Configuration Profile; TouchID - Unlock your Mac

ThijsX
Valued Contributor

Hi !

We are going to pilot TouchID in our environment in combination with Managed Mobile Accounts, so currently all our macOS devices have a configuration profile where the TouchID pane is disabled and also the feature to unlock the Mac.

On my own machine I have removed that profile and allowed TouchID.
What happens is, the syspref pane became accessible again, and all checkboxes too.
When I configure a fingerprint and check the box, then leave the syspref pane and go back to TouchID, the "Unlocking your mac" box is unchecked again.

Already done all the basics like:
- rebooting
- re-enrolling into JSS
- Verified the correct configuration profiles are deployed and no other one is also disallowing.

Configured TouchID

Went back to TouchID Syspref pane, and box unchecked

Anyone ran into the same issue?


ThijsX
Valued Contributor

BUMP

spotmac
New Contributor III

same here. 10.13.6 ?

bearzooka
Contributor

We tried deleting all the fingerprints so we could try to re-enable and got this weird message:
At some point we thought that maybe it was Kaspersky, so we disabled it, but we keep getting this odd error.

RJH
Contributor

same as above - also on 10.13.6

bearzooka
Contributor

Well, we made the Touch ID work again by deleting the Keychains.

Afterwards, it was necessary to repeat the fingerprinting process (and of course start capturing back all the passwords) but now the machine can be unlocked with Touch ID.

Rememberfarley
New Contributor III

sudo bioutil -w -s -u 1

RJH
Contributor

Perfect - that worked ! thanks @Rememberfarley

Even though a config profile was deployed with a Restrictions payload which enabled use of Touch ID to Unlock your Mac, the below error was displayed when attempting to run the above bioutil command:
"Unlock with Touch ID is managed via a config profile. You have to uninstall the config profile first."
So you need to de-scope the config profile to exclude any affected devices, then run sudo bioutil -w -s -u 1 to enable, then if required re-scope the config profile with the setting enabled to the required device(s). Potentially you could run the command fleet-wide via policy first, then deploy the config profile. Additionally you could also use an EA to determine devices that are encountering this issue, using bioutil -r to read in the "Effective Touch ID for unlock" value, which shows as 0 for devices you would want to change. We are fortunate that we are only just introducing Macs with Touch Bars, so no remediation required :)

Tangentism
Contributor II

Had this issue with machines on my estate, as when they were enrolled the JSS was on v9.x. When I upgraded it to 10.4.1, the users could not unlock the machine using Touch ID and it kept resetting if it was enabled, but they could use Touch ID with Apple Pay, etc.

After a bit of poking around, I found that I had to:

  1. Exclude their machine from the MDM profile
  2. Run the bioutil commands [see below]
  3. Re-apply the MDM
  4. Re-add their fingerprints.

bioutil -s -w -u 1

The full man page for bioutil:

Usage:
bioutil {-r | -w [-f { 0 | 1 }] [-u { 0 | 1 }] [-a { 0 | 1 }]} | [-c] | [-p] | [-d <uid>] [-s]

Options:
    -r, --read                      Read current Touch ID settings
    -w, --write                     Write new Touch ID settings
    -s, --system                    Flag to read/write systemwide Touch ID settings or perform systemwide operations
    -f, --function                  Enable (1) or disable (0) Touch ID functionality in general (system settings only)
    -u, --unlock $value             Enable (1) or disable (0) Touch ID for unlock
    -a, --applepay $value           Enable (1) or disable (0) Touch ID for ApplePay (user settings only)
    -c, --count                     Print number of enrolled fingerprints of the current user or of all users (-s, administrator only)
    -p, --purge                     Delete all enrolled fingerprints of the current user or of all users (-s, administrator only)
    -d, --delete $uid               Delete all enrolled fingerprints of the given user (administrator only)

ThijsX
Valued Contributor

Hi,

So I had this issue with many clients. If anyone would like to know how I solved it, let me know!

russeller
Contributor III

Can we all take a second and appreciate @Rememberfarley's profile picture.

Rememberfarley
New Contributor III

Thank you @ssrussell

jameson
Contributor II

Is there any reason why bioutil -s -w -u 1 cannot work with Self Service? If I type it manually on a client in Terminal, it resets the Touch ID.
But using a policy with the exact same command, it does not remove the Touch ID. And in the logs there is no error, just "completed successfully".

sbennett1980
New Contributor

Probably because, through policy, it runs as root, not as user.

jameson
Contributor II

Is there a way to build this into the script with the current user?
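An added example (not code from anyone in the thread) of one way to do what this question asks, which also covers the EA idea in RJH's reply: when a Jamf policy script runs as root, resolve the console user, read that user's "Effective Touch ID for unlock" value, and only then run the per-user bioutil write inside that user's session. It assumes macOS with /usr/bin/bioutil and a script started as root; the helper names are the example's own.

```shell
#!/bin/bash
# Added example, not code from the thread. Runs the per-user Touch ID write as
# the console user when the script itself runs as root (e.g. a Jamf policy).
# Assumes: macOS with /usr/bin/bioutil, script started with root privileges.

# Owner of the GUI console session (the user whose settings we want to change).
console_user() {
    stat -f '%Su' /dev/console
}

# Succeed only for a real GUI user; fail for root, the login window, or
# Setup Assistant, where a per-user write makes no sense.
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Extract the "Effective Touch ID for unlock" value (0 or 1) from `bioutil -r`
# output read on stdin; prints nothing if the line is absent.
parse_effective_unlock() {
    awk '/^[[:space:]]*Effective Touch ID for unlock:/ {print $6}'
}

# Run a command inside the user's launchd session as that user, so bioutil
# touches the user's settings rather than root's.
run_as_console_user() {
    user="$1"; shift
    uid=$(id -u "$user") || return 1
    launchctl asuser "$uid" sudo -u "$user" "$@"
}

main() {
    cu=$(console_user)
    is_real_user "$cu" || { echo "No GUI user at console; skipping." >&2; return 1; }
    current=$(run_as_console_user "$cu" /usr/bin/bioutil -r | parse_effective_unlock)
    if [ "$current" = "1" ]; then
        echo "Touch ID unlock already effective for $cu"; return 0
    fi
    # Per-user setting (no -s): enable Touch ID for unlock for this user only.
    # As the thread notes, this is refused while a config profile manages the setting.
    run_as_console_user "$cu" /usr/bin/bioutil -w -u 1
}

# Only run when actually on macOS as root; the functions stay loadable elsewhere.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main "$@"
fi
```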

ThijsX
Valued Contributor

Below are some EAs you can use to scope the removal of some profiles depending on whether TouchID is enabled/disabled, Unlock my Mac is active, etc.

TouchID Status

#!/bin/bash

# Read the systemwide Touch ID settings and take the value of the
# "Touch ID functionality: N" line (0 = disabled, 1 = enabled).
TouchIDStatus=$(/usr/bin/bioutil -r -s | awk '/Touch ID functionality:/ {print $4}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"

TouchID Unlock my Mac

#!/bin/bash

# Read the systemwide Touch ID settings and take the value of the
# "Touch ID for unlock: N" line. The pattern is anchored to the start of the
# line so an "Effective Touch ID for unlock" line is not matched as well.
UnlockmymacStatus=$(/usr/bin/bioutil -r -s | awk '/^[[:space:]]*Touch ID for unlock:/ {print $5}')
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"

You can script the bioutil -s -w -u 1 command and this will reset the whole TouchID settings, no specific user required.
This command works best if there are no config profiles pushing settings about TouchID.

user-bxSJLotiNw
New Contributor

$ sudo bioutil -s -w -u 1
Unable to perform the operation. Make sure that the configuration you want to set is valid.
Error occured, err = 0x10000003.

Any ideas?