Firmware Password Utility
macOS supports the use of a Firmware Password to prevent unintended modifications of firmware settings on a specific Mac. The Firmware Password is used to prevent selecting alternate boot modes such as booting into recoveryOS or Single-User mode, booting from an unauthorized volume, or booting into Target Disk Mode.
The most basic mode of Firmware Password can be reached from the recoveryOS Firmware Password Utility on Mac computers without an Apple T2 Security Chip, and from the Startup Security Utility on Mac computers with a T2 chip. Advanced options (such as the ability to prompt for the password at every boot) are available from the firmwarepasswd command-line tool in macOS.
Setting a Firmware Password is especially important to reduce the risk of attacks on Mac computers without a T2 chip by a physically present attacker (such as in a computer lab or office environment). The firmware password can stop an attacker from booting to recoveryOS, from where they could disable System Integrity Protection. And by restricting boot from alternative media, an attacker can't execute privileged code from another OS in order to attack peripheral firmware.
A Firmware Password reset mechanism exists to help users who forget their password. Users press a key combination at boot and are presented with a model-specific string to provide to AppleCare. AppleCare digitally signs a resource that is signature-checked by the UEFI firmware. If the signature validates and the content is for the specific Mac, the UEFI firmware removes the Firmware Password.
For users who want no one but themselves to remove their Firmware Password by software means, the -disable-reset-capability option has been added to the firmwarepasswd command-line tool in macOS 10.15. Before setting this option, users must acknowledge that if the password is forgotten and needs removal, the user must bear the cost of the motherboard replacement necessary to achieve this. Organizations that want to protect their Mac computers from external attackers and from employees must set a Firmware Password on organization-owned systems. This can be accomplished on the device:
At provisioning time, by manually using the
With third-party management tools that use the
Using mobile device management (MDM)
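The following shell script is an added example; it is not part of Apple's documentation or of the firmwarepasswd tool itself. It shows how an administrator might audit the settings described above across organization-owned Macs: it parses the output of firmwarepasswd -check and firmwarepasswd -mode (the line formats "Password Enabled: Yes/No" and "Mode: command/full" are assumed from the tool's observed behaviour) and reports whether a machine meets a baseline of "password set, prompt at every boot". The parsing functions take the command output as text, so the script runs offline against constructed sample lines; fwpw_audit_live, invoked with --live as root on macOS, is the only part that calls the real tool.

```shell
#!/bin/sh
# Added example (not Apple's code): audit helper for firmware password state.
# Baseline: a firmware password is set AND mode is "full" (prompt at every
# boot). Parsing is separated from collection so the logic can be run offline.

# Return 0 if the `firmwarepasswd -check` output says a password is enabled.
# Assumed output line (from observed tool behaviour): "Password Enabled: Yes|No"
fwpw_enabled() {
  case "$1" in
    *"Password Enabled: Yes"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the mode word ("command" or "full") from `firmwarepasswd -mode` output,
# or "unknown" if the expected "Mode: <word>" line is absent.
fwpw_mode() {
  mode=$(printf '%s\n' "$1" | sed -n 's/^Mode: *//p' | head -n 1)
  if [ -n "$mode" ]; then
    printf '%s\n' "$mode"
  else
    printf 'unknown\n'
  fi
}

# Combine both outputs into one verdict:
#   NOT_SET      - no firmware password; recoveryOS / alternate boot unprotected
#   WEAK_MODE    - password set but only in "command" mode (prompted only for
#                  alternate boot selections, not at every boot)
#   COMPLIANT    - password set and "full" mode
#   UNKNOWN_MODE - password set but mode line could not be parsed
fwpw_verdict() {
  check_out=$1
  mode_out=$2
  if ! fwpw_enabled "$check_out"; then
    printf 'NOT_SET\n'
    return 0
  fi
  case "$(fwpw_mode "$mode_out")" in
    full)    printf 'COMPLIANT\n' ;;
    command) printf 'WEAK_MODE\n' ;;
    *)       printf 'UNKNOWN_MODE\n' ;;
  esac
}

# Live collection on macOS; requires root. Not run in the offline demo below.
fwpw_audit_live() {
  check_out=$(/usr/sbin/firmwarepasswd -check 2>/dev/null)
  mode_out=$(/usr/sbin/firmwarepasswd -mode 2>/dev/null)
  fwpw_verdict "$check_out" "$mode_out"
}

# Constructed sample outputs shaped like the tool's real lines.
SAMPLE_SET="Password Enabled: Yes"
SAMPLE_UNSET="Password Enabled: No"
SAMPLE_FULL="Mode: full"
SAMPLE_CMD="Mode: command"

if [ "${1:-}" = "--live" ]; then
  fwpw_audit_live
else
  printf 'lab Mac (set, full):    %s\n' "$(fwpw_verdict "$SAMPLE_SET" "$SAMPLE_FULL")"
  printf 'lab Mac (set, command): %s\n' "$(fwpw_verdict "$SAMPLE_SET" "$SAMPLE_CMD")"
  printf 'lab Mac (not set):      %s\n' "$(fwpw_verdict "$SAMPLE_UNSET" "$SAMPLE_FULL")"
fi
```

In a fleet deployment the verdict line would be emitted by the management agent so that NOT_SET and WEAK_MODE machines can be flagged; on T2 Macs the same check still applies, but the Startup Security Utility settings are the primary control there.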