Posted on 07-22-2018 09:59 AM
Hi !
We are going to pilot TouchID in our environment in combination with Managed Mobile Accounts, so currently all our macOS devices have a configuration profile where the TouchID pane is disabled and also the features to unlock the Mac.
On my own machine I have removed that profile, and allowed TouchID.
What happens is, the syspref pane became accessible again, and all the checkboxes too.
When I configure a fingerprint, check the box, leave the syspref pane and go back to TouchID, the "Unlocking your mac" box is unchecked again.
Already done all the basics, like:
- rebooting
- re-enrolling into JSS
- Verified the correct configuration profiles are deployed and no other one is also disallowing.
Configured TouchID
Went back to TouchID Syspref pane, and box unchecked
Anyone ran into the same issue?
Posted on 07-27-2018 12:01 AM
BUMP
Posted on 08-20-2018 04:52 AM
same here. 10.13.6 ?
Posted on 08-20-2018 05:42 AM
We tried deleting all the fingerprints so we could try to re-enable and got this weird message:
At some point thought that maybe it was Kaspersky, so we disabled it, but we keep getting this odd error.
Posted on 09-03-2018 09:51 PM
same as above - also on 10.13.6
Posted on 09-04-2018 12:24 AM
Well, we made the Touch ID work again by deleting the Keychains.
Afterwards, it was necessary to repeat the fingerprinting process (and of course start capturing back all the passwords) but now the machine can be unlocked with Touch ID.
Posted on 09-04-2018 09:24 AM
sudo bioutil -w -s -u 1
Posted on 09-04-2018 06:26 PM
Perfect - that worked ! thanks @Rememberfarley
Even though a config profile was deployed with a Restrictions payload which enabled use of touch id to Unlock your Mac, the below error was displayed when attempting to run the above bioutil command.
"Unlock with Touch ID is managed via a config profile. You have to uninstall the config profile first.".
So you need to de-scope the config profile to exclude any affected devices, then run sudo bioutil -w -s -u 1 to enable, then if required re-scope the config profile with the setting enabled to the required device(s).
Potentially you could run the command fleet-wide via policy first, then deploy the config profile. Additionally you could also use an EA to determine devices that are encountering this issue, using bioutil -r to read the "Effective Touch ID for unlock" value, which shows as 0 for devices you would want to change.
We are fortunate that we are only just introducing macs with touch-bars, so no remediation required :)
Posted on 09-05-2018 03:01 AM
Had this issue with machines on my estate, as when they were enrolled the JSS was on v9.x. When I upgraded it to 10.4.1, the users could not unlock the machine using Touch ID and it kept resetting if it was enabled, but they could use TouchID with Apple Pay, etc.
After a bit of poking around, I found that I had to:
bioutil commands [see below]
bioutil -s -w -u 1
The full man page for bioutil:
Usage:
bioutil {-r | -w [-f { 0 | 1 }] [-u { 0 | 1 }] [-a { 0 | 1 }]} | [-c] | [-p] | [-d <uid>] [-s]
Options:
-r, --read Read current Touch ID settings
-w, --write Write new Touch ID settings
-s, --system Flag to read/write systemwide Touch ID settings or perform systemwide operations
-f, --function Enable (1) or disable (0) Touch ID functionality in general (system settings only)
-u, --unlock $value Enable (1) or disable (0) Touch ID for unlock
-a, --applepay $value Enable (1) or disable (0) Touch ID for ApplePay (user settings only)
-c, --count Print number of enrolled fingerprints of the current user or of all users (-s, administrator only)
-p, --purge Delete all enrolled fingerprints of the current user or of all users (-s, administrator only)
-d, --delete $uid Delete all enrolled fingerprints of the given user (administrator only)
Posted on 09-07-2018 03:07 AM
Hi,
So I had this issue with many clients. If anyone would like to know how I solved it, let me know!
Posted on 09-07-2018 10:27 AM
Can we all take a second and appreciate @Rememberfarley's profile picture.
Posted on 09-19-2018 08:14 AM
Thank you @ssrussell
Posted on 05-02-2019 01:38 AM
Is there any reason why bioutil -s -w -u 1 cannot work with Self Service? If I type it manually on a client in Terminal it resets the Touch ID.
But using a policy with the exact same command it does not remove the Touch ID. And in the logs there is no error, it just completes successfully.
Posted on 05-02-2019 06:58 AM
Probably because, through policy, it runs as root, not as user.
Posted on 05-03-2019 01:08 AM
Is there a way to build this into the script with the current user?
Posted on 05-03-2019 07:34 AM
Below are some EAs you can use to scope the removal of some profiles if TouchID is Enabled/Disabled or Unlock my Mac is active, etc.
TouchID Status
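#!/bin/bash
# Extension attribute: system-wide Touch ID functionality (0 = disabled, 1 = enabled).
# bash shebang because the [[ ]] tests below are not POSIX sh.
TouchIDStatus=$(bioutil -rs | grep functionality | awk '{print $4}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Enabled"
else
    # Anything other than 0 or 1 (including empty output) is reported as an error
    result="Error"
fi
echo "<result>$result</result>"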
TouchID Unlock my Mac
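#!/bin/bash
# Extension attribute: system-wide "Touch ID for unlock" setting (0 = disabled, 1 = enabled).
UnlockmymacStatus=$(bioutil -rs | grep unlock | awk '{print $5}')
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1" ]]; then
    result="Enabled"
else
    # Anything other than 0 or 1 (including empty output) is reported as an error
    result="Error"
fi
echo "<result>$result</result>"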
You can script the bioutil -s -w -u 1 command and this will reset the whole TouchID settings, no specific user required.
This command works best if there are no config profiles pushing settings about TouchID.
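The read, write and config-profile error handling discussed in the posts above, combined into one policy-style wrapper as an added example that is not part of any post: it writes only when the system-wide unlock value reads 0, recognises the "managed via a config profile" message, and re-reads the setting instead of trusting the policy log. It assumes `bioutil -r -s` prints `label: value` lines, as the awk field positions in the EAs imply; the function names, the `BIOUTIL` override and the result words are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Intended to run as root (e.g. from a policy).
BIOUTIL="${BIOUTIL:-bioutil}"   # overridable so the logic can be exercised off a Mac

# Print the number after the colon on the first line of $1 whose label contains $2.
# Assumes "label: value" lines, as the awk field positions in the EAs imply.
touchid_value() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" \
        'index($1, key) { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# Enable system-wide "Touch ID for unlock" only when it currently reads 0.
# Echoes one of: AlreadyEnabled, Fixed, ProfileBlocks, WriteFailed, ReadError.
remediate_unlock() {
    local state out
    state=$(touchid_value "$("$BIOUTIL" -r -s 2>&1)" "for unlock")
    case "$state" in
        1) echo "AlreadyEnabled"; return 0 ;;
        0) ;;
        *) echo "ReadError"; return 1 ;;
    esac
    # bioutil's exit status is not relied on; its message text is inspected instead.
    out=$("$BIOUTIL" -w -s -u 1 2>&1) || true
    case "$out" in
        *"managed via a config profile"*) echo "ProfileBlocks"; return 2 ;;
    esac
    # Re-read rather than trust the write: a policy can log success with no effect.
    state=$(touchid_value "$("$BIOUTIL" -r -s 2>&1)" "for unlock")
    if [ "$state" = "1" ]; then
        echo "Fixed"; return 0
    fi
    echo "WriteFailed"; return 1
}

# Act only where bioutil exists; elsewhere this file just defines the functions.
if command -v "$BIOUTIL" >/dev/null 2>&1; then
    remediate_unlock
fi
```

A `ProfileBlocks` result marks the devices that need the config profile de-scoped before the write is retried.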
Posted on 02-22-2021 08:13 AM
$ sudo bioutil -s -w -u 1
Unable to perform the operation. Make sure that the configuration you want to set is valid.
Error occured, err = 0x10000003.
Any ideas ?