[MacTUG] [UW-MFCF #79079] Mac Labs - firmware password problems with 2011 imacs

Steve Hellyer phasetwo at apple.com
Wed Sep 7 12:33:31 EDT 2011


Hi Ian,

Great to hear! And here's a bit more info/ideas...

Yes, there is a new tool with these newer Mac systems (I believe this started around February?) where you can set the open firmware password with the 'setregproptool', which is embedded in the new 2.0 Firmware Password Utility.app.  There are several ways to extract this tool from the app; it is located in 'Firmware Password Utility.app/Contents/Resources/'.

You have two options when using the setregproptool, which you can extract and use remotely via ARD.
You can remove the current Firmware password you have deployed, or you can change the behaviour from requesting the password when you reboot the machine to leaving the password in place but only prompting when a secondary device or bootable volume is attached to the machine.

There are two security modes: 'Full' mode, which requires a password to boot the machine, and 'Command' mode, which only requires entry of the password if the boot picker is invoked to select a different boot device.

I would recommend the command mode; it is a good idea to have a Firmware password in place.

Steps to take:
	• Test on one machine, and then apply to all.
	• Using ARD:
	• Copy 'setregproptool' to /usr/bin/ and set permissions to be inherited
	• Use Send Unix command to send out the following command: 
		• /usr/bin/setregproptool -m command
	• You may need to include the current password and then the new password along with the command for it to set, if the above does not work, try this:
		• /usr/bin/setregproptool -o typeyourpassword -m command -p typeyourpassword
	• If you simply want to remove it, then the following should work:
		• /usr/bin/setregproptool -d -o typeyourpassword
	• Reboot your test machine and test your settings
	• If good, apply to all machines in the lab

Here is the usage information:
Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>]

    -c              Check whether password is enabled. 
                            Sets return status of 0 if set, 1 otherwise.
    -d              Delete current password/mode.
                            Requires current password on some machines.
    -p              Set password.
                            Requires current password on some machines.
    -m              Set security mode.
                            Requires current password on some machines.
                            Mode can be either "full" or "command".
                            Full mode requires entry of the password on every boot, command mode only requires entry of the password if the boot picker is invoked to select a different boot device.

                    When enabling the Firmware Password for the first time, both the password and mode must be provided.
                    Once the firmware password has been enabled, providing the mode or password alone will change that parameter only.

    -o              Old password.
                            Only required on certain machines to disable or change password or mode. Optional, if not provided the tool will prompt for the password.

Hope this helps!

Steve

On 2011-09-07, at 12:04 PM, Ian Turner wrote:

> thanks Steve
> Yes, we could change the workflow, but I was concerned about the long run
> 
> Dale Kentner from CampusTech has been talking to his Apple Support, and found out the new process, so we are going to walk through it on one machine as a sample - the rest of the new order are already in the labs, and we're happy to have the firmware password set!!!
> 
> And, I'm going to have to eat my words, again - I'll post to everyone, but Ed found a different install disk from the same set of machines, and it worked for re-setting or turning off the firmware password!!!
> 
> Ian
> 
> On 2011/09/07 11:39 , Steve Hellyer via RT wrote:
>>     Serial #: 79079
>>      Subject: Mac Labs - firmware password problems with 2011 imacs
>>        Owner: iturner echrzano
>>   Requesters: iturner
>>       Status: open
>> 
>> commented
>> 
>> From: Steve Hellyer<phasetwo at apple.com>
>> To: rt-owner at math.uwaterloo.ca
>> 
>> Date: Wed, 07 Sep 2011 11:38:47 -0400
>> From: Steve Hellyer<phasetwo at apple.com>
>> To: Ian Turner<iturner at uwaterloo.ca>
>> Cc: "MacTUG at lists.uwaterloo.ca"<MacTUG at lists.uwaterloo.ca>,
>>  Ian Woodley<iwoodley at uwaterloo.ca>,         Dale F Kentner
>>  <dkentner at uwaterloo.ca>,         Peter Schepers
>>  <schepers at ist.uwaterloo.ca>,         Silvia Stalzer
>>  <sstalzer at uwaterloo.ca>,
>> Subject: Re: [MacTUG] mid-2011 imac and firmware password issue and
>>  DeployStudio
>> 
>> Hi Ian,
>> 
>> You are correct, the firmware on these new machines is much more strict.   Let's face it, the old way was pretty easy to get around. Students and others were knowledgeable on how to defeat it.
>> Question: Can you not hold down option key, enter password, and then set startup to your imaging server and image that computer?  Workflow should skip the setting of password in this case.
>> 
>> Steve
>> 
>> On 2011-09-07, at 10:14 AM, Ian Turner wrote:
>> 
>>> [snip...]
>> 
>> -------------------------------------------------------
>> Steve Hellyer
>> Pre-Sales Systems Engineer
>> Apple Canada Inc.
>> 7495 Birchmount Rd.
>> Markham, Ontario, Canada
>> L3R 5G2
>> 
>> PH: (905)513-5647
>> Mailto: phasetwo at apple.com
>> 
>> Training Websites
>> http://training.apple.com/
>> http://www.witzapplecertifiedtraining.com/
>> 
>> AppleCare Online Support
>> http://www.apple.com/ca/support/
>> 
>> AppleCare Technical Phone Support
>> tel:1-800-263-3394  (basic up and running support for individual consumers)
>> 
>> AppleCare Enterprise Level Support
>> http://www.apple.com/ca/support/products/macosxserver_sw_supt.html
>> 
>> AppleCare Service Locations (Canada)
>> http://www.apple.ca/buy/locator/
>> Select Service Locations from pull down menu
>> 
>> 
>> -------------------------------------------- Managed by Request Tracker

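The steps in the message above, wrapped as one script suitable for an ARD "Send Unix command" task. This is an added example, not code from the original message or from Apple; it uses only the setregproptool flags shown in the usage text, and the variable names FW_APPLY, FW_OLD and FW_NEW are hypothetical.

```sh
#!/bin/sh
# Added example (not Apple's code): enforce "command" mode via setregproptool.
# The tool path follows the message; FW_APPLY, FW_OLD and FW_NEW are
# hypothetical variable names chosen for this sketch.
SETREGPROPTOOL="${SETREGPROPTOOL:-/usr/bin/setregproptool}"

# fw_enforce_command_mode OLD NEW
# Returns 0 on success, 2 tool missing, 3 tool refused the change,
# 4 no password supplied, 5 password still not enabled afterwards.
fw_enforce_command_mode() {
    old="$1"
    new="$2"
    [ -x "$SETREGPROPTOOL" ] || { echo "setregproptool not found" >&2; return 2; }
    [ -n "$new" ] || { echo "no password supplied" >&2; return 4; }

    # -c exits 0 when a firmware password is already enabled, 1 otherwise.
    if "$SETREGPROPTOOL" -c; then
        # Already enabled: supply the current password with -o, as in the
        # second command from the message.
        "$SETREGPROPTOOL" -o "$old" -m command -p "$new" || return 3
    else
        # First-time enable: the usage text requires both mode and password.
        "$SETREGPROPTOOL" -m command -p "$new" || return 3
    fi

    # -c only confirms that a password is enabled; the mode itself still
    # needs the reboot test on one machine described in the steps.
    "$SETREGPROPTOOL" -c || return 5
    return 0
}

# Run only when explicitly requested, so the file can also be sourced.
if [ "${FW_APPLY:-0}" = "1" ]; then
    fw_enforce_command_mode "${FW_OLD:-}" "${FW_NEW:-}"
fi
```

Passwords passed with -o and -p are visible in the process list while the tool runs, so keep the window short and use a lab-specific password.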