Archived - Setting up firmware password protection in Mac OS X
You can use the Open Firmware Password application to set up low-level password protection with Mac OS X v10.1 and later.
Apple Open Firmware Update 4.1.7 and later provide the groundwork for password protecting computers at a low level (Open Firmware Password Protection). This feature is off by default. Apple provides the Open Firmware Password utility for use only with Mac OS X v10.1 and later. Apple does not endorse or provide technical support for this feature when used with earlier versions of Mac OS or with any third-party software utilities.
Intel-based Macintosh computers can be protected by firmware passwords as well. The firmware in an Intel-based computer uses Extensible Firmware Interface (EFI) technology—Open Firmware is used in computers that use PowerPC processors.
Warning: Attempts to use firmware in a manner that is not explicitly endorsed by Apple may damage your computer's logic board. Any repairs that are necessary because of this damage will not be covered under the terms of the Apple One-Year Limited Warranty, AppleCare Protection Plan, or other AppleCare agreement.
Computers compatible with Open Firmware Password Protection
Use of the Open Firmware Password Protection and the Open Firmware Password application requires an Apple computer that works with Open Firmware 4.1.7 or 4.1.8 or later, depending on the computer. To determine which version of Open Firmware is installed on your computer, open the Apple System Profiler and see the Production Information section. The Boot ROM version is also your computer's Open Firmware version. If you have an earlier version, an update would be required. A list of the latest firmware updates for various models is available.
All Intel-based Macintosh computers support firmware password protection.
The following Apple computers can use the Open Firmware Password application:
- iMac (Slot Loading) and later models of G3 iMac
- iMac (Flat Panel) and later models of G4 iMac
- iMac G5 and later models of G5 iMac
- iBook - all models, both G3- and G4-based
- eMac - all models
- PowerBook (FireWire)
- PowerBook G4 and later models of G4 PowerBook
- Power Mac G4 (AGP Graphics) and later models of G4 Power Mac
- Power Mac G4 Cube - all models
- Power Mac G5 and later models of G5 Power Mac
- Any Intel-based Mac
- MacBook Air: see MacBook Air: Recovering a lost EFI firmware password
|Features of Open Firmware Password Protection on PowerPC and Intel-based Mac computers||Power PC||Intel|
|Blocks the ability to use the "C" key to start up from an optical disc.||√||√|
|Blocks the ability to use the "D" key to start up from the Diagnostic volume of the Install DVD.||√|
|Blocks the ability to use the "N" key to start up from a NetBoot server.||√||√|
|Blocks the ability to use the "T" key to start up in Target Disk Mode (on computers that offer this feature).||√||√|
|Blocks the ability to start up in Verbose mode by pressing the Command-V key combination during startup.||√||√|
|Block the ability to start up a system in Single-user mode by pressing the Command-S key combination during startup.||√||√|
|Blocks a reset of Parameter RAM (PRAM) by pressing the Command-Option-P-R key combination during startup.||√||√|
|Requires the password to enter commands after starting up in Open Firmware, which is done by pressing the Command-Option-O-F key combination during startup.||√|
|Blocks the ability to start up in Safe Boot mode by pressing the Shift key during startup.||√||√|
|Requires the password to use the Startup Manager, accessed by pressing the Option key during startup (see below).||√||√|
Note: Firmware password protection does not prevent someone with physical access to the computer from restarting it or turning it off.
Preparing a computer to take advantage of password protection
Open Firmware Password Protection can only effectively protect a computer that enjoys some degree of physical security. To maximize the effectiveness of the firmware password, do all of the following:
- Use a secure password that contains both numerals and letters in the first eight characters.
- In the Users control panel, Accounts pane of System Preferences, or Server Admin application (whichever applies to your computer), strictly limit Admin user status to trusted personnel.
- Restrict physical access to the computer. Place the computer in a locked room, and lock the cover latch or use the security lock port.
- Only allow trusted users to start up the computer in Mac OS 9, if applicable.
- Make sure that you have selected the Mac OS X System folder for your startup device that you plan to protect.
- If your startup device is correctly selected, you should be able to select it in Startup Disk preferences, close the preference pane, and not receive a dialog box prompting you to save the changes. If you do receive this dialog, saving the changes sets your startup device.
Important: If you reset the PRAM or Open Firmware, you need to reselect your startup device prior to resetting the Open Firmware Password.
Warning: The Open Firmware Password can be reset and changed by any one of the following (except MacBook Air):
- By any administrator user, as designated in the Accounts preferences (or in Server Admin).
- Via physical access to the inside of the computer.
- When the computer is started up in Mac OS 9.
How to enable the Open Firmware Password
On any computer capable of firmware password protection (including Intel-based Macintosh computers), follow these steps:
- For Mac OS X v10.1 to v10.3.9, download and install the Open Firmware Password application, which you can get here.
For Mac OS X v10.4.x, you must use the updated version that can be copied from the software installation disc (located at /Applications/Utilities/ on the disc).
For Mac OS X v10.5.x, start from the Leopard Install DVD and choose Firmware Password Utility from the Utilities menu, then skip to step 5.
- Open the Open Firmware Password application.
- Click the icon to authenticate. Enter an administrator username and password when prompted.
- Click Change.
- Click to select the checkbox for "Require password to change Open Firmware settings", as shown below.
- Type your password in the Password and Verify fields.
- Click OK. A confirmation appears.
- Click lock icon to prevent further changes.
- Choose Quit from the application menu.