Configuration Profile for Firmware (EFI) Password Management (starting High Sierra)

Starting with macOS 10.13, two commands, SetFirmwarePassword and VerifyFirmwarePassword, let MDM manage firmware passwords.

It's Jamf's goal to fully support all MDM features that Apple releases, but it seems "Firmware (EFI) Password Management" is not in Jamf Pro 10.

Mobile Device Management (MDM) Protocol: Firmware (EFI) Password Management

Posted: by martin

Wondering when Jamf will implement this in Jamf Pro since their focus is on Apple only and they express themselves as the company that supports all features Apple provides.

One of the biggest advantages of managing the Firmware password using the MDM Protocol is that you can reset the Firmware Password. With the current Firmware Policy you have to know the current password. If a user has set the password you're unable to remove this. This feature request will allow you to set, reset or remove the Firmware Password.

Please add this!

Posted: by gachowski

Let's vote this up... it's a big deal with the new hardware...

C

Posted: by bpavlov

@gachowski Can you elaborate on that? What's so special about the new hardware that makes managing firmware passwords different in terms of priority?

Posted: by gachowski

@bpavlov

I could be wrong but I think that a firmware password is the only way to lock down secure boot and SIP.

: )

C

Posted: by bpavlov

Giving this another bump because we're almost at 10.13.5, which is most likely the last major update (or close to it) for High Sierra, and yet this hasn't been implemented.

Posted: by Strawberryjamf28

BUMP

Posted: by bpavlov

I'm sure the features are set for Jamf Pro 10.7 at this point, but I'd love to see this looked at in Jamf Pro 10.8.

Posted: by simon.brown

+1 want this added!

Posted: by bentoms

+1.. would love to see this

Posted: by merps

+1

Posted: by RobertHammen

Yep, in the Federal government space, I need to rotate firmware passwords periodically as well. Would really, really like this feature so it would make that job easier.

Posted: by seanhansell

New configuration profiles are dependent first on Apple to develop before Jamf can support. This request should be made with Apple first.

Posted: by bpavlov

@seanhansell This is true. However, did you read the original feature request? It has nothing to do with Apple in this case. This has been part of the MDM Protocol Reference Guide as of macOS 10.13.

Starting with macOS 10.13, two commands, SetFirmwarePassword and VerifyFirmwarePassword, let MDM manage firmware passwords.

It hasn't been implemented because Jamf has not implemented it. Just like they haven't implemented the majority of these MDM features: https://www.jamf.com/jamf-nation/discussions/28360/list-of-configuration-profile-payloads-and-mdm-commands-not-implemented-by-jamf

Posted: by bentoms

Bumpety bumpety, bump bump bump

Posted: by mscottblake

I feel like I need to add my name to this and say that this could be a huge win for some people. I was just told last week that I have to drive a computer to the Apple Store (closest is 90 minutes away) to clear an EFI password from a former employee.

To me, adding features that are already in the MDM spec that can help prevent catastrophic loss should be pretty high on the priority list.

Posted: by franton

Oh I've made the trip to the Apple Store with an EFI locked iMac and the proof of purchase paperwork before. Anything that stops me doing that is a good thing.

Posted: by gachowski

@mscottblake

I have read that if you have GSX access, you can do it through GSX chat...

C

Posted: by mtward

+1 This would be great for everyone. Please implement!

Posted: by jgsims

bump

Posted: by jmariani

BUMP!

Posted: by lazyGhost

And my Axe!

Posted: by JoshRouthier

And my Sword!

Posted: by merps

bump

Posted: by Sterritt

One does not simply waltz into Mordor without an MDM-provided EFI firmware reset!

Is there any kind of ETA on this?

Without this feature how are large orgs handling fleets’ firmware passwords?

Posted: by charles.hitch

Bump

Posted: by corbinmharris

Why hasn't this been added to Casper? Currently stuck in firmware hell :(

Posted: by jeremyAtOmada

I just posted this. Maybe someone will find it useful.
https://www.jamf.com/jamf-nation/discussions/33124/efi-management-i-made-a-thing

Posted: by joeselway

needs moar bump

Posted: by RobertHammen

Still have a strong need for this. Still waiting for Jamf to give us a timetable on when this functionality, which has been in the MDM framework for a long time now, will actually be implemented.
