Category filter
Verify firmware password set on Mac
The Verify Firmware Password remote action allows IT administrators to confirm if the firmware password currently active on an Intel-based Mac matches the value escrowed in the Hexnode UEM portal.
What is a macOS Firmware Password?
A firmware password is a hardware-level security measure for Intel-based Macs that prevents unauthorized users from altering the startup process. When enabled, the device requires this password before it can boot from any storage medium other than the designated startup disk or before using startup key combinations such as Recovery Mode or Target Disk Mode.
- Access Control: Ensures only authorized personnel can bypass or troubleshoot the startup sequence.
- Remote Management: Hexnode UEM provides the capability to set, clear, and verify these passwords remotely.
- Device Support: This specific verification action is available only on Intel-based Macs running macOS 10.13 or later.
Prerequisites and Password Escrow
When a firmware password is configured through the Hexnode console using the Set Firmware/Recovery Lock Password action, the password is automatically and securely escrowed.
Viewing Escrowed Passwords
- Navigate to Manage > Devices and select the target Mac.
- Go to the Device Info sub-tab and select Security Info.
- The password will be displayed next to the Firmware Password field.
If the password is changed manually on the physical device, the escrowed value in Hexnode will not update automatically. The verification action is required to identify such discrepancies.
Step-by-Step Guide: Verifying the Firmware Password
Use this process to check if the escrowed portal password is still valid or if it has been modified locally on the machine.
- Log in to the Hexnode UEM portal.
- Navigate to the Manage tab and select the target device.
- Click on Actions > Security > Verify Firmware Password.
- Enter the password you wish to check against the device.
- Click Verify.
Understanding Verification Results
After the command is processed, administrators can check the outcome in the Action History tab. If the status is Success, click the info icon to see the specific message:
| Message | Interpretation |
|---|---|
| “The password you entered matches…” | The portal’s record is current and valid. |
| “The password you entered does not match…” | The password has been changed locally or an incorrect value was tested. |
| “No firmware password is set.” | No password is currently configured or it was recently cleared. |
Troubleshooting Guides
| Problem | Potential Root Cause | Resolution |
|---|---|---|
| Action is missing from the menu | Device is not an Intel-based Mac or OS is older than 10.13. | Verify the hardware and OS version; Apple silicon (M-series) devices use Recovery Lock, which has different management rules. |
| Action fails to execute | Device is offline or management profile is interrupted. | Ensure the Mac has an active internet connection and that the Hexnode MDM profile is properly installed and active. |
| Verification result is “No password set” | The password was manually cleared or never initialized. | Use the Set Firmware/Recovery Lock Password action to re-establish hardware security. |
Frequently Asked Questions (FAQs)
Does “Verify Firmware Password” change the password?
No. This action is read-only; it purely compares the password you provide against the one currently residing on the Mac hardware.
Why doesn’t the portal update automatically if the user changes the password?
For security reasons, macOS does not “push” firmware-level changes back to the MDM server. Verification must be triggered manually by an administrator to sync administrative knowledge with the device state.
What happens if the firmware password is lost?
If the password is lost and not escrowed in the portal, you may be unable to troubleshoot the device or boot from external media. In such cases, the device may require physical service by Apple.
Can the password be verified in bulk?
Yes. You can select multiple Intel-based Macs in the Manage tab and push the Verify Firmware Password action as a bulk command, provided you are checking for a uniform password.
