Aug 21, 2012 6:49 AM (in response to jonathan.enriquez)
There isn't an OS in the world that can be locked down against a knowledgeable person with direct access to a computer. Even a firmware password can be worked around. If necessary, lock your computer away in a separate room or safe, or if it's a Mac tower, even consider removing the hard drive at the end of the day. But basically, you need to find out who has access to your Mac and keeps changing it, and fire them (or have them fired), or kick them out if they're a roommate.
Aug 21, 2012 6:56 AM (in response to Kurt Lang)
Thank you Kurt, but I was looking for more of an enterprise solution.
Aug 21, 2012 7:07 AM (in response to jonathan.enriquez)
Yup, but the reality is you can't fully lock down any computer against a person sitting in front of one. At least not a person who knows how to get around your attempts to block them.
Aug 21, 2012 7:14 AM (in response to jonathan.enriquez)
It isn't fsck that resets the password, by the way. It is Single User Mode where you enter the commands, and that's easy to enter.
An Open Firmware password makes it a lot more difficult for somebody to reset the password. I'm not sure how things are with new computers, but with older Macs you would have to remove memory chips to reset it. I guess you have to figure out if in your business you anticipate people bringing a screwdriver to work and disassembling their computer.
Aug 21, 2012 7:34 AM (in response to Kurt Lang)
To expand a bit on Limnos' comment. If you do set a firmware password, then IT would have to be the ones at the start of each day (or any restart) to enter the password and allow the Mac to finish booting, standing there and waiting until it was at the desktop. If you were to give the firmware password to each employee, you'd gain nothing. All they'd have to do is enter the password and then go right into Single User Mode.
Setting up a firmware password is explained here. Also note it tells you three ways to remove the password.
Aug 21, 2012 7:36 AM (in response to Kurt Lang)
I think I found a solution. http://www.securemac.com/macosxsingleuser.php
Knowing to search for Single User Mode was very helpful.
Guys, let me know what you think. Thanks.
Aug 21, 2012 7:50 AM (in response to jonathan.enriquez)
Not sure if that would help. They note it works with build 4K78, which is 12 years back to OS X 10.0, which would be the era of PowerPC Macs and Open Firmware, which doesn't exist on Intel-based Macs. OS X has also changed drastically since then.
Aug 21, 2012 8:20 AM (in response to Kurt Lang)
Kurt Lang: I don't have firsthand experience with firmware passwords but my understanding (and supported by comments in the document you linked) is that it would not prevent normal booting of the machine for a regular user. It does, however, prohibit the actions (see list in the link) that would enable a person to override regular login. You could not, for example, start up in Single User Mode to reset the admin password, or use a separate startup volume to get access to the system files from the "outside". You would not have to have an IT person sitting there at startup every day ready to login at the base level before the user could then get into their account.
Aug 21, 2012 8:18 AM (in response to jonathan.enriquez)
Guys, let me know what you think. Thanks.
It looks like the links to that item are all dead.
Aug 21, 2012 8:50 AM (in response to Limnos)
It does, however, prohibit the actions (see list in the link) that would enable a person to override regular login.
As Limnos noted, those links appear to be long dead. They were also created for the very first version of OS X. I think it would be pretty much a guarantee they wouldn't work on any newer Mac, even if you could download them.
You would not have to have an IT person sitting there at startup every day ready to login at the base level before the user could then get into their account.
Yes, you are correct. My mistake above. However, it would be imperative that the user not know the Admin account name and password for that Mac so they couldn't disable the firmware password.
Aug 21, 2012 9:11 AM (in response to Kurt Lang)
I believe the only direct way to remove the firmware password would be for a person to do it in the firmware password setup, and for that you need to know the firmware password. Even if you know the admin. password, that will not bypass firmware password level restrictions. The firmware password operates at a much lower level than any of the OSX features. You wouldn't even need to have OSX installed, and the firmware password features would still be active if you set them up. That's why you really have to start taking apart the computer in order to reset them, and I am not sure if even that will work with all Mac models; you may have to take it into an Apple Store.
If you set a firmware password, do not forget it or you are really in a mess.
Aug 21, 2012 9:42 AM (in response to Limnos)
According to Apple's article, the Admin user can remove or change a firmware password:
Warning: The Open Firmware Password can be reset and changed by any one of the following (except MacBook Air):
- By any administrator user, as designated in the Accounts preferences (or in Server Admin).
So if you knew the Admin name and password, you could log in to the Admin account and change or remove the password in the Account settings of the System Preferences. While a firmware password blocks a variety of ways to start up your Mac or boot to another drive, it doesn't appear to block logging out of an account and switching over to the Admin account.
Really bad if you have a disgruntled employee who then changes the firmware password so only they know it.
Aug 21, 2012 10:55 AM (in response to Kurt Lang)
Interesting, thanks. Still, if a person does not trust an employee sufficiently to provide them with administrator access in the first place, and there is a firmware password set so they cannot hack admin. access, they will not be able to get into the administrator features. If you trust them enough to provide them with admin. access, then they already have open access to the computer, and it doesn't matter if you set a firmware password they can remove. So the firmware password does provide a reasonable level of security against unauthorized admin. status, unless you're worried about somebody walking off with the computer, but that's a whole different level of security concern.
Aug 21, 2012 11:06 AM (in response to Limnos)
Haha! Yes, it's kind of a Catch-22. Somebody has to be able to reset the firmware password, or the Mac would be locked in its current state essentially forever, since no one would be able to install a new OS (on a bootable disk or flash drive). So the Admin is the only account which can do that.
But there are still other ways around it. The second way Apple's article notes is:
Via physical access to the inside of the computer.
It doesn't elaborate what you would do (good thing!). Apple was smart enough there not to be too verbose.
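The thread's practical conclusion is that a firmware password only holds up if the people using the Mac are not local administrators, since any admin can remove it. The following audit script is an added example and is not from the thread or from Apple; it assumes an Intel Mac running macOS 10.10 or later, where Apple's `firmwarepasswd -check` (run as root) prints a line reading `Password Enabled: Yes` or `Password Enabled: No`, and where `dscl . -read /Groups/admin GroupMembership` lists the local admin group's members. The sample command output embedded below is constructed so the parsing helpers can be exercised without a Mac; the allowed-admin list (`root itadmin`) is a hypothetical policy.

```shell
#!/bin/sh
# Added example (not the thread's or Apple's code): report whether a firmware
# password is set and whether anyone outside an allowed list is a local admin.
# Assumes Intel Mac, macOS 10.10+, `firmwarepasswd` and `dscl` available.

# Constructed sample output, standing in for the real commands during a dry run.
SAMPLE_FW_ON="Password Enabled: Yes"
SAMPLE_FW_OFF="Password Enabled: No"
SAMPLE_GROUP="GroupMembership: root itadmin jsmith"

# fw_enabled TEXT -> prints 1 if the firmwarepasswd output reports a password, else 0
fw_enabled() {
    case "$1" in
        *"Password Enabled: Yes"*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# admin_members TEXT -> prints one admin group member per line from dscl output
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: //p' | tr ' ' '\n' | sed '/^$/d'
}

# unexpected_admins TEXT ALLOWED -> prints members of the admin group that are
# not in the space-separated ALLOWED list (these users could remove the firmware password)
unexpected_admins() {
    for u in $(admin_members "$1"); do
        case " $2 " in
            *" $u "*) ;;
            *) echo "$u" ;;
        esac
    done
}

# report FW_TEXT GROUP_TEXT ALLOWED -> prints findings; returns 0 when the Mac
# has a firmware password and no unexpected admins, 1 otherwise
report() {
    status=0
    if [ "$(fw_enabled "$1")" -eq 1 ]; then
        echo "firmware password: enabled"
    else
        echo "firmware password: NOT set (Single User Mode and alternate boot volumes are unblocked)"
        status=1
    fi
    extra=$(unexpected_admins "$2" "$3")
    if [ -n "$extra" ]; then
        echo "unexpected local admins (can remove the firmware password): $extra"
        status=1
    else
        echo "local admins: only $3"
    fi
    return $status
}

# Live mode: `sudo sh audit.sh --live "root itadmin"` runs the real commands.
# Without --live the constructed samples are used, so the script runs anywhere.
if [ "$1" = "--live" ]; then
    fw_out=$(/usr/sbin/firmwarepasswd -check 2>/dev/null || true)
    grp_out=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)
    report "$fw_out" "$grp_out" "${2:-root}"
else
    report "$SAMPLE_FW_ON" "$SAMPLE_GROUP" "root itadmin"
fi
```

With the constructed samples the script reports the firmware password as enabled but flags `jsmith` as an admin outside the allowed list, which is exactly the situation Kurt describes: a user who can log out, switch to an admin account, and clear or change the password. On a real machine, run it as root in `--live` mode as part of routine device checks.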