Securing your Mac doesn't just mean locking down macOS and/or software settings. Protecting the firmware is just as important to prevent unauthorized modifications to the system.
Given the security breaches and issues that have increased in frequency over the last few years, it boggles the mind how security is relegated to an afterthought by organizations and IT staff in place to protect against issues in the first place. In my 20+ years in the IT field, I simply cannot count how many times I've worked at sites with knowledgeable, talented staff who fail to lock down the firmware on their systems, leaving them wide-open to any number of attacks—intentional and unintentional.
During a recent gig deploying Mac laptops used by students as part of a special take-home program, devices requiring tight controls to maintain the integrity of the program were returned by staff and students running unsupported applications and compromised local service accounts used by IT for management. Some devices were even reformatted, with macOS reinstalled and/or FileVault 2 enabled, effectively locking everyone but the sole user out of the device.
Issues such as these can be mitigated with firmware passwords, which prevent unauthorized password resets and system-wide changes such as reformatting or reinstalling macOS. And while locking down the firmware typically requires that IT manually "touch" each device, there is a Terminal command that makes setting it up easier.
According to Terminal's manpage, "The firmwarepasswd command is used to add or remove firmware passwords from a system as well as check status and other options. The firmwarepasswd command requires root privileges to run."
Setting a new firmware password
sudo firmwarepasswd -setpasswd
After pressing the Enter key, the system will prompt the user interactively to input the password, and then to confirm the password a second time before writing it. It is necessary to restart the device in order to complete the change.
Resetting or changing a firmware password
The command syntax is the same as for setting a new firmware password; however, you will first be prompted to enter the current password, followed by prompts for the new password and its confirmation.
Checking if a firmware password exists
sudo firmwarepasswd -check
The system will respond with "Password Enabled: Yes" if a password is currently set, or "Password Enabled: No" if one is not.
Deleting an existing password
sudo firmwarepasswd -delete
This command will prompt the admin to confirm the existing password by entering it before it can be removed. Again, reboot the device to complete the change.
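Because the article's point is that IT rarely verifies the firmware lock is actually in place, the natural follow-up is an audit script that reports, per device, whether a firmware password is set. The shell script below is an added example written for this page, not something from the article or from Apple: it wraps `firmwarepasswd -check` (the only firmwarepasswd invocation it uses) and parses the "Password Enabled: Yes/No" output the article describes into a fixed exit status that an MDM extension attribute or inventory job can consume. The parser is kept separate from the command invocation so it can be exercised on constructed sample output on a machine that has no `firmwarepasswd` (Apple notes that firmware passwords exist only on Intel-based Macs); the sample strings and the `--audit`/demo switch are assumptions of this example. Like firmwarepasswd itself, the real audit must run as root.

```shell
#!/bin/sh
# Added example (not from the article): audit whether a Mac's firmware
# password is enabled by parsing the output of `firmwarepasswd -check`.
# Only -check is used; this script never sets, changes or deletes a password.

# Classify the text produced by `firmwarepasswd -check`.
# Prints exactly one of: enabled, disabled, unknown
classify_fwpw_output() {
    output="$1"
    case "$output" in
        *"Password Enabled: Yes"*) printf 'enabled\n' ;;
        *"Password Enabled: No"*)  printf 'disabled\n' ;;
        *)                         printf 'unknown\n' ;;
    esac
}

# Run the real check (needs root, Intel Mac). Exit status is the verdict so
# callers can branch on it:
#   0 = firmware password set, 1 = not set, 2 = could not determine
check_firmware_password() {
    if ! command -v firmwarepasswd >/dev/null 2>&1; then
        echo "firmwarepasswd not available on this system" >&2
        return 2
    fi
    raw="$(firmwarepasswd -check 2>&1)"
    state="$(classify_fwpw_output "$raw")"
    case "$state" in
        enabled)  return 0 ;;
        disabled) return 1 ;;
        *)        echo "unexpected output from firmwarepasswd: $raw" >&2
                  return 2 ;;
    esac
}

# Constructed sample output (the two responses the article describes), used to
# exercise the parser on a machine without firmwarepasswd.
SAMPLE_ENABLED="Password Enabled: Yes"
SAMPLE_DISABLED="Password Enabled: No"

if [ "${1:-}" = "--audit" ]; then
    # Real audit: print a one-word verdict and exit with the status above.
    check_firmware_password
    rc=$?
    case "$rc" in
        0) echo "firmware password: enabled" ;;
        1) echo "firmware password: NOT SET" ;;
        *) echo "firmware password: unknown" ;;
    esac
    exit "$rc"
else
    # Demo mode: show how each kind of output is classified.
    classify_fwpw_output "$SAMPLE_ENABLED"    # enabled
    classify_fwpw_output "$SAMPLE_DISABLED"   # disabled
    classify_fwpw_output "some error text"    # unknown
fi
```

Run it as `sudo sh fwpw_audit.sh --audit` on the managed Mac and treat any exit status other than 0 as a compliance failure; an "unknown" verdict deserves a look rather than a pass, since it means the tool was missing or printed something the parser did not expect. Setting the password itself stays a hands-on step, because `firmwarepasswd -setpasswd` prompts interactively, which is exactly why the check is worth automating.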