Device Action: Clear and Rotate Firmware Password

The Clear Firmware Password and Rotate Firmware Password actions manage the EFI firmware password on Intel-based Mac computers. A firmware password prevents users from booting from external drives, entering Recovery Mode, or resetting the Mac without providing the password. SimpleMDM can set, rotate, and clear firmware passwords remotely using the SetFirmwarePassword MDM command.

Apple documentation for the SetFirmwarePassword command can be found here:

Note: SimpleMDM uses a Firmware Password profile to set the firmware password for a device. Technically, this is an MDM command rather than a profile, but because it is typically used to achieve a desired state, it is configured in the UI as a profile, which is a better UX fit.

Supported platforms

These actions are available for Intel-based Mac computers running macOS 10.13 or later. They are not supported on Macs with Apple silicon — use Recovery Lock Password for Apple silicon Macs instead. The device must be enrolled via device enrollment (not User Enrollment). Supervision is not required.

Clear Firmware Password

Clearing the firmware password removes it from the device entirely, allowing users to boot from external drives and access Recovery Mode without a password.

  1. In SimpleMDM, navigate to the device's Device Details page.
  2. Click the "Actions" menu.
  3. Select "Clear Firmware Password".
  4. Confirm the action when prompted.

The device must restart for the change to take effect.

Note: You must unassign any Firmware Password profile from the device before clearing the password. If a profile is still assigned, SimpleMDM will display an error and the command will not be sent.

Rotate Firmware Password

Rotating the firmware password replaces the current password with a new randomly generated one. The new password is stored in SimpleMDM and can be viewed by admins with the appropriate permission.

The rotate option appears as a refresh icon next to the firmware password in the Security section of the device's information panel. Click the icon and confirm to send the rotation command.

To rotate the Firmware Password for a device that already has one set:

  1. Navigate to the Device Details page and locate the "Firmware Password" field under the Security section.
  2. Click the "Rotate" icon next to the field.
  3. Confirm the action when prompted.

Rotation requires that the device has a Firmware Password profile assigned with the "Generate Password" option enabled. The device must also have an existing firmware password set by SimpleMDM and no pending password change.

Viewing the firmware password

The current firmware password is displayed in the Security section of the device's Device Details page. Admins with the appropriate permission can reveal the stored password. After rotation, the new password is shown once the device acknowledges the command.
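What the Rotate and Clear actions correspond to at the MDM protocol level, as an added example that is not SimpleMDM's code: it builds the SetFirmwarePassword command plist from Apple's RequestType, CurrentPassword and NewPassword keys, and accepts a new password only once the device's response is Acknowledged with PasswordChanged set. The helper names, the password length and alphabet, and any response fed to it are assumptions.

```python
import plistlib
import secrets
import string
import uuid

# Assumption: 16 characters of letters and digits, all within the printable
# low-ASCII range and easy to type at the firmware prompt.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 16


def new_password():
    """Generate a random replacement password from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def build_command(current, new):
    """Return (command_uuid, plist_bytes) for a SetFirmwarePassword command.

    An empty `new` clears the firmware password. `current` is sent whenever
    the device already has a firmware password set.
    """
    command = {"RequestType": "SetFirmwarePassword", "NewPassword": new}
    if current:
        command["CurrentPassword"] = current
    command_uuid = str(uuid.uuid4())
    body = plistlib.dumps({"CommandUUID": command_uuid, "Command": command})
    return command_uuid, body


def rotate(current):
    """Build a rotation: (candidate_password, command_uuid, plist_bytes)."""
    candidate = new_password()
    command_uuid, body = build_command(current, candidate)
    return candidate, command_uuid, body


def clear(current):
    """Build a clear request: (command_uuid, plist_bytes)."""
    return build_command(current, "")


def password_changed(response, command_uuid):
    """True only if the device acknowledged this exact command and reports
    the password as changed; until then the old password stays on record."""
    result = plistlib.loads(response)
    if result.get("CommandUUID") != command_uuid:
        return False
    if result.get("Status") != "Acknowledged":
        return False
    return bool(result.get("SetFirmwarePassword", {}).get("PasswordChanged"))
```

Keeping the candidate password separate from the stored one until `password_changed` returns true avoids recording a password the device never accepted, for example when the command is rejected by the 30-second throttle.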

Notes

  • The device must restart for a firmware password change to take effect. A pending change is indicated in the device's security information.
  • There is a 30-second throttle between firmware password commands. Sending a new command within this interval will result in an error.
  • Firmware passwords only apply to Intel-based Macs. For Apple silicon Macs, use the Recovery Lock Password instead.