Mac firmwarepasswd

I’m trying to use the firmwarepasswd utility on the Mac 10.10+ to set the firmware password, but it is not working when run from BigFix.

The script is fairly basic:

action parameter query "PASSWORD" with description "Enter the new firmware password"
delete __createfile

createfile until ##END##
#!/bin/sh
/usr/bin/expect -c "spawn /usr/sbin/firmwarepasswd -setpasswd -setmode full; expect "":"" ; send ""{parameter "PASSWORD" of action}\\n"" ; expect "":"" ; send ""{parameter "PASSWORD" of action}\\n"" ; interact" 

##END##
delete fwset.sh
move __createfile fwset.sh
wait /bin/sh fwset.sh
//delete fwset.sh
action requires restart
restart 1

BigFix reports that the task has completed successfully and the exit code is 0, but when I restart and check for the firmware password, it is not set. If I run the script from the command line /bin/sh fwset.sh as root, then restart the computer, then the password is set… what am I doing wrong?

BigFix log:

At 15:09:15 -0700 -
ActionLogMessage: (action:50710039) Action signature verified for Execution
ActionLogMessage: (action:50710039) starting action
At 15:09:15 -0700 - actionsite (http://bigfix.contoso.com:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded action parameter query “PASSWORD” with description “Enter the new firmware password” (action:50710039)
Command succeeded delete No ‘/Library/Application Support/BigFix/BES Agent/__BESData/opsite999/__createfile’ exists to delete, no failure reported (action:50710039)
Command succeeded createfile until (action:50710039)
Command succeeded delete No ‘/Library/Application Support/BigFix/BES Agent/__BESData/opsite999/fwset.sh’ exists to delete, no failure reported (action:50710039)
Command succeeded move __createfile fwset.sh (action:50710039)
Command started - wait /bin/sh fwset.sh (action:50710039)
At 15:09:15 -0700 -
Encryption: reports encrypted
At 15:09:17 -0700 -
Encrypted Report posted successfully
At 15:09:17 -0700 - actionsite (http://bigfix.contoso.com:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=0) wait /bin/sh fwset.sh (action:50710039)
Command succeeded action requires restart (action:50710039)
At 15:09:17 -0700 -
ActionLogMessage: (action:50710039) ending action
At 15:09:18 -0700 - mailboxsite (http://bigfix.contoso.com:52311/cgi-bin/bfgather.exe/mailboxsite59359887)
Not Relevant - Firmware Password for Mac OS X (fixlet:50710039)

It may be due to the process we spawn not having the full environment of root, so you might need to use a form of su to run the shell script so it runs as the “root” user not as the limited environment we have.

I’ve tried a few things, but I have yet to get it working on a physical Mac (it works on VMware VMs, but not actual Macs).

I’ve tried various permutations, but they all just appear not to actually set the password after restarting.
I think I’m getting close with this:

delete /private/tmp/fwset.sh
move __createfile /private/tmp/fwset.sh
//wait /bin/sh fwset.sh
wait /bin/sh -c "chmod +x /private/tmp/fwset.sh"
wait /bin/sh -c "/usr/bin/su -l root -i -c ""/private/tmp/fwset.sh"" "

The script runs, but no actual firmware password is set.

Got it working… it’s the interactive-ness, the same issue one would encounter if they used expect inside a cron job/script. Replaced ; interact with ; expect eof; exit

Old code:

/usr/bin/expect -c "spawn /usr/sbin/firmwarepasswd -setpasswd; expect "":"" ; send ""{parameter "PASSWORD" of action}\\n"" ; expect "":"" ; send ""{parameter "PASSWORD" of action}\\n"" ; interact"

New code:

/usr/bin/expect -c "spawn /usr/sbin/firmwarepasswd -setpasswd; expect "":"" ; send ""{parameter "PASSWORD" of action}\\n"" ; expect "":"" ; send ""{parameter "PASSWORD" of action}\\n"" ; expect eof; exit"

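An added example, not part of the original posts: the same expect eof approach, extended so that the exit status of firmwarepasswd itself is returned (expect's own exit code of 0 is what the log above recorded) and the result is read back with firmwarepasswd -check. FW_PASSWORD, FWPW_BIN and EXPECT_BIN are names assumed here, and how the deployment tool populates FW_PASSWORD is left open.

```shell
#!/bin/sh
# Added example; FW_PASSWORD, FWPW_BIN and EXPECT_BIN are names assumed here.
FWPW_BIN="${FWPW_BIN:-/usr/sbin/firmwarepasswd}"
EXPECT_BIN="${EXPECT_BIN:-/usr/bin/expect}"

# Answer both password prompts without a terminal and return the exit
# status of firmwarepasswd itself rather than that of expect.
set_firmware_password() {
    if [ -z "${FW_PASSWORD:-}" ]; then
        echo "FW_PASSWORD is not set" >&2
        return 2
    fi
    # The password reaches Tcl through the environment, so characters such
    # as quotes, brackets or $ in it are never parsed as Tcl source.
    FWPW_BIN="$FWPW_BIN" FW_PASSWORD="$FW_PASSWORD" "$EXPECT_BIN" -c '
        log_user 0
        set timeout 30
        spawn $env(FWPW_BIN) -setpasswd
        foreach prompt {first second} {
            expect {
                ":"     { send -- "$env(FW_PASSWORD)\r" }
                timeout { exit 3 }
                eof     { exit 4 }
            }
        }
        expect eof
        lassign [wait] pid sid os_error status
        exit $status
    '
}

# Read the state back instead of trusting an exit code of 0.
firmware_password_enabled() {
    "$FWPW_BIN" -check 2>/dev/null | grep -q "Password Enabled: Yes"
}
```

Exit codes 2, 3 and 4 are this example's own convention for a missing password, a prompt timeout and an early exit of the utility.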