Configuration Profile; TouchID - Unlock your Mac

BUMP

same here. 10.13.6 ?

We tried deleting all the finger prints so we could try to reenable and got this weird message:

At some point thought that maybe it was Kaspersky, so we disabled it, but we keep getting this odd error.

same as above - also on 10.13.6

Well, we made the Touch ID work again by deleting the Keychains.

Afterwards, it was necessary to repeat the fingerprinting process (and of course start capturing back all the passwords) but now the machine can be unlocked with Touch ID.

sudo bioutil -w -s -u 1

Perfect - that worked ! thanks @Rememberfarley

Even though a config profile was deployed with a Restrictions payload which enabled use of touch id to Unlock your Mac, the below error was displayed when attempting to run the above bioutil command.
"Unlock with Touch ID is managed via a config profile. You have to uninstall the config profile first.".
So you need to de-scope the config profile to exclude any effected devices, then run the sudo bioutil -w -s -u 1 to enable, then if required re-scope the config profile with the setting enabled - to the required device(s). Potentially could run the command fleet-wide via policy first, then deploy config profile. Additionally you could also use an EA to determine devices that are encountering this issue using bioutil -r to read in the ""Effective Touch ID for unlock value" which shows as 0 for devices you would want to change. We are fortunate that we are only just introducing macs with touch-bars, so no remediation required :)

Had this issue with machines on my estate as when they were enrolled, the JSS was on v9.x. When I upgraded it to 10.4.1, the users could not unlock the machine using Touch ID and it kept resetting if it was enabled but they could use TouchID with Apple pay, etc.

After a bit of poking around, I found that I had to:

1. Exclude their machine from the MDM profile
2. Run the bioutil commands [see below]
3. Re-apply the MDM
4. Re-add their fingerprints.

bioutil -s -w -u 1

The full man page for bioutil:

Usage:
bioutil {-r | -w [-f { 0 | 1 }] [-u { 0 | 1 }] [-a { 0 | 1 }]} | [-c] | [-p] | [-d <uid>] [-s]

Options:
    -r, --read                      Read current Touch ID settings
    -w, --write                     Write new Touch ID settings
    -s, --system                    Flag to read/write systemwide Touch ID settings or perform systemwide operations
    -f, --function                  Enable (1) or disable (0) Touch ID functionality in general (system settings only)
    -u, --unlock $value             Enable (1) or disable (0) Touch ID for unlock
    -a, --applepay $value           Enable (1) or disable (0) Touch ID for ApplePay (user settings only)
    -c, --count                     Print number of enrolled fingerprints of the current user or of all users (-s, administrator only)
    -p, --purge                     Delete all enrolled fingerprints of the current user or of all users (-s, administrator only)
    -d, --delete $uid               Delete all enrolled fingerprints of the given user (administrator only)

Hi,

So i had this issue with many clients. if anyone would like to know how i solved it let me know!

Can we all take a second and appreciate @Rememberfarley profile picture.

Thank you @ssrussell

Is there any reason why bioutil -s -w -u 1 cannot work with self service. If I type it manually on a client in terminal it reset the touch ID
But using a policy with exact same it does not remove the touch ID. And in logs there is no error just complete successfully

Probably because, through policy, it runs as root, not as user.

Is there a way to build this into the script with current user ?

Below some EA's you can use to scope the removal of some profiles if TouchID is Enabled/Disabled or Unlock my Mac is active etc.

TouchID Status

#!/bin/sh

TouchIDStatus=`bioutil -rs | grep functionality | awk '{print $4}'`
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

TouchID Unlock my Mac

#!/bin/bash

UnlockmymacStatus=`bioutil -rs | grep unlock | awk '{print $5}'`
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

You can script the bioutil -s -w -u 1 command and this will reset the whole TouchID settings, no specific user required.
This command works best if there are no config profiles pushing settings about TouchID.

$ sudo bioutil -s -w -u 1
Unable to perform the operation. Make sure that the configuration you want to set is valid.
Error occured, err = 0x10000003.

Any ideas ?

It has been a couple of years this topic was hot, but am interested on how you solved it?