The pre-boot firmware password available in macOS can provide a high level of security to devices in your organization. This password prevents the device from being booted into alternate states, such as from a bootable USB drive or macOS Recovery. When enabled, the password must be entered before booting from anything other than the designated internal startup disk. This plays a key role in stopping your devices from being tampered with should they be lost or stolen. Note that the firmware password applies to Intel-based Macs; Macs with Apple silicon do not use a firmware password and rely on FileVault and Activation Lock instead.
This article references some techniques for deploying scripts through the Addigy portal. Those techniques are explained thoroughly in the article How to Create and Run Scripts.
To check if the firmware password is set on devices, select the Check for Firmware Password command in the Security category, and run the command on whichever devices you would like.
The output will display whether the password is enabled or not.
To set the firmware password on a device, first make sure that the firmware password is not already set (use the check above); a new password cannot be applied over an existing one without supplying the old one. Then, copy the Predefined Command called Enable Firmware Password (Requires Password). We will be using this as a template for our script, which will contain the password.
Note: running the unedited command will set the firmware password to the literal string "INSERT PASSWORD HERE". If that happens, it can be undone by running the command that removes the firmware password, either with the spawn command (expect) to imitate the interactive password entry or through an interactive shell, entering "INSERT PASSWORD HERE" when prompted for the current password.
Create a new Predefined Command, and paste the copied code into the Bash file content field. Change the second line of the script to include your desired password.
password="INSERT PASSWORD HERE"
Give the script an appropriate name. Now your script is ready to run. The script will set your firmware password and attempt to reboot the device; the new password does not take effect until the device restarts. If a user is logged into the device, a notification will appear prompting them to restart to complete the process.
Note: your password is stored in plain text within the Addigy portal, and is downloaded as plain text onto the device. To protect your password, it is imperative that you delete the downloaded script from the /tmp directory on the device, and remove the password from the Predefined Command once the deployment is complete. Record the firmware password in your organization's password manager: a forgotten firmware password locks you out of Recovery and of booting from any other disk.
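The check and set procedures above, as an added example in the shape of an Addigy-style Bash script. This is not Addigy's own Predefined Command; it assumes the command wraps Apple's firmwarepasswd(8) utility and /usr/bin/expect, both of which ship with macOS (Intel Macs only), that `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No", and that `firmwarepasswd -setpasswd` prompts twice with text containing "new password:". The helper functions are written so they can be exercised with constructed output on any machine; the part that actually touches firmware only runs on macOS as root.

```shell
#!/bin/bash
# Added example, not Addigy's own Predefined Command. Assumes Apple's
# firmwarepasswd(8) (Intel Macs) and /usr/bin/expect, both bundled with macOS.
set -eu

password="INSERT PASSWORD HERE"   # replace this, as the article instructs

# Guard against the pitfall in the note above: never set the template
# placeholder (or an empty string) as the real firmware password.
refuse_placeholder() {
  case "$1" in
    ""|"INSERT PASSWORD HERE") return 1 ;;
    *) return 0 ;;
  esac
}

# Reduce `firmwarepasswd -check` output to set / unset / unknown.
# Assumed output format: "Password Enabled: Yes" or "Password Enabled: No".
fw_state_from_output() {
  case "$1" in
    *"Password Enabled: Yes"*) echo "set" ;;
    *"Password Enabled: No"*)  echo "unset" ;;
    *)                         echo "unknown" ;;
  esac
}

# firmwarepasswd has no non-interactive mode, so expect drives its prompts.
# The password is passed through the environment rather than interpolated
# into the expect script, so shell- or Tcl-special characters cannot break it.
set_firmware_password() {
  FWPW="$1" /usr/bin/expect <<'EOF'
set timeout 20
log_user 0
spawn /usr/sbin/firmwarepasswd -setpasswd
# Assumed prompts: "Enter new password:" then "Re-enter new password:"
expect -re "new password:" { send -- "$env(FWPW)\r" }
expect -re "new password:" { send -- "$env(FWPW)\r" }
expect eof
catch wait result
exit [lindex $result 3]
EOF
}

main() {
  refuse_placeholder "$password" || {
    echo "Refusing to set the template placeholder as the firmware password" >&2
    exit 1
  }
  state=$(fw_state_from_output "$(/usr/sbin/firmwarepasswd -check 2>&1)")
  if [ "$state" != "unset" ]; then
    echo "Firmware password state is '$state'; not changing it" >&2
    exit 1
  fi
  set_firmware_password "$password"
  # Verify the change before reporting success.
  after=$(fw_state_from_output "$(/usr/sbin/firmwarepasswd -check 2>&1)")
  [ "$after" = "set" ] || { echo "Verification failed: state is '$after'" >&2; exit 1; }
  # Do not leave the plaintext password lying in /tmp: overwrite and remove
  # this script (rm -P is macOS/BSD; fall back to a plain unlink).
  unset password
  rm -P -- "$0" 2>/dev/null || rm -f -- "$0"
  echo "Firmware password set; a restart is required before it takes effect"
}

# Only touch firmware on macOS as root (Addigy runs scripts as root).
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
  main
fi
```

Run it only on Intel Macs whose check reports "Password Enabled: No"; the script refuses to continue otherwise, and still requires the manual cleanup of the password in the Predefined Command described above.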