Given the security breaches and issues that have increased in frequency over the last few years, it boggles the mind how security is relegated to an after-thought by organizations and IT staff in place to protect against issues in the first place. In my 20+ years in the IT field, I simply cannot count how many times I’ve worked at sites with knowledgeable, talented staff that fail to lockdown the firmware on their systems, leaving them wide-open to any number of attacks–intentional and unintentional.

During a recent gig deploying Mac laptops used by students as part of a special take-home program, devices requiring tight controls to maintain the integrity of the program were returned by staff and students running unsupported applications and compromised local service accounts used by IT for management. Some devices were even reformatted, with macOS reinstalled and/or FileVault 2 enabled, effectively locking everyone but the sole user out of the device.

SEE: Password management policy (Tech Pro Research)

Issues such as these can be mitigated through the implementation of firmware passwords that work to prevent unauthorized password resets or system-wide changes, such as reformatting/reinstalling macOS. And while locking down the firmware would typically require that IT manually “touch” each device, there is a Terminal command that makes setting up security easier.

According to Terminal’s manpage, “The firmwarepasswd command is used to add or remove firmware passwords from a system as well as check status and other options. The firmwarepasswd command requires root privileges to run.”

Setting a new firmware password

sudo firmwarepasswd -setpasswd

After pressing the Enter key, the system will prompt the user interactively to input the password, as well as a to confirm the password a second time before writing it. It is necessary to restart the device in order to complete the change.

Resetting or changing a firmware password

This is the same command syntax as setting a new firmware password, however, you will first be prompted to enter the current password, then followed by a prompt to enter the new password, and its confirmation.

Checking if a firmware password exists

sudo firmwarepasswd -check

The system will respond with Password Enabled: Yes, if a password is currently set; or No, if a password is not set.

Deleting an existing password

sudo firmwarepasswd -delete

This command will prompt the admin to confirm the existing password by entering it before it can be removed. Again, reboot the device to complete the change.

See also