Using EFI password "full" security isn't working
Hi,
I'm trying to use the EFI Password Utility to prohibit any attempt to boot my MacBook Pro without the correct password. I used the utility available on the MacBook Pro's supplied install DVD, and so far have successfully prevented the use of any keystrokes on boot without the correct password (i.e. "command" mode). However, I am unable to set the EFI to prohibit any attempt to boot.
Apple documents in its "Mac OS X: Security Configuration - For Mac OS X Version 10.6 Snow Leopard" PDF manual that:
You can also configure EFI from the command line by using the nvram tool. […]
You can set the security mode to one of the following values:
[…]
Full: This value requires a password to start up or restart your computer. It also requires a password to make changes to EFI.
For example, to set the security-mode to full you would use the following command:
$ sudo nvram security-mode=full
I applied this setting, but it doesn't appear to be working. The redacted output of "nvram -x -p" is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EFICapsule_Result</key>
<data>
REDACTED
</data>
<key>SmcFlasherResult</key>
<data>
REDACTED
</data>
<key>SystemAudioVolume</key>
<data>
REDACTED
</data>
<key>boot-image</key>
<data>
REDACTED
</data>
<key>efi-apple-payload0</key>
<data>
REDACTED
</data>
<key>efi-apple-payload0-data</key>
<data>
REDACTED
</data>
<key>efi-apple-recovery</key>
<data>
REDACTED
</data>
<key>efi-boot-device</key>
<data>
REDACTED
</data>
<key>efi-boot-device-data</key>
<data>
REDACTED
</data>
<key>gpu-policy</key>
<data>
REDACTED
</data>
<key>prev-lang:kbd</key>
<data>
REDACTED
</data>
<key>security-mode</key>
<string>full</string>
</dict>
</plist>
What makes it confusing is that Apple specifies later on the same page (56) that the term passed to the "security-mode" option should be encased in quotes:
# Secure startup by setting security-mode. Replace $mode-value with
# "command" or "full."
sudo nvram security-mode="$mode-value"
So, assuming that I may have used the wrong version of the command, and thereby not applied the setting correctly, I deleted the "security-mode" key using:
sudo nvram -d security-mode
I then re-applied the setting using:
sudo nvram security-mode=full
because I was confident that, initially, I had used the version with quotes. However, it's made no difference - booting the machine does not require entry of an EFI password.
Oddly, the EFI still prevents the use of keystrokes (i.e. "command" mode), so it's definitely functional; I just can't tell it to use "full" mode. Also, I note that "security-mode" is the only key to have a "string" child not a "data" child - is this indicative of a problem?
Any advice?
MacBook Pro, Mac OS X (10.6.8), Early-2011 model, 4GB RAM, SSD
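
A way to check what the "nvram -x -p" dump above actually stores for security-mode, including whether stray quotes ended up in the value and whether it is held as a string or as data. This is an added example, not part of the original post or Apple's manual; the function name, status labels and sample dump are constructed for illustration, and the accepted modes are only the two named in the quoted manual text.

```python
import plistlib

# Modes named in the manual text quoted in the post (assumption: only these two).
DOCUMENTED_MODES = {"command", "full"}

# Constructed sample in the shape of `nvram -x -p` output; values are made up.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SystemAudioVolume</key>
    <data>QA==</data>
    <key>security-mode</key>
    <string>full</string>
</dict>
</plist>
"""


def audit_security_mode(xml_bytes):
    """Return (status, detail) for security-mode in an nvram XML dump."""
    variables = plistlib.loads(xml_bytes)
    if "security-mode" not in variables:
        return ("missing", "security-mode is not set")

    raw = variables["security-mode"]
    if isinstance(raw, bytes):
        # <data> children decode to bytes; drop a trailing NUL before comparing.
        kind, text = "data", raw.rstrip(b"\x00").decode("ascii", "replace")
    else:
        kind, text = "string", str(raw)

    # Quotes or whitespace stored as part of the value would not match a mode name.
    if text != text.strip() or text != text.strip("\"'"):
        return ("malformed", f"{kind} value {text!r} has stray quotes or whitespace")
    if text not in DOCUMENTED_MODES:
        return ("unexpected", f"{kind} value {text!r} is not a documented mode")
    return ("ok", f"security-mode={text} stored as {kind}")


if __name__ == "__main__":
    print(audit_security_mode(SAMPLE))
```

The check only reports what is stored in NVRAM; it does not show whether the firmware enforces that mode at boot.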