forget com.mycompany.pkg.firm.pass
exit 0

As long as you use the same pkg identifier for every enabler, you can verify which version of the password a computer has by looking at the receipt:

pkgutil --info com.mycompany.pkg.firm.pass

Then use the uninstaller of that same version.

Packing the installer should be easy enough: the package has no payload, just the script and the setregproptool binary next to it.

Let the mass deployment of firmware passwords begin!

EDIT: Reader, please note that when I created my package I was using the great Packages application. If you are reading this now and you use pkgbuild to create your installers, then your scripts need to be correctly named. See comments below for more info.
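To tie the packing step and the version check together, here is a helper script added to this post (it is not the original author's code). It builds the enable/disable pair for one version with pkgbuild, renaming the scripts to the name pkgbuild insists on (postinstall), and on a deployed machine parses the receipt to say which uninstaller to push. The identifier com.mycompany.pkg.firm.pass is the one used above; the ".disable" suffix for the uninstaller's own receipt, the scripts-directory layout and the output file names are my assumptions.

```shell
#!/bin/sh
# Added helper, not part of the original post. Assumes the enable/disable
# scripts and the setregproptool binary sit in the current directory.
set -u

PKG_ID="com.mycompany.pkg.firm.pass"

# Extract the "version:" field from `pkgutil --info` output read on stdin.
# Prints nothing and returns 1 when no receipt line is present.
receipt_version() {
    awk '$1 == "version:" { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Map a receipt version to the disable package built for that version.
# Every password version gets its own pair, so the names must line up.
uninstaller_for() {
    printf 'disable-firmware-password-%s.pkg\n' "$1"
}

# Build the enable/disable pair for VERSION. Both packages are payload-free:
# the scripts directory holds setregproptool plus the script, which pkgbuild
# requires to be named exactly "postinstall" (Packages.app used "postflight").
# The disabler gets its own identifier (assumption) so that its receipt can
# never be mistaken for an enabler receipt by the check below.
build_pair() {
    version="$1"
    for action in enable disable; do
        scripts="scripts-$action"
        rm -rf "$scripts" && mkdir "$scripts"
        cp setregproptool "$scripts/"
        cp "$action.postflight.sh" "$scripts/postinstall"
        chmod +x "$scripts/postinstall" "$scripts/setregproptool"
        id="$PKG_ID"
        [ "$action" = disable ] && id="$PKG_ID.disable"
        pkgbuild --nopayload \
            --scripts "$scripts" \
            --identifier "$id" \
            --version "$version" \
            "$action-firmware-password-$version.pkg"
    done
}

# Report which enabler version this machine has and the matching uninstaller.
check_machine() {
    if v=$(pkgutil --info "$PKG_ID" 2>/dev/null | receipt_version); then
        echo "firmware password version $v installed; use $(uninstaller_for "$v")"
    else
        echo "no $PKG_ID receipt: no firmware password from this installer"
        return 1
    fi
}

case "${1:-}" in
    build) build_pair "${2:?usage: $0 build VERSION}" ;;
    check) check_machine ;;
    "") ;;   # no arguments: only define the functions
    *) echo "usage: $0 build VERSION | check" >&2; exit 2 ;;
esac
```

Run it as `./fwpkg.sh build 1.0` on the build machine and `./fwpkg.sh check` on a deployed Mac. Because each version's disabler embeds that version's password, the check is what keeps you from pushing uninstaller 1.0 to a machine that got enabler 1.1.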