Firmware Password (macOS 10.14 Mojave+)

Description

Apple has changed how this works across versions of macOS.  The following is a method that should work with macOS 10.10+ machines.  For our previous Fileset methods please see:

This recipe allows for creating, changing or deleting the Firmware password.

The script in this recipe sets the Firmware password of macOS devices. If set incorrectly, you could become locked out of the device. FileWave offers this script as is; use of this script is at the user's understanding and risk, and FileWave holds no responsibility for devices that become locked and unusable. If concerned, please refrain from using this script.

macOS Catalina

This script has been tested successfully on macOS Catalina (10.15.x).


Ingredients

  • FileWave
  • macOS 10.11+
  • Supplied Fileset

macOS versions

This method uses the binary 'firmwarepasswd'. This was known to exist in all versions of macOS 10.10 and above. It is possible that it was introduced in later versions of 10.9. However, FileWave 13+ supports macOS 10.11+.


Directions

  1. Download the above Fileset recipe and import into FileWave
  2. Duplicate the Fileset and append the name appropriately: New, Change or Delete
  3. Change the Launch Arguments to match the renamed duplicated Fileset based upon the below table
  4. Edit the script if required for reboot options or set Fileset Properties Reboot
  5. Associate, test and then deploy

Launch Arguments

To set the Launch Arguments

  • Open the Fileset
  • Select the script within the Fileset
  • Choose Get Info
  • Select Executable tab

There are 3 options for this Fileset: New, Change or Delete.  The Launch Arguments should be set as required based upon these options as seen in the table below:

Launch Argument   New            Change         Delete
1                 new            change         delete
2                 new password   new password   old password
3                                old password

Examples

Reboot Options

By default, the script will not reboot once completed.  However, a reboot is required after setting.  This could be achieved by setting the Fileset Properties.  Alternatively, an option is built into the script to allow for this.  Please edit the script appropriately:

reboot_flag=false
# Default - do not reboot at script end; consider using Fileset properties for reboot.
# Firmware password change requires reboot.  Tests for alternate boot drive selected
# Alternative options: error, set or ignore
# Use ignore to set default to reboot
# Uncomment command as desired
# error: Script will abort and no firmware password will be set if set boot drive does not match current booted drive
# reboot_device error
# set: Script will set the firmware password without a reboot attempt if set boot drive does not match current booted drive
# reboot_device set
# ignore: Script will continue regardless, setting firmware password and rebooting
# reboot_device ignore

If choosing an option that does not reboot, the device will need a reboot before the firmware password setting is complete.

Options 'error' and 'set' check whether the currently set boot drive matches the currently booted drive.  If true, both options will continue to set the firmware password.  If false, 'error' will exit with an error without making any change, whilst 'set' will set the password but will not reboot.

All options ('set', 'error' and 'ignore') will ensure, on success, that the currently set boot drive matches the currently booted drive before rebooting.

Examples:

For the script to reboot, un-hash the following line:

# ignore: Script will continue regardless, setting firmware password and rebooting
reboot_device ignore

To allow the password to be changed, but only reboot if set boot drive matches currently booted drive, un-hash the following line:

# set: Script will set the firmware password without a reboot attempt
reboot_device set

Only un-hash one line from these options.
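
The following is an added example, not FileWave's script: a dry-run pre-flight that applies the Launch Arguments table and the reboot_device rules above before anything touches the firmware. The function names, the "none" mode name, the result strings and the rule that 'new' requires no existing password are assumptions of this sketch; "Password Enabled: Yes/No" is the text printed by firmwarepasswd -check.

```shell
# Added example: dry-run pre-flight checks; it never runs firmwarepasswd.
# The caller passes in the text printed by `firmwarepasswd -check`.
# Function names, the "none" mode and result strings are assumptions.

# check_args ACTION ARG2 ARG3: enforce the Launch Arguments table.
check_args() {
    case $1 in
        new|delete) [ -n "$2" ] && [ -z "$3" ] ;;  # exactly one password
        change)     [ -n "$2" ] && [ -n "$3" ] ;;  # new, then old password
        *)          return 1 ;;
    esac
}

# check_state ACTION CHECK_OUTPUT: the action must fit the current state.
# Assumed policy: new needs no password set; change/delete need one.
check_state() {
    case $2 in
        *"Password Enabled: Yes"*) enabled=yes ;;
        *"Password Enabled: No"*)  enabled=no ;;
        *) return 1 ;;                             # unparseable: refuse
    esac
    case "$1:$enabled" in
        new:no|change:yes|delete:yes) return 0 ;;
        *) return 1 ;;
    esac
}

# reboot_plan MODE SET_BOOT_DRIVE BOOTED_DRIVE: error/set/ignore rules
# as described in Reboot Options; "none" stands for the no-reboot default.
reboot_plan() {
    if [ "$2" = "$3" ]; then match=yes; else match=no; fi
    case "$1:$match" in
        none:*|set:no) echo "apply,no-reboot" ;;
        ignore:no)     echo "apply,reselect-booted-drive,reboot" ;;
        error:yes|set:yes|ignore:yes) echo "apply,reboot" ;;
        *)             echo "abort" ;;             # error:no, unknown mode
    esac
}

# preflight ACTION ARG2 ARG3 CHECK_OUTPUT MODE SET_DRIVE BOOTED_DRIVE
preflight() {
    check_args "$1" "$2" "$3" || { echo "abort: bad launch arguments"; return 1; }
    check_state "$1" "$4" || { echo "abort: state does not fit '$1'"; return 1; }
    plan=$(reboot_plan "$5" "$6" "$7")
    [ "$plan" != abort ] || { echo "abort: boot drive check failed"; return 1; }
    echo "$plan"
}

# Constructed sample run: change on an enabled Mac, drives differ, mode "set".
preflight change 'new-pw' 'old-pw' 'Password Enabled: Yes' set disk2s1 disk1s1
```

Running the pre-flight first means a mistyped Launch Argument or a boot drive mismatch is reported before the firmware password is touched.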

Firmware Password Unlock Seed

The unlock seed is a unique recovery key that can be used by Apple to unlock a device in the event of the password being forgotten.  Please see the following KB for an example Custom Field that may be used to report this key:

EUD Security Guidance: macOS 10.13 High Sierra