The Recovery Password library item allows you to configure and apply recovery passwords to Mac computers with Apple silicon and EFI firmware passwords to Intel-based Mac computers, all from within the same library item. Iru Endpoint supports automatically generating per-device passwords with optional, configurable time-based rotation, or you can set a manual static password. You can also provide existing known firmware passwords for Intel-based Mac computers so that Iru Endpoint can update them automatically.
Choose whether to have Iru Endpoint automatically generate device-specific passwords or to specify a static password manually.
4. Configure Password Rotation
If you have Iru Endpoint automatically generate device-specific passwords, choose whether Iru Endpoint should automatically rotate the password and specify how often.
5. Enable Legacy Passwords
If you have firmware passwords already deployed to Intel-based Mac computers, enable the Legacy Firmware passwords option so Iru Endpoint can update them.
6. Add Legacy Password
Add a legacy password that is already deployed to Intel-based Mac computers.
7. Add Additional Passwords
Optionally add up to 19 more legacy passwords (20 total) for Iru Endpoint to try when updating them.
Save configuration
Click Save.
Iru Endpoint cannot update existing deployed firmware passwords on Intel-based Mac computers unless the currently in-use password(s) are provided to Iru Endpoint in the Legacy Firmware passwords section.
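Before assigning an Intel-based Mac to a Blueprint that carries this library item, it helps to know whether a firmware password is already set, because that password must be entered in the Legacy Firmware passwords section or the library item cannot replace it. The following shell script is an added example, not part of this article or of Iru Endpoint's own tooling: it classifies a Mac using the architecture from `uname -m` (`arm64` for Apple silicon, `x86_64` for Intel) and the output of Apple's `firmwarepasswd -check`, which must be run as root on macOS. The classification is kept in a separate function so it can be exercised on constructed output away from a Mac.

```shell
#!/bin/sh
# Added example (not Iru Endpoint code): decide whether an existing firmware
# password must be supplied as a Legacy Firmware password before the Recovery
# Password library item can manage the device.
#
# Apple silicon uses a Recovery Lock password that is set over MDM, so there is
# no local firmware-password state to migrate. Intel Macs use an EFI firmware
# password, and one that is already set can only be replaced if the current
# value is known to the management server.

# classify_firmware ARCH CHECK_OUTPUT
#   ARCH         output of `uname -m`
#   CHECK_OUTPUT output of `firmwarepasswd -check` (empty on Apple silicon)
# Prints one of:
#   apple-silicon     recovery password is applied via MDM, nothing to migrate
#   intel-legacy-set  firmware password exists; add it under Legacy passwords
#   intel-clear       no firmware password; the library item can set one directly
#   unknown           architecture or command output not recognised (exit 1)
classify_firmware() {
    arch="$1"
    check_output="$2"
    case "$arch" in
        arm64)  echo "apple-silicon"; return 0 ;;
        x86_64) ;;
        *)      echo "unknown"; return 1 ;;
    esac
    # firmwarepasswd -check prints "Password Enabled: Yes" or "Password Enabled: No".
    case "$check_output" in
        *"Password Enabled: Yes"*) echo "intel-legacy-set" ;;
        *"Password Enabled: No"*)  echo "intel-clear" ;;
        *)                         echo "unknown"; return 1 ;;
    esac
}

# live_check: run on the Mac itself (as root). On anything other than an
# Intel Mac with firmwarepasswd available, the check output is left empty.
live_check() {
    arch="$(uname -m)"
    out=""
    if [ "$arch" = "x86_64" ] && command -v firmwarepasswd >/dev/null 2>&1; then
        out="$(firmwarepasswd -check 2>/dev/null)" || out=""
    fi
    classify_firmware "$arch" "$out"
}

# Constructed sample inputs, so the logic can be tried off-device:
#   classify_firmware x86_64 "Password Enabled: Yes"   -> intel-legacy-set
#   classify_firmware x86_64 "Password Enabled: No"    -> intel-clear
#   classify_firmware arm64  ""                        -> apple-silicon
```

Run `live_check` with `sudo` on the Mac you are about to assign; a result of `intel-legacy-set` means the current firmware password has to be added to the library item first, otherwise the agent will report it cannot update the password.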
Mac computers with Apple silicon: The recovery password is applied and no user interaction is required.
Intel-based Mac computers: Users are prompted by the Kandji Agent to restart within 30 minutes after a legacy firmware password is applied, whether for the first time or when it is rotated. As with the FileVault library item, this countdown cannot be deferred.
After the recovery password has been set, the View Recovery Lock password action becomes available once the device's next daily check-in completes.
1. Access Device Action Menu
Open the Device Action Menu.
2. View Recovery Lock password
Click View Recovery Lock password.
When you remove the Recovery Password library item, the recovery password continues to appear on the device record even though it is no longer set on the device. It is cleared from the device record at the next daily check-in.
When you move a device between Blueprints, Iru Endpoint automatically updates the recovery password to match the new Blueprint’s settings. For instance, if you move a device from a Blueprint with randomized passwords to one with a fixed password, the device will switch to the fixed password automatically.
If you remove the Recovery Password library item from a Blueprint or move a device to a Blueprint that doesn’t have one, Iru Endpoint will attempt to remove the recovery password from the device.
When you delete a device record (which unenrolls it from Iru), macOS automatically removes any applied recovery password. However, legacy firmware passwords remain on the device and must be removed manually.
Intel-based Mac computers with the Apple T2 Security Chip have special behavior when receiving an Erase Device command. If a legacy firmware password is still present, the device performs a complete erase and requires a macOS reinstallation instead of the standard Erase All Content and Settings (EACS). To avoid this and preserve the EACS behavior, move the device to a Blueprint without a Recovery Password library item before sending the Erase Device command. This step isn't required for Mac computers with Apple silicon.