I enrolled a MacBook Air in our Jamf Pro instance, and prior to enrollment, the user unlocked the laptop with touch ID. Now, touch ID won't work. In my config profile, the "unlock with touch ID" box is checked. I even excluded the LT from the profile, but it still doesn't work. The user is able to create a new fingerprint through the touch ID panel in system preferences, but at the login screen isn't prompted to use it. This is a 2018 MacBook Air, 10.14.5, and is bound in AD. I know there are other posts about AD bindings breaking the touch ID, but the LT was bound before the Jamf enrollment and touch ID was working. Has anyone else experienced anything like this, or know of a way to fix it?
Solved
Touch ID Stopped Working after Enrollment
+5Best answer by larry_barrett
Fingerprint is stored on the T2 chip, need to clear it out.
Remove MDM profile.
bioutil -w -s -u 1
Re-add MDM profile
After that you should be able to add the fingerprint back and it should work.
I've never tested this but I'm interested in the answer.
+13After each reboot you are required to use the actual password. The Touch ID will work after first login (and then up until the next reboot).
Are you saying the Touch ID doesn't work at all, or just on the login screen?
+5@larry_barrett It doesn't work at the login screen. The user has logged out/in multiple times with their AD username/password, and even though touch ID is setup in system preferences, they aren't able to use it.
+5@larry_barrett The box is checked for unlocking your Mac, but when the Mac goes to sleep, the user has to use their password every time. And after signing in, he'll go back to system preferences > touch ID, and the box is now unchecked. I don't have any policies or profiles scoped out to this machine that would be repeatedly unchecking the box and not allowing touch ID sign-in, so I'm stumped.
+13
How about any configuration profiles (see photo) that restrict Allow Touch ID to unlock device? Even if you have 5 configurations that allow it, but one that does not, it would defer to the harshest restriction.
+5@larry_barrett I have one config profile scoped out to all devices. I had forgotten to check the "allow touch ID to unlock this device" box at first, so I went back and checked it. Had user retry, it still didn't work. So I excluded his LT from the profile completely, and he is able to create the fingerprint in system preferences, it just doesn't let him use it.
+13Fingerprint is stored on the T2 chip, need to clear it out.
Remove MDM profile.
bioutil -w -s -u 1
Re-add MDM profile
After that you should be able to add the fingerprint back and it should work.
I've never tested this but I'm interested in the answer.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.