
Hi!



We are going to pilot TouchID in our environment in combination with Managed Mobile Accounts, so currently all our macOS devices have a configuration profile where the TouchID pane is disabled and also the features to unlock the Mac.



On my own machine I have removed that profile and allowed TouchID.
What happens is, the syspref pane became accessible again, and all the checkboxes too.
When I configure a fingerprint and check the box, then leave the syspref pane and go back to TouchID, the "Unlocking your Mac" box gets unchecked again.



Already done all the basics like:
- rebooting
- re-enrolling into JSS
- Verified the correct configuration profiles are deployed and no other one is also disallowing.



Configured TouchID



Went back to TouchID Syspref pane, and box unchecked



Anyone ran into the same issue?

BUMP


Same here. 10.13.6?


We tried deleting all the fingerprints so we could try to re-enable and got this weird message:

At some point we thought that maybe it was Kaspersky, so we disabled it, but we keep getting this odd error.


Same as above - also on 10.13.6


Well, we made the Touch ID work again by deleting the Keychains.



Afterwards, it was necessary to repeat the fingerprinting process (and of course start capturing back all the passwords) but now the machine can be unlocked with Touch ID.


sudo bioutil -w -s -u 1


Perfect - that worked! Thanks @Rememberfarley



Even though a config profile was deployed with a Restrictions payload which enabled use of Touch ID to Unlock your Mac, the below error was displayed when attempting to run the above bioutil command.
"Unlock with Touch ID is managed via a config profile. You have to uninstall the config profile first.".
So you need to de-scope the config profile to exclude any affected devices, then run sudo bioutil -w -s -u 1 to enable, then if required re-scope the config profile with the setting enabled to the required device(s).
Potentially you could run the command fleet-wide via policy first, then deploy the config profile. Additionally, you could also use an EA to determine devices that are encountering this issue, using bioutil -r to read in the "Effective Touch ID for unlock" value, which shows as 0 for devices you would want to change.
We are fortunate that we are only just introducing Macs with Touch Bars, so no remediation required :)


Had this issue with machines on my estate as when they were enrolled, the JSS was on v9.x. When I upgraded it to 10.4.1, the users could not unlock the machine using Touch ID and it kept resetting if it was enabled, but they could use TouchID with Apple Pay, etc.



After a bit of poking around, I found that I had to:




  1. Exclude their machine from the MDM profile

  2. Run the bioutil commands [see below]

  3. Re-apply the MDM

  4. Re-add their fingerprints.



bioutil -s -w -u 1


The full man page for bioutil:



Usage:
bioutil {-r | -w [-f { 0 | 1 }] [-u { 0 | 1 }] [-a { 0 | 1 }]} | [-c] | [-p] | [-d <uid>] [-s]

Options:
-r, --read Read current Touch ID settings
-w, --write Write new Touch ID settings
-s, --system Flag to read/write systemwide Touch ID settings or perform systemwide operations
-f, --function Enable (1) or disable (0) Touch ID functionality in general (system settings only)
-u, --unlock $value Enable (1) or disable (0) Touch ID for unlock
-a, --applepay $value Enable (1) or disable (0) Touch ID for ApplePay (user settings only)
-c, --count Print number of enrolled fingerprints of the current user or of all users (-s, administrator only)
-p, --purge Delete all enrolled fingerprints of the current user or of all users (-s, administrator only)
-d, --delete $uid Delete all enrolled fingerprints of the given user (administrator only)

Hi,



So I had this issue with many clients. If anyone would like to know how I solved it, let me know!


Can we all take a second and appreciate @Rememberfarley's profile picture.


Thank you @ssrussell


Is there any reason why bioutil -s -w -u 1 cannot work with Self Service? If I type it manually on a client in Terminal it resets the Touch ID.
But using a policy with the exact same command, it does not remove the Touch ID, and in the logs there is no error, it just completes successfully.


Probably because, through policy, it runs as root, not as user.


Is there a way to build this into the script with the current user?


Below are some EAs you can use to scope the removal of some profiles if TouchID is enabled/disabled or Unlock my Mac is active, etc.



TouchID Status



#!/bin/bash

# Jamf EA: report whether Touch ID functionality is enabled systemwide.
# Match only the line that starts with "Touch ID functionality:" (so a later
# "Effective ..." line cannot add a second value) and take its last field.
TouchIDStatus=$(bioutil -r -s | awk '/^[ \t]*Touch ID functionality:/ {print $NF; exit}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"


TouchID Unlock my Mac



#!/bin/bash

# Jamf EA: report whether Touch ID is enabled for "Unlock your Mac" systemwide.
# Anchor on "Touch ID for unlock:" at line start so the
# "Effective Touch ID for unlock:" line is not matched as well.
UnlockmymacStatus=$(bioutil -r -s | awk '/^[ \t]*Touch ID for unlock:/ {print $NF; exit}')
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"
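The EAs above, the earlier suggestion to scope remediation on the "Effective Touch ID for unlock" value, and the question about running bioutil as the logged-in user rather than as root all hinge on the same two pieces: reading one labelled value out of bioutil -r -s output, and deciding what to do with it. The script below is an added example, not code from this thread or from Apple or Jamf. It assumes the bioutil -r -s report prints one "label: value" line per setting with the three labels seen in this thread (the sample output is constructed to that shape), and that the launchctl asuser / sudo -u pattern is an acceptable way to run a command as the console user from a root policy; the function and variable names are the example's own.

```bash
#!/bin/bash
# Added example (not from the thread): parse `bioutil -r -s` output into an
# EA result and decide whether a Mac still needs the unlock remediation.
# Assumption: each setting is one line ending in ": <0|1>" with the labels
# "Touch ID functionality", "Touch ID for unlock", "Effective Touch ID for unlock".

# Constructed sample output shaped like the lines the thread's EAs grep for.
# On a real Mac replace it with:  OUTPUT="$(bioutil -r -s)"
SAMPLE_OUTPUT='System Touch ID configuration:
	Touch ID functionality: 1
	Touch ID for unlock: 1
	Effective Touch ID for unlock: 0'

# bioutil_field OUTPUT LABEL -> prints the value after "LABEL:".
# The label must start the (whitespace-trimmed) line, so asking for
# "Touch ID for unlock" does not also pick up "Effective Touch ID for unlock".
bioutil_field() {
    printf '%s\n' "$1" | awk -v label="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # strip leading whitespace
            if (index(line, label ":") == 1) {  # label must open the line
                print $NF                       # value is the last field
                exit
            }
        }'
}

# status_word VALUE -> Enabled / Disabled / Error, the vocabulary the EAs use.
status_word() {
    case "$1" in
        1) echo "Enabled" ;;
        0) echo "Disabled" ;;
        *) echo "Error" ;;
    esac
}

# needs_unlock_fix OUTPUT -> succeeds when the effective unlock value is 0,
# i.e. a device you would scope the bioutil remediation to.
needs_unlock_fix() {
    [ "$(bioutil_field "$1" "Effective Touch ID for unlock")" = "0" ]
}

# Run bioutil as the logged-in console user instead of root (Jamf policies run
# as root). Assumed pattern: launchctl asuser + sudo -u; macOS only, not
# exercised here because the sample output is static.
bioutil_as_console_user() {
    local user uid
    user="$(stat -f '%Su' /dev/console)"
    uid="$(id -u "$user")"
    launchctl asuser "$uid" sudo -u "$user" bioutil "$@"
}

# EA-style output for the sample, plus the remediation decision.
echo "<result>$(status_word "$(bioutil_field "$SAMPLE_OUTPUT" "Touch ID for unlock")")</result>"
if needs_unlock_fix "$SAMPLE_OUTPUT"; then
    echo "Effective unlock is 0: de-scope the profile, then run: sudo bioutil -w -s -u 1"
fi
```

With the constructed sample the EA line prints Enabled (the systemwide setting is 1) while the effective value is 0, which is exactly the mismatch an inventory search would use to find Macs that still need the profile de-scoped and bioutil run.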


You can script the bioutil -s -w -u 1 command and this will reset the whole TouchID settings, no specific user required.
This command works best if there are no config profiles pushing settings about TouchID.


$ sudo bioutil -s -w -u 1
Unable to perform the operation. Make sure that the configuration you want to set is valid.
Error occured, err = 0x10000003.


Any ideas?



It has been a couple of years since this topic was hot, but I am interested in how you solved it?

