How to automate setting a firmware password on Apple computers

Securing Mac computers means more than just protecting the data: limiting how a user can gain access to a device is easy to enable with a single command.

By virtue of its Unix-based underpinnings, macOS shares its security foundation with other operating systems, most notably Linux and its various distributions. Apple has always championed end-user security and the right to data privacy, as recently as its newest, yet-to-be-released version of macOS, dubbed Mojave.

While this benefits personal and corporate users alike, the sad fact remains that any security protection is essentially useless if it is not enabled or configured properly. One protection that is often ignored is the firmware password built into every Mac, new and old.

The firmware, meaning the low-level settings that control how the device operates and interfaces with its components, also holds a few backdoors: it lets users reset forgotten passwords on any local account, boot other OSes to sidestep software-level security protections, and reach the Recovery partition, which has full network connectivity and a bash shell that can be used to overwrite or reinstall the protected macOS installation or to aid data exfiltration.

It is imperative that the firmware be locked down to prevent these and other forms of sophisticated attack on your devices. Admins often neglect to secure the firmware on their devices, leaving them open to compromise.

There is no longer any excuse for that neglect, because enabling the firmware password is simple on Macs running at least OS X 10.10. Using a single command, admins can set the firmware password manually if they choose, or they can use a deployment tool such as Apple Remote Desktop (ARD), JAMF Casper, DeployStudio, or Apple's Profile Manager (basically any management/deployment console that can run Terminal commands remotely) to set the firmware password on local devices quickly, with little or no interaction depending on the level of automation desired.

Manually setting the firmware password

sudo firmwarepasswd -setpasswd

The command above, running with elevated privileges, will first prompt for admin authentication (that is sudo's own prompt), then prompt once for the desired firmware password, then prompt again to confirm it. That's it!

Automatically applying the firmware password

#!/usr/bin/expect -f
# Must run as root (launch it with sudo, or let the management tool run it as
# root); otherwise the spawned sudo stops at its own password prompt, which this
# script does not answer. If a firmware password is already set, firmwarepasswd
# first asks for the existing one; this script only handles the initial setting.
set fwpass "FirstPassword"
set timeout 30
spawn sudo firmwarepasswd -setpasswd
expect {
     "Enter new password:" {
          send "$fwpass\r"
          exp_continue
     }
     "Re-enter new password:" {
          # the confirmation must match the first entry or firmwarepasswd rejects it
          send "$fwpass\r"
          exp_continue
     }
     eof
}

As written above, the script also requires elevated privileges to run (launch it as root, or sudo will stop at its own password prompt). Because all of the required information is already in the script, the admin will not be prompted for anything else.

Once the command is executed by any of the previous methods, the device will require a restart to complete the process of securing the firmware against unauthorized access.
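The following wrapper is an added example, not code from the article or from Apple, that turns the steps above into an idempotent deployment script: it consults `firmwarepasswd -check` first, drives the two prompts with expect only when no password is set yet, and verifies the result so the management console gets a meaningful exit status. It assumes it runs as root (as ARD or a similar tool would run it), that expect is installed (it ships with macOS), and that the password arrives in an environment variable named FW_PASSWORD (my convention, not Apple's); the file name in the usage comment is arbitrary.

```shell
#!/bin/sh
# Added example: idempotent firmware-password deployment wrapper (not from the article).
# Assumes: running as root, `expect` present, password supplied in $FW_PASSWORD.
# Usage (file name is arbitrary): FW_PASSWORD='...' sh ensure-fw-password.sh run

# Returns 0 when a firmware password is already enabled, 1 otherwise.
# Parses the "Password Enabled: Yes|No" line printed by `firmwarepasswd -check`.
fw_password_enabled() {
    firmwarepasswd -check 2>/dev/null | grep -q 'Password Enabled: Yes'
}

# Drives the two prompts of `firmwarepasswd -setpasswd` with expect.
# The password is handed to expect as an argument, so it never appears as a
# literal inside a script file on disk. Both prompts receive the same value.
# Returns firmwarepasswd's own exit status.
set_fw_password() {
    expect -f - "$1" <<'EOF'
set fwpass [lindex $argv 0]
set timeout 30
spawn firmwarepasswd -setpasswd
expect {
    "Enter new password:"    { send "$fwpass\r"; exp_continue }
    "Re-enter new password:" { send "$fwpass\r"; exp_continue }
    eof
}
lassign [wait] pid spawnid os_error exit_status
exit $exit_status
EOF
}

# Orchestrates the whole step. Exit codes: 0 set (or already set),
# 2 no password supplied, 3 firmwarepasswd failed, 4 post-set verification failed.
ensure_fw_password() {
    if fw_password_enabled; then
        echo "firmware password already enabled; nothing to do"
        return 0
    fi
    [ -n "$FW_PASSWORD" ] || { echo "FW_PASSWORD is not set" >&2; return 2; }
    set_fw_password "$FW_PASSWORD" || { echo "firmwarepasswd failed" >&2; return 3; }
    fw_password_enabled || { echo "verification failed" >&2; return 4; }
    echo "firmware password set; a restart is required for it to take effect"
    return 0
}

# Only act when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
    ensure_fw_password
fi
```

Checking first matters for two reasons: re-running the policy on a machine that already has a password is a no-op instead of an error, and it avoids the case where firmwarepasswd asks for the existing password before accepting a new one, a prompt the expect block does not answer. The distinct exit codes let the deployment console report which machines still need attention rather than burying the failure in captured output.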

About Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...
