Enforce a firmware password to increase security at the hardware level when allowing macOS v10.10+ to start up using an external drive, partition, or using Recovery Mode.

Prerequisites

The Workspace ONE Intelligent Hub v2.2+ for macOS is required with this profile that provides enhanced security and allows you to determine when end users need to enter firmware passwords.

Important: If a firmware password is already set on the computer, then profile installation will fail.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.
  2. Configure the profile's General settings.
  3. Configure the Firmware Password:
    Setting Description
    Firmware Password Enter the password for the device.
    Mode

    Select the Mode when end users are required to enter the password:

    • Command Mode – Require the password when attempting to boot to another drive or partition. After the end user enters the password, the computer begins using Command Mode. Then, the macOS Hub prompts the end user to re-start the computer.
    • Full Mode – Require the password every time the computer starts up. After the end user enters the password, the macOS Hub prompts the end user to re-start the computer. When the computer re-starts, it begins using Full Mode.

    Once the profile is configured, it cannot be removed remotely.

  4. Select Save & Publish to push the profile to the device.