Firmware_Password_Removal.sh
#!/bin/sh
# Jason Filice
# Technology Support Services in IT
# California State University, Monterey Bay
# https://csumb.edu/it
# This script requires /Library/Application Support/JAMF/bin/setregproptool.
#
# Use as script in Jamf JSS.
# Record how the script was invoked: the raw $0 plus its base name and
# directory, resolved with the absolute-path coreutils binaries.
pathToScript=$0
SCRIPTNAME=$(/usr/bin/basename "$0")
SCRIPTPATH=$(/usr/bin/dirname "$0")
# Jamf JSS predefines parameters 1 through 3 as mount point, computer name,
# and username.
mountPoint=$1
computerName=$2
userName=$3
# Discard those three so that Jamf parameter 4 becomes $1 for the rest of
# the script.
shift 3
# Map common tool names to their absolute paths so the full path does not
# have to be spelled out at each call site. To bypass an alias, call the
# binary by its full path instead.
# NOTE(review): none of these aliases is invoked in the lines of this script
# shown here; alias expansion in a non-interactive shell also depends on the
# shell running in POSIX mode - confirm before relying on them.
alias \
  PlistBuddy="/usr/libexec/PlistBuddy" \
  chown="/usr/sbin/chown" \
  chmod="/bin/chmod" \
  ditto="/usr/bin/ditto" \
  defaults="/usr/bin/defaults" \
  rm="/bin/rm" \
  cp="/bin/cp" \
  mkdir="/bin/mkdir" \
  sudo=/usr/bin/sudo
# https://www.jamf.com/jamf-nation/articles/58/setting-efi-passwords-on-mac-computers-models-late-2010-or-later
# To remove a firmware password:
# Follow the instructions in the “Administering Open Firmware/EFI Passwords” section of the Casper Suite Administrator’s Guide. For the hardware listed above, you must add a script with the following command to Casper Remote or the policy in the JSS:
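# Pre-check: ask setregproptool whether a firmware password is enabled.
# Per the author's note, "-c" returns status 0 if one is set, 1 otherwise.
echo "Pre-check whether firmware password is set..."
# Fail loudly if the Jamf helper is missing. Otherwise the shell's
# "command not found" status would be reported as "password is not set".
if [ ! -x "/Library/Application Support/JAMF/bin/setregproptool" ]; then
  echo "Error: /Library/Application Support/JAMF/bin/setregproptool is missing or not executable." >&2
  exit 1
fi
# Decide on the exit status alone. Capturing stdout together with "echo $?"
# made the comparison fail whenever the tool printed anything.
"/Library/Application Support/JAMF/bin/setregproptool" -c >/dev/null
setregproptoolresult=$?
if [ "$setregproptoolresult" -eq 0 ]; then
  echo "Firmware password is set."
else
  echo "Firmware password is not set."
  # Nothing to remove; report success to the policy.
  exit 0
fi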
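# Try each remaining positional parameter (Jamf parameter 4 onward, after the
# earlier "shift 3") as the current firmware password, stopping at the first
# one that setregproptool accepts.
# Exit status: 0 when a candidate was accepted, 1 when none was supplied or
# none worked, so the Jamf policy log reflects the real outcome.
#
# NOTE(review): the candidate passwords arrive as script parameters and are
# handed to setregproptool via "-o", so they are visible in the process
# argument list while the tool runs and wherever the policy parameters are
# stored or logged. Rotate any password used here, and check whether the tool
# can take the old password at its prompt instead - confirm against the
# setregproptool usage text.
echo "Attempting to disable firmware, trying $# known password(s)..."
if [ $# -lt 1 ]; then
  echo "Error: no candidate firmware password was supplied." >&2
  exit 1
fi

removed=1
while [ $# -gt 0 ]; do
  # Jamf passes unused parameters as empty strings; skip those.
  if [ -n "${1}" ]; then
    # The heredoc delimiter is quoted so the shell expands nothing inside it.
    # The password reaches expect through the environment and is used as a
    # single Tcl word, so characters such as quotes, "[", "$" or "\" in it can
    # no longer break or alter the expect script.
    FW_OLD_PASSWORD="${1}" /usr/bin/expect <<'EOL'
spawn "/Library/Application Support/JAMF/bin/setregproptool" -d -o $env(FW_OLD_PASSWORD)
expect {
  "Enter current password" {
    close
    send_error "Error: Incorrect old firmware password\r"
    exit 1
  }
  timeout {
    close
    send_error "Error: Timed out waiting for setregproptool\r"
    exit 1
  }
  eof {}
}
set result [wait]
exit [lindex $result 3]
EOL
    attempt_status=$?
    # NOTE(review): assumes setregproptool exits 0 when the old password is
    # accepted - confirm. The previous test compared "$?" (the status of the
    # preceding echo) with a glob pattern inside "[ ]", which was always
    # true, so the loop stopped after the first candidate whatever happened.
    if [ "$attempt_status" -eq 0 ]; then
      removed=0
      break
    fi
    echo "Attempt failed (status $attempt_status)."
    sleep 1
  fi
  # Move on to the next candidate password.
  shift
done

if [ "$removed" -ne 0 ]; then
  echo "Error: none of the supplied passwords was accepted; firmware password is unchanged." >&2
  exit 1
fi
echo "Firmware password removal was accepted by setregproptool."
exit 0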