Recovery Lock/Firmware password
Apple provides various options to secure data on Mac devices, such as configuring a system passcode and encrypting the data using FileVault. Firmware passwords on MacBooks provide an additional layer of security on Mac devices with Intel processors by prompting the user to enter a passcode when the user tries to boot the system from external or internal storage devices other than the default startup disks. Similarly, on macOS devices with an Apple Silicon processor, a Recovery Lock can be used to prompt for a password when the Mac is booted to recoveryOS.
In most cases, manually configuring a Recovery Lock/Firmware password on Macs can be tedious for users, while Mobile Device Manager Plus allows the Recovery Lock/Firmware password to be configured automatically on MacBooks.
This feature is available in Professional, Free, and Trial editions of MDM.
To apply the Firmware password on a Mac using Mobile Device Manager Plus, the following prerequisites need to be met:
- The Mac must be running macOS 10.13 and above.
- The Mac must be powered by an Intel processor.
- The Mac must not have a Firmware password pre-configured by the user.
To apply the Recovery Lock on a Mac using Mobile Device Manager Plus, the following prerequisites need to be met:
- The Mac must be powered by an Apple Silicon processor.
- The Mac must not have a Recovery Lock pre-configured by the user.
Steps to configure Recovery Lock/Firmware password
Follow the steps given below to configure the Recovery Lock/Firmware password on a Mac:
- On the Mobile Device Manager Plus server, navigate to Device Mgmt -> Profiles and create a new Mac profile.
- Click on Recovery Lock/Firmware password, and enter the Recovery Lock/Firmware password to be configured on the systems.
- Re-enter the password in the confirm password field.
- Save and publish the profile.
- Associate the profile to the devices or groups.
To successfully apply the Firmware password profiles, the Macs must be restarted. To restart the device remotely, navigate to Inventory and click on the device to which the profile is associated. Under Actions, click on Restart device. You can either restart the device immediately, or notify the user to restart the Mac. However, Recovery Lock does not need a system restart to apply the profile.
Removing or modifying Recovery Lock/Firmware password
- To remove the Recovery Lock/Firmware password from the devices, disassociate the profile from the devices.
- To modify the Recovery Lock/Firmware password, modify the profile saved earlier, associate the upgraded version and restart the machines.
Viewing the Recovery Lock/Firmware password
The admin can view the configured Recovery Lock/Firmware password from the Inventory page by navigating to the Security details tab. Here, the admin can also note whether the Recovery Lock/Firmware password is enabled on devices and whether it was enabled by the admin or the user.
- Mobile Device Manager Plus can only configure the Recovery Lock/Firmware password in Command mode. This means the user will be prompted to enter the password only when they try to boot the system from another drive or partition, or when trying to enter recoveryOS.
- If a Firmware password is applied, the admin must ensure the Macs have restarted after the profile was applied before updating and re-applying the profile.
- The user can modify the password set through MDM.
- You have applied the Firmware password on the system but the status is not updated in the Inventory page.
Despite performing a system restart, if the status of the Firmware password is not updated in Inventory, try scanning the machine. You can also manually check the status by running the following command on the Terminal of the machine: sudo firmwarepasswd -check
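The manual check above can be scripted so its result is easy to compare with the status shown in Inventory. This is an added example, not part of Mobile Device Manager Plus: the function name firmware_state and its result labels are assumptions, and the "Mode: command" text it matches in the firmwarepasswd -mode output is assumed. It also reports when the Mac is not an Intel machine, where this command does not apply.

```shell
#!/bin/sh
# Added example (not vendor code): classify a Mac's firmware-password state.
#
# firmware_state ARCH CHECK_OUTPUT MODE_OUTPUT
#   ARCH          output of `uname -m` (x86_64 = Intel, arm64 = Apple Silicon)
#   CHECK_OUTPUT  output of `firmwarepasswd -check`
#   MODE_OUTPUT   output of `firmwarepasswd -mode`
# Prints one of (labels are assumptions of this example):
#   not-applicable | disabled | unknown | enabled-command | enabled-other-mode
firmware_state() {
    fs_arch=$1
    fs_check=$2
    fs_mode=$3

    # Firmware passwords exist only on Intel Macs; Apple Silicon uses Recovery Lock.
    if [ "$fs_arch" != "x86_64" ]; then
        echo "not-applicable"
        return 0
    fi

    case $fs_check in
        *"Password Enabled: Yes"*) ;;                       # fall through to mode check
        *"Password Enabled: No"*)  echo "disabled"; return 0 ;;
        *)                         echo "unknown";  return 0 ;;  # e.g. not run as root
    esac

    # The MDM configures Command mode only, so any other mode means the
    # password was set or changed outside the profile.
    case $(printf '%s' "$fs_mode" | tr '[:upper:]' '[:lower:]') in
        *"mode: command"*) echo "enabled-command" ;;
        *)                 echo "enabled-other-mode" ;;
    esac
}

# Query the live machine only when the tool exists and we are root
# (the page runs the check with sudo).
if command -v firmwarepasswd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    firmware_state "$(uname -m)" \
        "$(firmwarepasswd -check 2>&1)" \
        "$(firmwarepasswd -mode 2>&1)"
fi
```

Run it with sudo on the Mac; a result other than enabled-command on an Intel Mac with the profile associated is a reason to restart and rescan the device.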