Mac OS X,  Mac Security,  Mass Deployment

Those Pesky Firmware Passwords

The summer is upon us. Our users are watching videos like this one:

While it’s actually way easier than what they show here, let’s look at stopping people from circumventing our admin goodness using the old school firmware password. Keep in mind, these passwords are somewhat easily reversible as they’re encrypted in a junior varsity way, so don’t use the same password that you use for anything else. To create our password in a script, we’re going to use EFIPW available http://code.google.com/p/efipw. Move the download to somewhere like /usr/local/bin folder. Then, to set the password to supah-secret:

efipw_0.2b.py -p supah-secret -m command

The client will now be in command mode, unless the password is typed in. This disables booting from anything but internal hard drives. Full mode is a bit more annoying as it requires a password every reboot:

efipw_0.2b.py -p supah-secret -m full

Now, we can take off our tin foil hats. Disabling EFI passwords is then as easy as sending the following through ARD:

nvram -d security-mode
nvram -d security-password

The above would need to be part of any ARD templates that involve a bless command, etc… Now that we’ve used some of the worse encryption ever, I’ll queue up Dirty Deeds, Done Dirt Cheap and sip some Budweiser. Enjoy.