Add recovery password doc

zentralopensource · Dec 12, 2024 · 355107a · 355107a
1 parent 410c501
commit 355107a
Showing 1 changed file with 57 additions and 0 deletions.
diff --git a/docs/apps/mdm.md b/docs/apps/mdm.md
@@ -343,6 +343,63 @@ A Software Update Enforcement configuration can only be deleted if it is no long
 1. Navigate to *MDM > Overview > Software Update Enforcements*.
 2. Click the configuration name to review its settings before deleting and use the *Delete button* next to the configuration. Alternatively, you see a delete button already in the list right to the name.
 
+## Recovery Password Configuration
+
+Recovery Password Configuration manages **recoveryOS password protection** for Apple Silicon Macs and **firmware password protection** for Intel-based Macs via MDM. This will prevent unauthorized access to Macs when started in recovery mode.
+
+Zentral applies configurations based on the device platform:
+
+- **Apple Silicon Macs:** Protect recoveryOS with a dynamic or static password. Supports optional password rotation 
+- **Intel-Based Macs:** Enable firmware password protection, with the option for automatic rotation.
+
+An overview of the options:
+
+| **Option**                  | **Description**                                                  |
+|-----------------------------|------------------------------------------------------------------|
+| **Dynamic Password**        | Generates unique device passwords.       |
+| **Static Password**         | Sets a single password for all devices.                         |
+| **Rotation Interval (days)**| For Dynamic Passwords: Sets automatic rotation interval (`0` = rotation off). |
+| **Rotate Firmware Password**| For Dynamic Passwords: Enables firmware password rotation.      |
+
+### Configuring a Recovery Password
+
+1. Navigate to *MDM > Recovery Password Configurations*.
+2. Click the *Add* button to create a new blueprint.
+3. Complete the following options:
+   - **Name**: Enter a display name for the configuration.
+   - **Dynamic Password**: When enabled, unique passwords are generated for each device.
+   - **Static Password**: Provide a static password for use across devices *(only when dymaic password is deactivated)*.
+   - **Rotation Interval (days)**: Specify the number of days for automatic password rotation. Enter `0` to disable automatic rotation.
+   - **Rotate Firmware Password**: Select when firmware passwords should be rotated *(only applicable to Intel-based Macs)*.
+4. Click **Save** to apply the configuration.
+
+### Linking a Recovery Password Configuration to a Blueprint
+
+1. Navigate to *MDM > Overview > Blueprints*.
+2. Select or create a Blueprint to edit.
+3. Add the recovery password configuration to the blueprint.
+4. Click *Save* to link the configuration to the Blueprint.
+
+A recovery password configuration can be applied to multiple blueprints.
+
+### Update a Recovery Password Configuration
+
+To update an existing configuration:
+
+1. Navigate to *MDM > Overview > Recovery Password Configurations*.  
+2. Locate the desired configuration and click the *Edit* button next to it.  
+3. Adjust the settings as needed (refer to the configuration steps for guidance).  
+4. Click *Save* to apply the changes.  
+
+### Remove a Recovery Password Configuration
+
+A Recovery Password Configuration can only be deleted if it is not linked to any Blueprint. If the *Delete* button is unavailable, check associated Blueprints and ensure the configuration is no longer in use.
+
+1. Navigate to *MDM > Overview > Recovery Password Configurations*.  
+2. Review the configuration by clicking its name.  
+3. Use the *Delete* button in the list view or on the configuration details page.  
+4. Confirm the deletion when prompted.  
+
 ## HTTP API
 
 ### `/api/mdm/dep/devices/`