Monterey - Enable Firmware Password

Information

A firmware password _MUST_ be enabled and set.

Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools.

To set a firmware passcode, use the following command:

[source,bash]
----
/usr/sbin/firmwarepasswd -setpasswd
----

NOTE: If the firmware password or passcode is forgotten, the only way to reset it is through a machine-specific binary generated and provided by Apple. Schedule a support call and provide proof of purchase before the firmware binary will be generated.

NOTE: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices.
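An added audit helper, not part of this benchmark or the macos_security project, that evaluates the rule from the text printed by `/usr/sbin/firmwarepasswd -check` and marks it not applicable on Apple Silicon (architecture taken from `uname -m`, which prints `x86_64` on Intel Macs and `arm64` on Apple Silicon); the sample output strings are constructed for illustration:

```bash
#!/bin/sh
# Added example: classify the firmware-password state for the rule above.

# Classify the text printed by `/usr/sbin/firmwarepasswd -check`.
# Prints "pass", "fail" or "unknown"; returns 0 only for "pass".
fw_password_state() {
    _out="$1"
    case "$_out" in
        *"Password Enabled: Yes"*) echo pass;    return 0 ;;
        *"Password Enabled: No"*)  echo fail;    return 1 ;;
        *)                         echo unknown; return 2 ;;
    esac
}

# The rule applies only to Intel Macs; firmwarepasswd is not supported on
# Apple Silicon, so anything other than x86_64 is out of scope.
rule_applicable() {
    case "$1" in
        x86_64) return 0 ;;
        *)      return 1 ;;
    esac
}

# Single verdict for a given architecture string and firmwarepasswd output:
# "not_applicable", "pass", "fail" or "unknown".
firmware_password_verdict() {
    if ! rule_applicable "$1"; then
        echo not_applicable
        return 0
    fi
    fw_password_state "$2"
}

# Live audit of the host; only meaningful on macOS, reports "unknown"
# where the tool is absent so the result is never silently treated as pass.
audit_host() {
    if [ -x /usr/sbin/firmwarepasswd ]; then
        firmware_password_verdict "$(uname -m)" \
            "$(/usr/sbin/firmwarepasswd -check 2>&1)"
    else
        echo unknown
        return 2
    fi
}
```

Run `audit_host` on an Intel Mac as root to get the verdict; a result of "fail" means `firmwarepasswd -setpasswd` still needs to be run.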

Solution

NOTE: See the Information section above for remediation details and how to enable the firmware password.

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-6, 800-53|CM-6b., CCE|CCE-90925-9, CCI|CCI-000366

Plugin: Unix

Control ID: 9c9175ab472b38b6679e259287e0f76b2e6dd4e8741603bfc166a759bb18fc64