Setting a firmware password?

tcandela
Valued Contributor II

Does setting a firmware password just involve using the EFI Password payload,

setting Security Level to 'command',

and giving it a password?

I read this article https://jamfnation.jamfsoftware.com/article.html?id=58 . Does it still apply?


JustDeWon
Contributor III

That is correct... and it works like a charm.

tcandela
Valued Contributor II

@JustDeWon Yep, just tested it, pretty easy.

If a user has admin rights, it looks like they can go into System Preferences and change the startup disk from there.

I will test on an FV2-enabled laptop also. I found that if FV2 is enabled and a person enters their FV2 password, they can then press Option and change/mess with the boot.

JustDeWon
Contributor III

Yeah... I would lock down the option to change the startup disk if your company would allow it.

For FV2-enabled Macs, I haven't run across anyone being able to change the boot at startup.

tcandela
Valued Contributor II

@JustDeWon How can I lock down the 'Startup Disk' option in System Preferences?

Note: these users are admins themselves.

mm2270
Legendary Contributor III

@JustDeWon How can I lock down the 'Startup Disk' option in System Preferences?

Configuration Profile. It's a built-in option, and nowadays you can specify a blacklist instead of a whitelist, which is much more user-friendly since it won't block any third-party preference panes by default.

JustDeWon
Contributor III

Configuration Profile > Restrictions > check "Restrict items in System Preferences" > "disable selected items" > select Startup Disk
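The EFI Password payload at the 'command' level discussed at the top of the thread is the same setting the `firmwarepasswd` tool manages from the command line (Intel Macs only; Apple silicon Macs have no firmware password and the tool is absent there), and the Startup Disk restriction just described lands on the client as a managed preference. The script below is an added example, not code from the thread or from Jamf: an extension-attribute-style check that reports both, so a smart group can catch Macs where the payload or profile did not apply. It assumes the `Password Enabled:` and `Mode:` output lines of `firmwarepasswd -check` and `firmwarepasswd -mode`, that the computer-level managed preference is written to `/Library/Managed Preferences/com.apple.systempreferences.plist` with a `DisabledPreferencePanes` array containing `com.apple.preference.startupdisk`, and the `<result>` tag convention of Jamf extension attributes. The sample outputs used in the fallback branch are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from Jamf: a Jamf-style extension attribute
# that reports firmware-password posture and whether the Startup Disk pane is
# blocked by a configuration profile. Run as root on an Intel Mac (Jamf runs
# extension attributes as root, and firmwarepasswd needs it). Apple silicon Macs
# have no firmware password, so /usr/sbin/firmwarepasswd does not exist there.
#
# The EFI Password payload expressed with the same tool (assumption: equivalent
# settings, not a statement about how Jamf applies the payload internally):
#   firmwarepasswd -setpasswd          # prompts for the new password
#   firmwarepasswd -setmode command    # "command": password only for alternate boot
#                                      # "full":    password on every boot

# Reduce `firmwarepasswd -check` and `firmwarepasswd -mode` output to one token.
# Both outputs are passed as arguments so the logic can be exercised offline.
fw_status() {
    c_out="$1"
    m_out="$2"
    enabled=$(printf '%s\n' "$c_out" | awk -F': *' '/Password Enabled/ {print $2}')
    mode=$(printf '%s\n' "$m_out" | awk -F': *' '/^Mode/ {print $2}')
    case "$enabled" in
        Yes) printf 'enabled:%s\n' "${mode:-unknown}" ;;
        No)  printf 'disabled\n' ;;
        *)   printf 'unknown\n' ;;   # tool missing, not root, or output format changed
    esac
}

# Given the `defaults read` output of the managed com.apple.systempreferences
# DisabledPreferencePanes array, say whether the Startup Disk pane is in it.
startup_disk_blocked() {
    if printf '%s\n' "$1" | grep -q 'com\.apple\.preference\.startupdisk'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Assumption: computer-level managed preferences are written under this path.
MANAGED_PREFS="/Library/Managed Preferences/com.apple.systempreferences"

if [ -x /usr/sbin/firmwarepasswd ]; then
    check_out=$(/usr/sbin/firmwarepasswd -check 2>/dev/null || true)
    mode_out=$(/usr/sbin/firmwarepasswd -mode 2>/dev/null || true)
    panes_out=$(defaults read "$MANAGED_PREFS" DisabledPreferencePanes 2>/dev/null || true)
    printf '<result>firmware=%s startupdisk_blocked=%s</result>\n' \
        "$(fw_status "$check_out" "$mode_out")" \
        "$(startup_disk_blocked "$panes_out")"
else
    # Not an Intel Mac (or not macOS): report that, then run the parsers on
    # constructed sample output so the script demonstrates itself anywhere.
    printf '<result>firmware=not_applicable</result>\n'
    sample_check='Password Enabled: Yes'
    sample_mode='Mode: command'
    sample_panes='(
    "com.apple.preference.startupdisk"
)'
    printf 'sample: firmware=%s startupdisk_blocked=%s\n' \
        "$(fw_status "$sample_check" "$sample_mode")" \
        "$(startup_disk_blocked "$sample_panes")"
fi
```

A Mac that reports `firmware=enabled:command startupdisk_blocked=yes` matches the setup the thread describes; `firmware=disabled` on a Mac scoped to the payload is the case worth a smart group, since the password only takes effect once the payload has actually been applied and the Mac has rebooted.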

tcandela
Valued Contributor II

@mm2270 Yep, found it; I had a feeling it would be in a Configuration Profile.

tcandela
Valued Contributor II

I am curious to know:

How many of you set the firmware password?
For all your Macs (iMacs, laptops)?
What is your reasoning for setting it?

mm2270
Legendary Contributor III

We set it on all Macs, laptops, desktops, etc. Our reasoning? Well, it's mostly because our security office probably read some gov't recommendation/best practice on securing Macs, and enabling a firmware password was one of the recommendations. So they force us to do it.
Truthfully, if you have FileVault enabled on your Macs, as we do on all mobile Macs, it negates some of the need for the firmware password. With encryption on, all the local data is inaccessible to someone who acquired or stole the Mac, unless they know or can crack the password, which isn't going to be likely. The most they could do is wipe the system and try to reinstall the OS, which isn't great I suppose, but it wouldn't constitute a security compromise.

A secondary reason we do it is because we need to prevent some of our more advanced clients from trying to use their Mac booted from another insecure, non-protected partition or external disk, like installing a non-managed version of OS X on a bootable drive and using their Mac from that. This also applies to things like Boot Camp, which is strictly off limits here. Once a firmware password is in place, it stops them from doing an alternate boot (we also block the Startup Disk preference pane with a Config Profile).

Sadly, this whole setup also prevents clients from doing something as helpful as booting to Recovery HD and running a full disk repair for some self-triage. For our remote home-based workers, this is problematic to say the least. If their Mac isn't booting correctly, they either need to ship it to an office for a tech to work on it, or drive possibly hundreds of miles to the nearest company office. A pain to say the least. I've wished (and we've officially requested) for some way for Apple to include an extra alternate boot option or two with a firmware password enabled, like a separate password to use Recovery HD only but a stricter password to lock out booting from another disk or disabling the firmware password. I doubt we will ever get this, though. But it would be very helpful if it worked that way.

We seem to be leaning in the direction of eventually removing the firmware password from our Macs, though nothing has been decided yet. It's proven to be more of a hassle than a security benefit when looking back at it now over the last 4-5 years. As I mentioned, it's most useful when you don't have full disk encryption enabled, since it blocks anyone with access to the Mac from getting to the data from another boot partition, Single User Mode, etc.

tcandela
Valued Contributor II

@mm2270 I have FV2 set up on all MBAirs/MBPros. Recently a user returned a MBPro and completely wiped it themselves; this was like the 4th time this has happened, so I've decided to test having a firmware password on two MBPros I recently set up. I also configured a configuration profile on those two computers to disable 'Startup Disk'. Yep, having the firmware password stops users from using those helpful boot options.

KSchroeder
Contributor

I guess I'm not seeing (in Jamf Pro 10.1.1) where we can restrict users from setting a firmware password. There is a "Passcode" option that lets you force one; is that ultimately the same, just with a different name? I'm thinking that this, though, is more like what you get when you "Lock" a Mac (from Find My iPhone in iCloud or via the Jamf console Lock command). Our security team doesn't want users to be able to lock out their machines (i.e. as some sort of retribution/data access blockage action if they are terminated, etc.).

rodders
New Contributor III

@mm2270 I liked your reasoning for the firmware password; good for and against.
One point that we're trying to address is that if a Mac is stolen, you can simply wipe it from an external USB and reuse it. There's no forcing someone to register DEP enrollment if you simply don't connect it to the internet during Setup Assistant.

Is this something that you guys have discussed?