Firmware password protection in an Intel-based Mac
macOS on Intel-based Mac computers with an Apple T2 Security Chip supports the use of a Firmware Password to help prevent unintended modifications of firmware settings on a specific Mac. The Firmware Password is designed to prevent selecting alternate boot modes such as booting into recoveryOS or Single User Mode, booting from an unauthorized volume, or booting into target disk mode.
Note: The firmware password isn’t required on a Mac with Apple silicon, because the critical firmware functionality it restricted has been moved into the recoveryOS and (when FileVault is enabled) recoveryOS requires user authentication before its critical functionality can be reached.
The most basic mode of firmware password can be reached from the recoveryOS Firmware Password Utility on an Intel-based Mac without a T2 chip, and from the Startup Security Utility on an Intel-based Mac with a T2 chip. Advanced options (such as the ability to prompt for the password at every boot) are available from the firmwarepasswd
command-line tool in macOS.
Setting a Firmware Password is especially important to reduce the risk of attacks on Intel-based Mac computers without a T2 chip from a physically present attacker. The Firmware Password can help prevent an attacker from booting to recoveryOS, from where they could otherwise disable System Integrity Protection (SIP). And by restricting boot of alternative media, an attacker can’t execute privileged code from another operating system to attack peripheral firmwares.
A firmware password reset mechanism exists to help users who forget their password. Users press a key combination at startup, and are presented with a model-specific string to provide to AppleCare. AppleCare digitally signs a resource that's signature checked by the Uniform Resource Identifier (URI). If the signature is validated and the content is for the specific Mac, the UEFI firmware removes the firmware password.
For users who want no one but themselves to remove their firmware password by software means, the -disable-reset-capability
option has been added to the firmwarepasswd
command-line tool in macOS 10.15. Before setting this option, users must acknowledge that if the password is forgotten and needs removal, the user must bear the cost of the logic board replacement necessary to achieve this. Organizations that want to protect their Mac computers from external attackers and from employees must set a firmware password on organization-owned systems. This can be accomplished on the device in any of the following ways:
At provisioning time, by manually using the
firmwarepasswd
command-line toolWith third-party management tools that use the
firmwarepasswd
command-line toolUsing mobile device management (MDM)