MacOS – Setting a firmware password

bash, firmware-password, macos, script

Currently trying to use a script (preferably shell) to set up the firmware password on a fresh OSX install. I obviously found this:

http://osxdaily.com/2014/01/06/set-firmware-password-mac/

which would work during a manual install, but we would like to automate this as much as possible. I can't seem to find any documentation on writing a script to set up a (dynamic) firmware password.

My question is:

Is it possible to use a script or program to set up a dynamic firmware password on OSX 10.8/10.9? If so, do you know how? Do you know of any documentation?

Best Answer

If you mount the hidden "Recovery HD" partition in Terminal:

sudo diskutil mount Recovery\ HD

and then again mount the "BaseSystem.dmg" by double-clicking it:

then you should be able to use the setregproptool, located inside "Firmware Password Utility.app":

To get to the folder containing setregproptool, right-click (or Control-click) "Firmware Password Utility.app", select "Show Package Contents" and navigate to Contents/Resources.

Alternatively to the description in this link:

Set a firmware password from the command line - (see post from "Sep 13, '11 05:04:00AM ")

you can copy the "Firmware Password Utility.app" to a more acceptable location (for example on your local drive) and then use it from there.

These are the options of setregproptool:

$ sudo Firmware\ Password\ Utility.app/Contents/Resources/setregproptool -h
Password:
setregproptool v 2.0 (9) Aug 24 2013
Copyright (C) 2001-2010 Apple Inc.
All Rights Reserved.

Usage: setregproptool [-c] [-d [-o <old password>]] [[-m <mode> -p <password>] -o <old password>]

-c              Check whether password is enabled.
                        Sets return status of 0 if set, 1 otherwise.
-d              Delete current password/mode.
                        Requires current password on some machines.
-p              Set password.
                        Requires current password on some machines.
-m              Set security mode.
                        Requires current password on some machines.
                        Mode can be either "full" or "command".
                        Full mode requires entry of the password on
                        every boot, command mode only requires entry
                        of the password if the boot picker is invoked
                        to select a different boot device.

                When enabling the Firmware Password for the first
                time, both the password and mode must be provided.
                Once the firmware password has been enabled, providing
                the mode or password alone will change that parameter
                only.

-o              Old password.
                        Only required on certain machines to disable
                        or change password or mode. Optional, if not
                        provided the tool will prompt for the password.
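
An unattended wrapper around the options listed above, as an added example that is not part of the original answer. The install path of `setregproptool`, the function name and the password-file arguments are assumptions; only the `-c`, `-m`, `-p` and `-o` flags come from the help text.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes setregproptool was
# copied out of "Firmware Password Utility.app" to this hypothetical path.
SETREGPROPTOOL="${SETREGPROPTOOL:-/usr/local/sbin/setregproptool}"

# set_firmware_password <mode> <new password> [old password]
# Returns 0 on success, 2 on bad input, 3 if an old password is needed.
set_firmware_password() {
    fw_mode=$1 fw_new=$2 fw_old=${3:-}
    case "$fw_mode" in
        full|command) ;;
        *) echo "mode must be 'full' or 'command'" >&2; return 2 ;;
    esac
    if [ -z "$fw_new" ]; then
        echo "refusing to set an empty password" >&2; return 2
    fi
    # First-time enable: the help text requires mode and password together.
    set -- -m "$fw_mode" -p "$fw_new"
    # -c exits 0 when a password is already set, 1 otherwise.
    if "$SETREGPROPTOOL" -c; then
        # Without -o the tool prompts, which would stall an unattended run.
        if [ -z "$fw_old" ]; then
            echo "password already set; old password required" >&2; return 3
        fi
        set -- "$@" -o "$fw_old"
    fi
    # Note: -p/-o put the passwords on the tool's command line, so they are
    # visible in process listings while it runs.
    "$SETREGPROPTOOL" "$@"
}

# Runs only when called with arguments: <mode> <file holding the new password>
# [file holding the old password]. Files keep secrets out of this script's argv.
if [ "$#" -ge 2 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    new_pw=$(cat "$2") || exit 1
    old_pw=""
    if [ -n "${3:-}" ]; then old_pw=$(cat "$3") || exit 1; fi
    set_firmware_password "$1" "$new_pw" "$old_pw"
    exit $?
fi
```

Keep the password files readable by root only and delete them once the script has run.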