Newer Macintosh systems can be protected with an Open Firmware password. This is a critical part of any Macintosh security scheme, because it prevents:
- Mounting the computer's hard disk on another computer via Target disk mode
- Changing the startup disk (to use a CD, DVD, or external disk of any sort) at boot time (using either the C or Option keys)
- Starting up the computer in Mac OS X single user mode
- … and more.
The complete list of capabilities blocked by the Open Firmware password is available in Apple Knowledgebase article 106482. This article should be considered authoritative for the Open Firmware password feature.
If you need to create an Open Firmware password, you should make it as strong as possible to resist attack; see "Mac os x password tips".
To reset the Open Firmware password once it has been enabled, you must have unfettered access to the interior of the computer. This means that if you want to prevent unauthorized people from disabling the Open Firmware password, you must lock the computer's case. All of Apple's desktop and laptop computer lines provide ways to lock the case.
If you request service from ITS and your computer is protected with an Open Firmware password, you must disable the password first or provide it to ITS staff. Otherwise, we cannot perform many kinds of service -- including steps that may be necessary to resolve your request -- on your system. If you do not provide it before service is attempted, ITS staff retain the right to reset your Open Firmware password (if possible) to complete the service.