-
-
Save talkingmoose/7f3d4b75c22e21332a11117937765247 to your computer and use it in GitHub Desktop.
| #!/bin/bash | |
| function logresult() { | |
| if [ $? = "0" ] ; then | |
| echo "$1" | |
| else | |
| echo "$2" | |
| exit 1 | |
| fi | |
| } | |
| # verify whether a firmware password is set | |
| echo "Checking for existing firmware password" | |
| checkFirmwarePassword=$( /usr/sbin/firmwarepasswd -check ) | |
| # if a firmware password is already set, stop the script and report failure in Jamf Pro | |
| if [ "$checkFirmwarePassword" != "Password Enabled: No" ] | [ -d /private/tmp/.fp ]; then | |
| echo "A firmware password is already set. Doing nothing." | |
| exit 0 | |
| else | |
| echo "No firmware password set" | |
| fi | |
| # create obscure directory | |
| fpdirectory="/private/var/.fp" | |
| /bin/mkdir -p "$fpdirectory" | |
| logresult "Creating \"$fpdirectory\" directory" "Failed creating \"$fpdirectory\" directory" | |
| # generate random password | |
| randpassword=$( /usr/bin/openssl rand -hex 6 ) | |
| logresult "Generating 8-character firmware passcode: $randpassword" "Failed generating 8-character firmware passcode." | |
| # write random password to temporary file | |
| /usr/bin/touch "$fpdirectory/$randpassword" | |
| logresult "Writing password to file \"$fpdirectory/$randpassword\"" "Failed writing password to file \"$fpdirectory/$randpassword\"" | |
| # update Jamf Pro computer record with firmware password and set only if inventory was updated | |
| /usr/local/bin/jamf recon && /usr/local/bin/jamf setOFP -mode command -password "$randpassword" | |
| # set the firmware password only after a successful inventory update to Jamf Pro | |
| if [ $? = "0" ]; then | |
| echo "Updating Jamf Pro inventory to upload firmware password" | |
| echo "Setting firmware password" | |
| exit 0 | |
| else | |
| echo "Failed setting firmware password" | |
| exit 1 | |
| fi |
| #!/bin/bash | |
| echo "<result>$( ls /private/var/.fp )</result>" | |
| exit 0 |
This is awesome and thank you @talkingmoose!
One thing that I am thinking of though, is that if a device was to be re-imaged then that firmware password EA would blank itself out on re-enrolment.
Have you any thoughts as to a potential "part 2" for this, in terms of ensuring that the firmware password is escrowed safely to a less ephemeral location?
Thanks again! :)
@peterlewis, unfortunately, this is the pitfall of how Jamf's Extension Attribute via script works. Even if the script terminates itself without echoing a result, Jamf Pro still considers this an empty response or <result></result>, which clears the data.
I haven't tested whether disabling Settings > Global Management > Re-enrollment > Clear extension attribute values on computers and mobile devices will preserve the data in Jamf Pro.
@talkingmoose
In the company I work, your solution has been implemented (before I joined) and works fine.
The only drawback I've just experienced is when you "startosinstall --eraseinstall" and re-enroll as pre-staged. The script worked as if no EFI password had been generated although there was one already. A new random key was created and uploaded in EA. But I have no trace of the original EFI password now.
Although there's a safety in the code to exit if it's Password Enabled, it does not seem to have worked for me. I've just earned the privilege of going to an AASP to have the computers reset.
@PascalAD if it's a t2 macbook, you should be able to revive the mac without data loss. But you're right, as said earlier this is a limitation of the script where jamf will delete it out if a machine is re-enrolled. If you use this, I would probably make use of a script that backs up your firmware passwords using api daily. Either that, or uploading it as an attachment
@dev-yeet thank you very much for the tip. I needed to go to the restore step. But now I don't EFI password anymore.
:/ you're right, I remembered wrong; dropping link in case it helps anyone else in the future.
https://mrmacintosh.com/how-to-remove-mac-firmware-password-new-way-if-you-have-a-2018-2020-t2-mac/
just tested this out and wanted to point this out:
I have a firmware password enabled and this script as is will still generate one, set it, and recon it to jamf i'm assuming due to it checking for /private/tmp/.fp and not /private/var/.fp
If you don't remove the recovery key generated , when the updated script/policy runs again the machine will show having a firmware password but because the script ran prior, there exists a firmware password on the machine that will still populate that machine's EA during a normal recon.