Generate a randome EFI firmware password for each Mac and store in Jamf Pro. Note: This will be completely visible to all Jamf Pro users whose permissions allow access to Computers. Create an extension attritute with the first script.

Generate Random Firmware Password.bash

#!/bin/bash

function logresult()	{
    if [ $? = "0" ] ; then
        echo "$1"
    else
        echo "$2"
        exit 1
    fi
}

# verify whether a firmware password is set
echo "Checking for existing firmware password"
checkFirmwarePassword=$( /usr/sbin/firmwarepasswd -check )

# if a firmware password is already set, stop the script and report failure in Jamf Pro
if [ "$checkFirmwarePassword" != "Password Enabled: No" ] | [ -d /private/tmp/.fp ]; then
	echo "A firmware password is already set. Doing nothing."
	exit 0
else
	echo "No firmware password set"
fi


# create obscure directory
fpdirectory="/private/var/.fp"
/bin/mkdir -p "$fpdirectory"
logresult "Creating \"$fpdirectory\" directory" "Failed creating \"$fpdirectory\" directory"

# generate random password
randpassword=$( /usr/bin/openssl rand -hex 6 )
logresult "Generating 8-character firmware passcode: $randpassword" "Failed generating 8-character firmware passcode."

# write random password to temporary file
/usr/bin/touch "$fpdirectory/$randpassword"
logresult "Writing password to file \"$fpdirectory/$randpassword\"" "Failed writing password to file \"$fpdirectory/$randpassword\""

# update Jamf Pro computer record with firmware password and set only if inventory was updated
/usr/local/bin/jamf recon && /usr/local/bin/jamf setOFP -mode command -password "$randpassword"

# set the firmware password only after a successful inventory update to Jamf Pro
if [ $? = "0" ]; then
    echo "Updating Jamf Pro inventory to upload firmware password"
    echo "Setting firmware password"
    exit 0
else
    echo "Failed setting firmware password"
	exit 1
fi

Jamf Pro Extension Attribute

#!/bin/bash

echo "<result>$( ls /private/var/.fp )</result>"

exit 0

@talkingmoose
In the company I work, your solution has been implemented (before I joined) and works fine.
The only drawback I've just experienced is when you "startosinstall --eraseinstall" and re-enroll as pre-staged. The script worked as if no EFI password had been generated although there was one already. A new random key was created and uploaded in EA. But I have no trace of the original EFI password now.
Although there's a safety in the code to exit if it's Password Enabled, it does not seem to have worked for me. I've just earned the privilege of going to an AASP to have the computers reset.

@PascalAD if it's a t2 macbook, you should be able to revive the mac without data loss. But you're right, as said earlier this is a limitation of the script where jamf will delete it out if a machine is re-enrolled. If you use this, I would probably make use of a script that backs up your firmware passwords using api daily. Either that, or uploading it as an attachment

@dev-yeet thank you very much for the tip. I needed to go to the restore step. But now I don't EFI password anymore.

:/ you're right, I remembered wrong; dropping link in case it helps anyone else in the future.

https://mrmacintosh.com/how-to-remove-mac-firmware-password-new-way-if-you-have-a-2018-2020-t2-mac/