Monday, 9 July 2018

JAMF JSS and checking Mac firmware versions

JAMF's JSS has a built-in capability to show what version of firmware a Mac has but this as of itself does not tell you if the firmware is too old, the correct version or even a newer than expected version.

With support for APFS boot drives in High Sierra and later requiring some Macs to have their firmware updated this is more of an issue than it used to be. Sadly Apple no longer provide standalone firmware updaters meaning there is no official Apple source of information to check what firmware version a Mac should be running.

Historically you in theory used to be able to ensure your Macs firmware was up-to-date simply by regularly running Apple's Software Update check and if there was a firmware update you would be informed and could run it.

Worryingly as per this article many Macs even if supposedly covered by Apple firmware updates via the Software Update mechanism still failed to get installed the correct version.

Duo-Labs therefore wrote their own tool to check whether a Mac has the correct firmware version. See - both a GUI version you can run locally and a command line version are available.

The purpose of this article is to describe how you can use the command line version of the EFIgy tool with JAMF to audit all your Macs and thereby find out whether any of your Macs has an out-of-date version of firmware.

Note: Since Apple no longer provide standalone firmware updaters the only official way to get newer firmware versions installed now is to either install the latest High Sierra version or the (at the time of writing) Mojave beta version. (Yes Mojave has for at least the Mac Pro 2010/2012 models even newer firmware than that included with the High Sierra installer.)

In order to get a result from EFIgy we need to use the command line version and have the result returned as an extension attribute to JSS. The following issues needed to be solved in order to achieve this.

  1. as its name suggests is a python script, it is more typical to use shell scripts to populate Extension Attributes but I suspect it would in theory be possible with a python script as it obeys the same shebang mechanism as a shell script. However as it turns out I needed to front-end it with a standard shell script so the fact it is a python script became immaterial.
  2. either needs the python certifi module to be installed or a cacert.pem file to be in the same location as the python script.
  3. as standard requires human interaction to answer a question with a yes or no answer.
  4. The result from is rather verbose, my current solution condenses this significantly down to a single line but it could in theory be further abbreviated down to one of 'up2date', 'outofdate', 'newer', 'model_unknown' or 'build_unknown'.

In order of what needs to be done, here is how I solved these issues.

  1. I modified the standard script to add an additional command line parameter -a which when used will automate the running of the script - in other words if you include this parameter it will not ask you the Y/N question but will run as if you said Y. (Fixes issue 3)
  2. I used my previously discussed solution on how to use the shell script CAT EOF feature to include multiple files, via this I encoded both the and the cacert.pem files inside my shell script and my script will then automatically 'restore' them in to a temporary folder. My script will then run the python script from that temporary folder.  (Fixes issues 1 & 2)
  3. My shell script then takes the result returned by the python script and extracts just the single line that contains the desired result. (Fixes issue 4)

Note: This means you cannot use the (current) standard version of you must you my modified version. I have however submitted an enhancement request to the original authors and provided them with details of the change I made to achieve this.

Note: As an aside, whilst creating this solution I discovered that JSS runs shell scripts on client machines from working directory of /private/var/<nameofjamfaccount>/

Here is how you need to configure the Extension Attribute in JSS.

Here is the script - including the encoded and cacert.pem files. If your being paranoid - and you always should, you should either run this first on a test Mac or otherwise decode the encoded files and examine their content to reassure yourself they are not malicious.

For the more adventurous amongst you, some people have found a way to extract the firmware installers from a High Sierra installer app to produce a standalone firmware installer package file. I have used this approach myself on a few Macs. See

No comments:

Post a Comment