
Setting EFI Passwords on Mac Computers (Models Late 2010 or Later)

Overview

Beginning with the MacBook Air (Late 2010), MacBook Pro (Early 2011), and iMac (Mid 2011), Apple changed the method by which EFI passwords are managed. If you are using the Casper Suite v8.2 or later with any of the hardware listed above, the Apple “setregproptool” binary must exist on each computer, and on any alternate boot volume that may be used, when the firmware password is set. In addition, to set a firmware password on any of the hardware listed above, the previous password must be supplied.

These additional steps are not required when setting the EFI password on computers with OS X v10.10 or later using the Casper Suite v9.64 or later: OS X v10.10 ships Apple's /usr/sbin/firmwarepasswd tool, and setregproptool is no longer distributed with the 10.10 installer.

Versions Affected

Casper Suite v8.2 and later

Requirements

Apple installation media for any of the following computers:

  • MacBook Air (Late 2010 or later)
  • MacBook Pro (Early 2011 or later)
  • iMac (Mid-2011 or later)

Procedure

To set an EFI password on the hardware listed above, you must obtain the “setregproptool” binary from Apple installation media, the OS X .app file from the Mac App Store, or a "Recovery HD" partition. Then, you must place it on any managed computers, OS packages, and NetBoot images that require an EFI password.

To obtain the “setregproptool” binary from Apple installation media:
Navigate to the following location on Apple installation media: /Volumes/Mac OS X Install DVD/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool

Note: This location is for the installation media for a MacBook Pro (Early 2011). The location for other hardware may vary slightly.

To obtain the “setregproptool” binary from the OS X .app file from the Mac App Store (10.7):

  1. Control-click (right-click) the .app file and select Show Package Contents.
  2. Mount the disk images at the following approximate locations, in this order (the second is inside the first):
     /Install Mac OS X Lion.app/Contents/SharedSupport/InstallESD.dmg
     /Volumes/Mac OS X Install ESD/BaseSystem.dmg
  3. Navigate to the following location: /Volumes/Mac OS X Base System/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool

To obtain the “setregproptool” binary from the OS X .app file from the Mac App Store (10.8):

  1. Control-click (right-click) the .app file and select Show Package Contents.
  2. Navigate to /Install Mac OS X Mountain Lion 10.8.app/Contents/SharedSupport/ and mount the InstallESD.dmg file.
  3. Execute the following command:
    hdiutil attach /Volumes/Mac\ OS\ X\ Install\ ESD/BaseSystem.dmg
  4. Navigate to the following location: /Volumes/Mac OS X Base System/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool

To obtain the “setregproptool” binary from a "Recovery HD" partition:
Execute the following commands on a standard OS X volume:

/usr/sbin/diskutil mount Recovery\ HD
/usr/bin/hdiutil attach -quiet /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg
/bin/cp /Volumes/Mac\ OS\ X\ Base\ System/Applications/Utilities/Firmware\ Password\ Utility.app/Contents/Resources/setregproptool /path/to/save/location/
/usr/bin/hdiutil detach /Volumes/Mac\ OS\ X\ Base\ System/
/usr/sbin/diskutil unmount Recovery\ HD

Note: On OS X v10.9 the mounted disk image is named "OS X Base System" rather than "Mac OS X Base System", so use /Volumes/OS\ X\ Base\ System/ in the cp and detach commands.

To place the “setregproptool” binary:
Copy the “setregproptool” binary to the following location on enrolled computers, OS packages, and NetBoot images that require an EFI password, and make sure the copy is executable:
/Library/Application Support/JAMF/bin/

To set a firmware password:
Follow the instructions in the “Administering Open Firmware/EFI Passwords” section of the Casper Suite Administrator’s Guide. For the hardware listed above, you must add a script with the following command to Casper Remote or the policy in the JSS. The path contains a space, so it must be escaped or quoted, and the options use plain hyphens (a typographic dash copied from a document is rejected as an invalid argument). Single-quote the passwords so the shell does not interpret special characters in them:

/Library/Application\ Support/JAMF/bin/setregproptool -p 'newpassword' -o 'oldpassword'

Omit -o 'oldpassword' only if no firmware password is currently set. Do not add -m full unless you want the password prompted on every boot; command mode prompts only when an alternate startup device is chosen. Be aware that the passwords are stored in plain text in the script and may appear in policy logs.

To remove a firmware password:
Follow the instructions in the “Administering Open Firmware/EFI Passwords” section of the Casper Suite Administrator’s Guide. For the hardware listed above, you must add a script with the following command to Casper Remote or the policy in the JSS (the current password is required to remove it):

/Library/Application\ Support/JAMF/bin/setregproptool -d -o 'oldpassword'
SOLVED Posted: 5/29/12 at 2:10 PM by cHALANGARAN

Hello friends. I have a 2011 model MacBook Pro (mc700).
After update 10.7.3 to 10.7.4 operating systems and operating systems up to Meckel's got no deal. EFI Password not approve of your hand. Unfortunately I live in a country that allows me to communicate with Apple's technical support is available from Apple dealers there is no objectivity here. Is there a way to solve this problem?
Thanks a lot.

SOLVED Posted: 12/28/13 at 11:54 AM by jomo

just a short update about this. I figured it worked for me only if i masquerade the password with ''

/Library/Application\ Support/JAMF/bin/setregproptool -p 'newpassword' -o 'oldpassword'

I am working on Mavericks 10.9.1 on a MacBook Pro 13" Mid 2012.

SOLVED Posted: 1/20/14 at 1:32 PM by joelreid

A note from my experience; no syntax variations would get it to work via a policy-run script. Some variations even give an exit code of 0 from the setregproptool command, but don't actually set a password, and sometimes still show "Error, invalid arguments. setregproptool..." and a usage summary. I tried the many versions (all "v 2.0 (9)", but differently-dated), which came on several models' Recovery HDs and in different Mac OS Installer apps without success.

In the best case, logging in as a local admin and running the command [identical to the one in the policy!] would work fine. Thankfully that isn't required every time.

Contrary to the instructions above labeled "To set a firmware password:", installing the tool does not then require use of a script to add a new password. Rather, once a working setregproptool binary is packaged up and deployed, the built-in Casper policy "EFI Password" payload will then successfully make use of the installed setregproptool.

P.S. JAMF... you should really warn users right there in the EFI Password payload section that the functionality that worked all along in the past is now secretly guaranteed to fail, silently unless extra steps are taken.

SOLVED Posted: 1/29/14 at 4:51 PM by andyinindy

For the life of me I can't understand why JAMF doesn't simply install the setregproptool into /Library/Application\ Support/JAMF/bin, if this is all that is required in order to allow the built-in "Open Firmware/EFI Password" component to work properly.

Perhaps because this is an Apple proprietary tool?

Regardless, if you cannot set the EFI password without this tool, then why continue to include the ability to set EFI/Firmware password via a policy?? At minimum there should be a disclaimer stating that this will only work for systems manufactured prior to 2010, and that it will not function on newer systems without setregproptool being present in the /Library/Application\ Support/JAMF/bin.

SOLVED Posted: 3/20/14 at 5:04 PM by robb1068

Glad I tested this out first! Process to set the firmware password works just fine, but removing the firmware password is another story. No policy, Casper Remote or running the command locally would work… finally gave up and booted into Recovery mode and ran the Firmware Password Utility to remove it.

SOLVED Posted: 3/21/14 at 11:43 AM by justin.smith

A bit tricky: you actually need to provide EFI with a password to remove it. You can either modify (or clone) the original policy, change it from "command" to "none", and then scope that to your devices; or set up a new EFI policy, set it to "command" and save the password (without scoping it to a device), then change it back to "none" and use that as your "remove" policy.

SOLVED Posted: 3/21/14 at 3:52 PM by seabash

As others have noted, I've been able to initially set EFI password (after packing-up setregproptool and deploying to targeted Macs) via Casper Remote. The issues I'm having are (A) changing/updating EFI password and (B) removing EFI password. Note: I'm just testing via Casper Remote, and will use actual policy later.

In both cases, I'm using Casper Remote's built-in Accounts tab to change/remove the EFI password. The task fails with errors indicating "EFI password is already set". I've also rebooted the test Mac in case of some time-delay issues.

I've tried manually updating the pw update command per the KB and @jomo (above).
Though the new EFI password works, the EFI prompt now shows at every reboot—whether Option is pressed or not. Even more perplexing is that I cannot get into OS Boot selector or Target mode at this point.

UPDATE: Manually running

/path/to/setregproptool -d -o oldpassword

removes the EFI password; still, p358 of the Casper Admin Guide does not work as stated.

UPDATE 2: EFI Password was required due to inadvertently setting the `-m full` switch, which the manpage states will be required on every boot.

UPDATE 3: Getting the same results via JSS policy (in case root user-context made a difference). E.g. whether or not a password is set for "None" via policy, the EFI password is still set (policy shows "success" and is not red).

Since I can't boot to Restore partition, I can't manually disable EFI password either.

Here are pertinent details of my issue...
Production JSS v 8.73; test client OS X 10.9.2 (13C64); MacBook Pro 13" Retina (Late 2013); obtained setregproptool from Install OS X Mavericks.app (1.3.37, 13C64).

SOLVED Posted: 5/10/14 at 3:42 PM by bentoms

Please amend the last 3 commands from:

/Library/Application Support/JAMF/bin/

To:

/Library/Application\ Support/JAMF/bin/

Oh & for 10.9 the path to get the firmware password utility is not:

/bin/cp /Volumes/Mac\ OS\ X\ Base\ System/Applications/Utilities/Firmware\ Password\ Utility.app/Contents/Resources/setregproptool

But:

/bin/cp /Volumes/OS\ X\ Base\ System/Applications/Utilities/Firmware\ Password\ Utility.app/Contents/Resources/setregproptool
SOLVED Posted: 7/14/14 at 3:58 PM by thanzig

Came up with a solution for this that is working (Tested on new 10.9.4 machines with Casper 9.32)

1) Used Composer to create a DMG with /Library/Application Support/JAMF/bin/setregproptool and laid it down during imaging
2) Set the Open Firmware command at imaging.
3) Firmware password was set and working.

Seems like a simple solution. Thoughts? I am testing ways to change/disable firmware.

SOLVED Posted: 7/14/14 at 6:57 PM by bentoms
SOLVED Posted: 7/29/14 at 3:52 PM by kirk.magill

thanzig - I used your idea and it worked great! Thanks! However, a follow-up to your post on the 14th would be awesome! Anything yet for removing the password just as easily?

SOLVED Posted: 7/29/14 at 4:11 PM by kirk.magill

Well - I thought it was going to be a tough one but you already had the solution. I created a policy to run at check-in - interval - and simply set the Open Firmware/EFI Password security level to Open Firmware/EFI None.
It works beautifully! It all stems from having the setregproptool file in the /Library/Application Support/JAMF/bin/ directory.

To do that I just created a package in composer and dumped it on the machines using a policy. Works great!

SOLVED Posted: 4/23/15 at 6:47 PM by ktappe

Unfortunately this does not work with Yosemite. There is no "BaseSystem.dmg" included in the OS X Install ESD anymore.

I looked in BaseSystemBinaries.pkg but it's not there. I think Apple has entirely deprecated setregproptool in Yosemite in favor of firmwarepasswd. While you can go back to 10.8 to obtain setregproptool, as others are doing, there's no guarantee it's going to keep working.

Problem is, I don't think firmwarepasswd is scriptable. My attempts to echo/pipe password values into it have failed. I've opened a ticket with Apple on this and will report back what I find out.

SEE SCRIPT BELOW.

SOLVED Posted: 4/24/15 at 1:54 AM by bentoms
SOLVED Posted: 4/28/15 at 11:56 AM by CasperSally

@ktappe - I haven't tested with 10.10 yet with the new tool, but I've been setting firmware via script for years. I believe I had to because we change firmware passwords and the built in JAMF firmware policy doesn't account for old/new password. See @plawrence post in my old thread here

firmware script

SOLVED Posted: 5/13/15 at 3:45 PM by ktappe

Here is the script I am using to set the firmware password in 10.10.3. It should work in cases where the password is not set and when it is, but does require you to know the previous password. Replace the hard-coded "Password" with hashes or whatever other security you like.

#!/usr/bin/expect
# Drives firmwarepasswd interactively. When a password is already set the tool
# asks for it first; exp_continue after each send keeps matching until the tool
# exits. Replace "Password" with the current and new values.
spawn firmwarepasswd -setpasswd
expect {
    "Enter password:" {
        # current password; only prompted when one is already set
        send "Password\r"
        exp_continue
    }
    "Enter new password:" {
        send "Password\r"
        exp_continue
    }
    "Re-enter new password:" {
        send "Password\r"
        exp_continue
    }
}
SOLVED Posted: 7/21/15 at 9:21 AM by crawlgsx

I don't know why but I cannot get that script to run.

If I run it manually in Terminal it just goes into a loop with "Enter new password:" and "Invalid Password." repeating, like it's not sending the text I am asking it to.

(just a basic script with that exact code, run by going into terminal and typing sudo ./scriptname). All I did was change password to a plain text password of my own. These machines currently have no firmware password.

I've been messing with it for a couple of days now and no matter what I try it seems like it doesn't send the password over.

SOLVED Posted: 9/22/15 at 8:16 AM by cstout

@ktappe Are you using a script-based deployment due to an existing EFI password in place on client machines? Isn't deployment of EFI passwords configurable via a policy using the built-in "EFI Password" payload?

SOLVED Posted: 10/9/15 at 12:55 PM by CasperSally

here's my extension attribute checking for firmware password being set with new tool in case it helps anyone

#!/bin/sh
# Jamf extension attribute: reports whether a firmware password is set, using
# Apple's firmwarepasswd (OS X 10.10 and later). firmwarepasswd needs root,
# which the jamf binary has during inventory collection.
result=$(/usr/sbin/firmwarepasswd -check)

# single brackets so the test also works under a strict /bin/sh
if [ "$result" = "Password Enabled: Yes" ]; then
    echo "<result>Set</result>"
else
    echo "<result>Not Set</result>"
fi
SOLVED Posted: 2/1/16 at 3:33 PM by uurazzle

Hello:

You might want to take a look at our firmware_password_manager script which allows management of firmware password.

It's available in our github repo here:
https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

If you have any questions or problems, please let us know.

SOLVED Posted: 3/14/16 at 4:58 PM by itstaff

Would be great if JAMF updated the JSS to remove the EFI PWD for 10.10 and 10.11 if they are allowing you to set it via the policy page then shouldn't removing it be just as easy?

Can we get this article updated to reflect 10.10 and 10.11?

SOLVED Posted: 3/14/16 at 10:08 PM by aporlebeke

@itstaff Create a script that runs this command, /Library/Application\ Support/JAMF/bin/setregproptool -d -o oldpassword (or firmwarepasswd -delete), add it to your same policy with the previous EFI payload removed, flush the logs of the policy, and you're set to have it undo on all your previously scoped computers.

Could be easier, granted, but it's not too complicated to do if you needed to. You can always put it in a feature request if there's not one already.

SOLVED Posted: 11/21/16 at 1:16 PM by Chuey

@aporlebeke Bringing up an old thread but I'm trying to remove a firmware password and I'm using:

#!/bin/sh
/Library/Application\ Support/JAMF/bin/setregproptool -d -o 'PASSWORD_HERE'

But it doesn't seem to work. When I run it through ARD it just prompts me and continually states "Enter current password:"

Any ideas or new ways to do this ?

SOLVED Posted: 11/21/16 at 1:46 PM by aporlebeke

@Chuey Haven't had to do this in a while, but IIRC, you can use the built-in firmwarepasswd executable to remove the firmware password - firmwarepasswd -delete. Not sure if it prompts you to for the current firmware password before removing. Take a look at the firmwarepasswd man page.

If you are running the command through ARD, you'll want to make sure to click the "run as user" and enter root.

SOLVED Posted: 11/21/16 at 1:51 PM by Chuey

@aporlebeke Thanks for the quick update. firmwarepasswd -delete does prompt me with "Enter password:". I've found a script using /usr/bin/expect to handle this but that can't be sent out via ARD unless I can change what interpreter it's sending the command as.

I'm not the best at bash scripting so I would have to dig a little to figure out how to pass that password using bash when it prompts for user input.

Thanks for your help

SOLVED Posted: 11/21/16 at 2:01 PM by aporlebeke

@Chuey can you share where you found the script? Is there a reason you're doing it through ARD and not via policy or Casper Remote?

SOLVED Posted: 11/21/16 at 2:19 PM by Chuey

@aporlebeke Sure, I found the script using expect interpreter here.

I'm pushing this firmware password to all of our general machines. When the time comes to re-image all these machines during the summer I know the technicians are going to have a fit about removing the firmware because they'll need to remove it before netbooting. I can put a script in Casper to deploy through casper remote but that means all machines will need to have a current inventory. I know I will see a lot of complaining about the added steps to removing the firmware.

SOLVED Posted: 11/21/16 at 2:30 PM by Chuey

@aporlebeke I've figured something out. I wrote a bash script that calls the expect within it. Just tested and verified this works:

#!/bin/bash
# Removes the firmware password by answering firmwarepasswd's prompt through
# expect. The heredoc delimiter is quoted so bash does not expand $, backticks
# or backslashes inside the password (Tcl still treats $, [ and \ inside the
# send string specially). Must run as root, e.g. ARD "run as user" root.

/usr/bin/expect <<'EOF'
spawn firmwarepasswd -delete
expect "Enter password:"
send "PASSWORD_HERE\r"
# wait for the tool to exit rather than handing the session to a user (interact)
expect eof
EOF

sleep 5

reboot

After sending this through ARD immediately upon reboot I tested it out by booting to recovery which it allowed me to do confirming that EFI/Firmware password is off.

SOLVED Posted: 11/21/16 at 2:52 PM by aporlebeke

Cool. Thanks for sharing!

SOLVED Posted: 11/21/16 at 4:31 PM by todd.mcdaniel

@Chuey Firmware Password Manager includes a sample script that would cover the situation you described. Run through ARD, it scp's over your current password file and executes FWPM.

I have a version of FWPM written to run within the JSS that will be available soon.

SOLVED Posted: 3/29/17 at 3:22 PM by nberanger

Any update on this? I tried using the script supplied by @aporlebeke but it didn't work for me. Terminal requested a password when I ran the script, and then immediately rebooted the Mac. The firmware password was still on the machine though.

SOLVED Posted: 3/29/17 at 3:36 PM by todd.mcdaniel

@nberanger : I'm not sure if you're asking me. I've been sidelined with other priorities, but have (very) recently returned to working on Firmware Password Manager. I hate to use the word "soon" again, but hopefully soon, I'll have an updated package ready.

SOLVED Posted: 3/29/17 at 3:42 PM by nberanger

Hi @todd.mcdaniel , sorry I was actually just asking in general, thanks for the quick response though.

Has anyone else had any luck with changing/removing a firmware password?

Thanks!

SOLVED Posted: 3/29/17 at 3:52 PM by uurazzle

Hello @nberanger :

Yes, we are constantly changing and removing firmware password with our firmware password manager solution.

See his github repository for more information and to download:
Firmware Password Manager (FWPM)

And here is a presentation on the Firmware Password Manager (FWPM):
Firmware Password Manager (FWPM) Presentation

This tool that @todd.mcdaniel hinted would be updated soon...

SOLVED Posted: 3/29/17 at 6:50 PM by Chuey

@nberanger Have you tried my script a few posts up to remove the password? It works for me when deploying through ARD.

Thanks

SOLVED Posted: 3/30/17 at 8:56 AM by nberanger

Hi @Chuey I had tried yesterday but it wasn't working. The computer would reboot after the script ran, but the password was still on the machine when it powered back on.

I'll try playing with it some more though. Thanks.

SOLVED Posted: 3/30/17 at 8:57 AM by nberanger

Thanks @uurazzle This looks quite handy. I will certainly look into it more.

SOLVED Posted: 3/30/17 at 11:32 AM by Chuey

@nberanger I just tested on my 10.12.3 Macbook Air and it successfully removed the EFI password. Are you replacing "PASSWORD_HERE" with your actual password? What version of OS X are you running? Are you deploying this through ARD or are you running the script locally?

SOLVED Posted: 3/30/17 at 11:39 AM by nberanger

@Chuey I'm not sure what happened yesterday. I just tried your script now through ARD and it appears to have worked.

Is there any way that you know of that I can simply change the firmware password instead of removing it? I would prefer to be able to do that as opposed to having to remove it and then add it back again.

Thanks!

SOLVED Posted: 3/30/17 at 11:47 AM by uurazzle

@nberanger, to give credit where credit is due: that is actually our script, part of the Firmware Password Manager (FWPM) github repository from the University of Utah, Marriott Library, primarily written by a member of our group, Todd McDaniel.

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager/tree/master/example%20scripts

SOLVED Posted: 3/30/17 at 11:54 AM by CasperSally

@nberanger

I set firmware password via a custom policy with script below - in JSS parameter 5 is old password and parameter 6 is new password. For expect scripts you need to use parameter=argv+1. Now if only Jamf would let me obfuscate passwords in parameters in the JSS....

#!/usr/bin/expect
# Jamf passes mount point, computer name and user name as the first three
# arguments, so policy parameter 5 is argv index 4 and parameter 6 is index 5.
set oldpass [lindex $argv 4]
set newpass [lindex $argv 5]

spawn firmwarepasswd -setpasswd
expect {
    "Enter password:" {
        # current password; only prompted when one is already set
        send "$oldpass\r"
        exp_continue
    }
    "Enter new password:" {
        send "$newpass\r"
        exp_continue
    }
    "Re-enter new password:" {
        send "$newpass\r"
        exp_continue
    }
}
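The following is an added worked example, not Jamf's code and not any poster's, that pulls the expect-based approach of the ktappe, Chuey and CasperSally posts into one Jamf policy script for OS X 10.10 and later, with the failure modes reported in this thread handled: a current password that firmwarepasswd rejects (the "Enter password:" loop), passwords carrying shell or Tcl metacharacters or "!" (the case that ended up as an empty password), an unquoted heredoc expanding the password, and a tool exiting 0 without anything actually being set (the state is re-read with firmwarepasswd -check afterwards, using the "Password Enabled: Yes/No" output the extension attribute above parses). It assumes, as this example's own convention, policy parameters $4 = set|change|delete, $5 = current password and $6 = new password; the variable FWPW and the fw_* function names are likewise this example's own. It must run as root, which is what a Jamf policy or ARD "run as user" root gives it.

```shell
#!/bin/bash
# Added example (not Jamf's or any poster's code): a Jamf policy script that drives
# Apple's /usr/sbin/firmwarepasswd (OS X 10.10+) through expect, with the failure
# modes reported on this page handled. Assumed parameters: $4 = set|change|delete,
# $5 = current password, $6 = new password. FWPW is this example's own variable.

FWPW="${FWPW:-/usr/sbin/firmwarepasswd}"

# Map "firmwarepasswd -check" output to yes/no; anything else is "unknown".
fw_parse_check() {
    case "$1" in
        *"Password Enabled: Yes"*) echo yes ;;
        *"Password Enabled: No"*)  echo no ;;
        *)                         echo unknown ;;
    esac
}

# Refuse passwords this wrapper cannot pass safely: empty, whitespace, shell/Tcl
# metacharacters, and "!" (reported above to end up as an empty firmware password).
fw_password_ok() {
    [ -n "$1" ] || return 1
    if printf '%s' "$1" | LC_ALL=C grep -q '[][$`"\\{}![:space:]]'; then
        return 1
    fi
    return 0
}

# Pick the firmwarepasswd verb from the requested action and the current state.
fw_plan() {
    case "$1:$2" in
        set:no|change:yes|change:no) echo setpasswd ;;
        delete:yes)                  echo delete ;;
        set:yes|delete:no)           echo noop ;;      # already as requested
        *)                           echo error ;;
    esac
}

# Drive firmwarepasswd with expect. Passwords travel in the environment and the
# heredoc is quoted, so neither bash nor Tcl re-interprets their characters. A
# second "Enter password:" prompt means the current password was rejected; exit
# instead of looping forever (the loop a poster above hit).
fw_run_expect() {
    FWTOOL="$FWPW" FWVERB="$1" OLDPW="$2" NEWPW="$3" /usr/bin/expect <<'EOF'
set tries 0
spawn $env(FWTOOL) -$env(FWVERB)
expect {
    "Enter password:" {
        incr tries
        if {$tries > 1} { exit 2 }
        send -- "$env(OLDPW)\r"
        exp_continue
    }
    "Enter new password:"    { send -- "$env(NEWPW)\r"; exp_continue }
    "Re-enter new password:" { send -- "$env(NEWPW)\r"; exp_continue }
    timeout { exit 3 }
    eof     { catch wait result; exit [lindex $result 3] }
}
EOF
}

fw_main() {
    action="$4"; old="$5"; new="$6"
    [ -x "$FWPW" ] || { echo "$FWPW not found (OS X 10.10 or later needed)" >&2; return 1; }
    before=$(fw_parse_check "$("$FWPW" -check 2>&1)")
    verb=$(fw_plan "$action" "$before")
    case "$verb" in
        noop)  echo "nothing to do (password enabled: $before)"; return 0 ;;
        error) echo "usage: \$4=set|change|delete \$5=current \$6=new" >&2; return 1 ;;
    esac
    if [ "$verb" = setpasswd ] && ! fw_password_ok "$new"; then
        echo "refusing new password: empty or contains characters this wrapper cannot pass" >&2
        return 1
    fi
    fw_run_expect "$verb" "$old" "$new"
    rc=$?
    # Re-check rather than trust the exit code: exit 0 with nothing set was reported
    # above. (After "change" this still only proves that some password is set.)
    after=$(fw_parse_check "$("$FWPW" -check 2>&1)")
    case "$verb:$after" in
        setpasswd:yes|delete:no) echo "ok: firmware password enabled: $after"; return 0 ;;
        *) echo "FAILED: expect exit $rc, firmware password enabled: $after" >&2; return 1 ;;
    esac
}

# Jamf passes mount point, computer name and user name first, so $4-$6 exist only
# when this runs as a policy script with its parameters filled in.
if [ "$#" -ge 6 ]; then fw_main "$@"; fi
```

Run it from a policy with parameters 4 to 6 filled in; with fewer than six arguments it only defines the functions, which is what makes the helpers testable on a machine without firmwarepasswd. The new password still lives in the policy, so the caveat CasperSally raises stands: the JSS database and its policy logs hold it, and the character check here is deliberately strict rather than clever, since a password the wrapper cannot carry verbatim is worse than one it refuses.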
SOLVED Posted: 3/30/17 at 11:57 AM by Chuey

@uurazzle I actually got inspiration and direction from this thread. I never even looked at your firmware utility.

@nberanger Didn't change that password field did ya!? haha just kidding :) glad it worked for you.

Yes - here is the code to add it back:

#!/bin/bash
# Sets a firmware password when none is currently set, so no "Enter password:"
# prompt is expected. The heredoc delimiter is quoted so bash leaves the password
# text alone; Tcl still treats $, [ and \ inside the send string specially.
/usr/bin/expect <<'EOF'
spawn firmwarepasswd -setpasswd
expect {
    "Enter new password:" {
        send "PASSWORD_HERE\r"
        exp_continue
    }
    "Re-enter new password:" {
        send "PASSWORD_HERE\r"
        exp_continue
    }
}
# the block above returns when the tool exits (eof), so no further expect is needed
EOF

echo "Complete"

echo "Now sleep"
sleep 5

echo "Initiating Reboot. . ."
reboot

Let me know how that works.

SOLVED Posted: 3/30/17 at 12:18 PM by nberanger

@Chuey

Didn't change that password field did ya!? haha just kidding :) glad it worked for you.

It was the end of the day... so maybe? ;-)

SOLVED Posted: 3/30/17 at 12:19 PM by nberanger

@CasperSally Thanks, I just tested this out and it works great.

SOLVED Posted: 4/3/17 at 11:13 AM by estes

@CasperSally Somehow this reset my firmware password to something that doesn't match the line 6 parameter... I reversed the values hoping to recover the original firmware password. No luck.

SOLVED Posted: 4/3/17 at 11:25 AM by CasperSally

@estes

any non standard characters in what you had for parameter 6? I know we've had issues with some character that I'd guess would be fine in firmware (may have been exclamation point, not sure).

Anyone playing with firmware, I'd first test changing firmware within terminal using firmwarepasswd -setpasswd command to make sure the password you're trying to use is valid.

Once that's working, maybe script it like @Chuey script above and make sure that works with passwords in the script. Finally, if that works, migrate to the parameter script ran via jss because you don't want passwords living in scripts/db.

SOLVED Posted: 4/3/17 at 1:13 PM by estes

@CasperSally That's exactly what happened... exclamation point. Does it substitute another character?

Okay.... so it set a password of nothing. Deleting from terminal, when it asked for the password, I just pressed the return key and it deleted the password.

Like