This Library Item is available for Mac computers
The Recovery Password library item allows you to configure and apply recovery passwords to Mac computers with Apple silicon and EFI firmware passwords to Intel-based Mac computers, all from within the same library item. Iru Endpoint supports automatically generating per-device passwords with optional configurable time-based rotation, or you can set a manual static password. You can also provide existing known firmware passwords for Intel-based Mac computers to update them using Iru Endpoint automatically.

Create a Recovery Password Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

Configure the Recovery Password Library Item

1. Name and Icon: Name your library item, and choose an icon if desired.
2. Select Blueprints: Select your desired Blueprints.
3. Choose Password Method: Choose whether to have Iru Endpoint automatically generate device-specific passwords or to specify a static password manually.
4. Configure Password Rotation: If you have Iru Endpoint automatically generate device-specific passwords, choose whether Iru Endpoint should automatically rotate the password and specify how often.
5. Enable Legacy Passwords: If you have firmware passwords already deployed to Intel-based Mac computers, enable the Legacy Firmware passwords option so Iru Endpoint can update them.
6. Add Legacy Password: Add a legacy password already deployed to Intel-based Mac computers.
7. Add Additional Passwords: Optionally add up to 19 more legacy passwords (20 total) for Iru Endpoint to use when updating them.
8. Save configuration: Click Save.
Iru Endpoint cannot update existing deployed firmware passwords on Intel-based Mac computers unless the currently in-use password(s) are provided to Iru Endpoint in the Legacy Firmware passwords section.

Device Experience

  • Mac computers with Apple silicon: The recovery password is applied and no user interaction is required.
  • Intel-based Mac computers: Users are prompted by the Kandji Agent to restart within 30 minutes after a legacy firmware password is applied, whether for the first time or when it is rotated. As with the FileVault library item, this countdown cannot be deferred.

View Recovery Password for a Device

After the recovery password has been set, this option becomes available when the device’s next daily check-in completes.
1. Access Device Action Menu: Open the Device Action Menu.
2. View Recovery Lock password: Click View Recovery Lock password.
When you remove the Recovery Password library item, the device record will still show a recovery password even though one is no longer present on the device. The entry is removed from the device record at the next daily check-in.

Additional Considerations

Blueprint Changes

When you move a device between Blueprints, Iru Endpoint automatically updates the recovery password to match the new Blueprint’s settings. For instance, if you move a device from a Blueprint with randomized passwords to one with a fixed password, the device will switch to the fixed password automatically.

Removing Recovery Passwords

If you remove the Recovery Password library item from a Blueprint or move a device to a Blueprint that doesn’t have one, Iru Endpoint will attempt to remove the recovery password from the device.

Device Unenrollment

When you delete a device record (which unenrolls it from Iru), macOS automatically removes any applied recovery password. However, legacy firmware passwords remain on the device and must be removed manually.
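As an added example (not Iru Endpoint's own code), the following compliance check runs over constructed Apple MDM DeviceInformation responses and flags Apple silicon Macs without a recovery password, Intel Macs still waiting for the restart described under Device Experience, and passwords that remain after the library item was removed or the device unenrolled. The key names are Apple's documented MDM query keys; the sample data and the `expected` flag (whether the device's Blueprint should apply a password) are assumptions.

```python
import plistlib
from typing import Iterable

# Constructed sample DeviceInformation responses (not real device data). Key names
# follow Apple's MDM protocol: IsAppleSilicon, IsRecoveryLockEnabled and the
# FirmwarePasswordStatus dictionary (PasswordExists / ChangePending / AllowOroms).
SAMPLE_RESPONSES = [
    {"UDID": "AS-1", "IsAppleSilicon": True, "IsRecoveryLockEnabled": True},
    {"UDID": "AS-2", "IsAppleSilicon": True, "IsRecoveryLockEnabled": False},
    {"UDID": "INTEL-1", "IsAppleSilicon": False, "FirmwarePasswordStatus":
        {"PasswordExists": True, "ChangePending": False, "AllowOroms": False}},
    {"UDID": "INTEL-2", "IsAppleSilicon": False, "FirmwarePasswordStatus":
        {"PasswordExists": True, "ChangePending": True, "AllowOroms": False}},
    {"UDID": "INTEL-3", "IsAppleSilicon": False, "FirmwarePasswordStatus":
        {"PasswordExists": False, "ChangePending": False, "AllowOroms": True}},
]

def classify(resp: dict, expected: bool = True) -> str:
    """State of one device, given whether its Blueprint should apply a password."""
    if resp.get("IsAppleSilicon"):
        enabled = bool(resp.get("IsRecoveryLockEnabled"))
        if expected:
            return "ok" if enabled else "recovery-lock-missing"
        return "recovery-lock-remains" if enabled else "ok"  # Iru attempts removal itself
    status = resp.get("FirmwarePasswordStatus") or {}
    if status.get("ChangePending"):
        return "restart-pending"  # new firmware password applies only after a restart
    exists = bool(status.get("PasswordExists"))
    if expected:
        return "ok" if exists else "firmware-password-missing"
    return "legacy-password-remains" if exists else "ok"  # must be removed manually

def audit(responses: Iterable[dict], expected: bool = True) -> dict:
    """Return {UDID: state} for every device that is not in the 'ok' state."""
    result = {}
    for resp in responses:
        state = classify(resp, expected)
        if state != "ok":
            result[resp["UDID"]] = state
    return result

def audit_plist(data: bytes, expected: bool = True) -> dict:
    """Same audit over a plist array of responses, e.g. exported from an MDM server."""
    return audit(plistlib.loads(data), expected)

if __name__ == "__main__":
    for udid, state in audit(SAMPLE_RESPONSES).items():
        print(f"{udid}: {state}")
```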

Password Format

When using an automatically generated recovery password to unlock a device, enter it exactly as displayed—including all capital letters and hyphens.

Erase Device Commands on Intel Macs with T2 Chip

Intel-based Mac computers with the Apple T2 Security Chip have special behavior when receiving an Erase Device command. If a legacy firmware password is still present, the device will perform a complete erase and require macOS reinstallation instead of the standard Erase All Content and Settings (EACS). To avoid this and preserve the EACS behavior, move the device to a Blueprint without a Recovery Password library item before sending the Erase Device command. This step isn’t required for Mac computers with Apple silicon.