Back in the beginning of September, I was reading Arek Dreyer’s book on Lion Server’s new Profile Manager, and testing it out with my own devices to see how things work. I tried the lock function on my Mid 2011 MacBook Air, and much to my surprise, the passcode I used to lock the machine wouldn’t unlock it.
After a lot of time on the phone with Apple Enterprise Support, it was determined that the only way to fix the issue was to clear out the firmware password. Of course, on this particular model, the firmware can only be cleared out with a hash obtainable by an Apple Retail store or an AASP (http://support.apple.com/kb/TS3554).
This means that when locking a computer using Profile Manager, the lock takes place at the firmware level. This is good for security, but bad if/when things go wrong on models that are only able to be unlocked by service providers.
I took the computer to my local AASP and explained the problem to them, and they were able to clear out the firmware password and unlock my machine. While they were working on the issue, I did some thinking and realized that I had previously set a firmware password on this machine, and that the cause of the issue could be the two firmware passwords conflicting.
With the AASP promising to clear out the firmware password if I bricked the machine again, I did some testing right there in their shop. I was able to prove consistently that without a firmware password already in place, I was able to lock and unlock the machine as expected. As soon as a firmware password was put in place, the unlock code failed every time.
I went back to Apple Enterprise Support with my findings, and they forwarded me to Engineering, who confirmed that they were able to replicate my results.
Fast forward to mid-October, and Apple Enterprise Support has informed me that the 10.7.2 updates (client: http://support.apple.com/kb/DL1458 and server: http://support.apple.com/kb/DL1460) as well as the Recovery Partition update (http://support.apple.com/kb/DL1464) have resolved the issue. My testing has confirmed that this bug is fixed.
Special thanks to Zarin at MacSpecialist in Chicago for helping me troubleshoot the issue, and Steve and Peter at Apple Enterprise Support for helping me report the bug to Apple Engineering.