Disable new user account fingerprint prompt

bbarciz
Contributor

I am looking for suggestions on the best way to disable the touch ID / fingerprint prompts that come up when a new user logs into a Mac for the first time.  This is specifically on an iMac with the new keyboards with the fingerprint reader, I'm not sure if this differs from the MacBook Pro so I thought I would mention that.

1 ACCEPTED SOLUTION
23 REPLIES 23

Tribruin
Valued Contributor II

I have never tried it with iMac with TouchID keybaord, but have you disabled the TouchID/FaceID setup pane in the PreStage enrollment?

sdagley
Esteemed Contributor II

Fluffy
Contributor III

It confuses me why Jamf School has a feature that Jamf Pro is lacking...

If you use iMazing Profile Editor, there is a Setup Assistant payload that has an option for skipping Touch ID. You could create a profile with that and upload it to use.

bbarciz
Contributor

Thank you everyone for the suggestions!

@Tribruin  - Yes, the prestage is set to skip the screen.  And I believe that is working fine for the initial setup of a new device.  It is after we join the machine to our active directory environment that users get prompted when they log in for the first time on a machine.

@sdagley- I had seen that post before but wasn't sure the validity given the age of the post.  Do you have any personal experience with it?  If so, did you use one of the script links mentioned or what did you do?

@Fluffy  - That is really crazy if Jamf School has the ability to disable it easily and pro does not lol.  Thanks for the profile editor suggestion, I had not seen anything about the program while investigating other Mac items and may look into it.

sdagley
Esteemed Contributor II

@bbarciz I use a Configuration Profile (not the same one Rich posted in the article, but the setting is still the same)

It does seem to be working nicely for us as a configuration profile as well. 

Just curious - how to you normally create your config profiles?  Just looking for general suggestions to see if you have a better method than searching the internet for something that looks to do what I want.

Thanks for all your help!

bbarciz, can I ask what you ended up using for a config? I have been wrestling with this with new M1s on Monterey and rtrouton's config doesn't seem to be doing it for me. 

Well...... Your reply made me go back and do a dive into this setup.  I really thought that it had been addressed in my environment for new users, but apparently I was wrong lol.  I believe that my comment above was only actually meant for when a new computer was going through pre-stage enrollment, and not actually when a new user logs in.  I verified that I did receive the prompt as a new user on a machine.  Sorry for my previous mis-leading reply :-( 

What has been your experience trying the config from rtrouton?

drioux
Contributor

The same. I am prompted upon each new user. I have been working with JAMF and currently have it turned off in Prestage as well as in a the Configs applied. According to JAMF that should be all I need... but that doesn't seem to be the case right now

Gotcha.  I went and did find a previous task that I had closed out where I said I have a configuration profile setup for this and it was working.  I can't find it in Jamf though so maybe I accidentally deleted it.  I will try to setup the profile and see if I have any luck and give you an update.

Thanks

I had a chance this morning to re-setup the configuration profile and deploy it to a classroom that has M1 Macs in it.  This seems to be working properly for me.  On a computer where I do not have a user account already created, the setup touch ID step is skipped.  One thing that I did notice, is that the window tries to load for just a couple of seconds on the screen, but it never actually loads the contents of the window.  It just displays an empty rectangle where it would have the start of the steps and then disappears with no further interaction. 

For creating this profile, I used the iMazing Profile Editor software.  The option is in the interface, you enable it and then give it the other info and save it out.  Then you import this into Jamf.  I'm sure you could do this by hand though since it is a short profile.

This is the mobileconfig profile when opened in BBEdit:

Screen Shot 2022-05-12 at 11.01.13 AM.png

This is what is shown in System Preferences - Profiles:

Screen Shot 2022-05-12 at 11.03.56 AM.png

 Hopefully that helps!

I think I am missing something. I don't normally use iMazing and am having trouble going from it into JAMF with any success. Are you able to export the actual mobileconfig?

I also just recently found out about iMazing.  Yes, once you configure the setting(s), you do a file - save (as) and that will give you a file that you will import into Jamf's Configuration Profile area using the upload option (instead of the new option).

I don't think I have missed anything based on your description, but it still won't work. What are you using for the Preference Domain? I was using 'com.apple.SetupAssistant'

That is what I have put in the "Identifier" field in iMazing.  In the .mobileconfig file, it is listed in the "PayloadIdentifier" string value field.

I will also look at this as well. Thanks for the reply.

drioux
Contributor

Are you loading the Config onto your laptops via JAMF? Or another method?

So, I never put any thought into this at all until this reply.  I wonder if it is a difference in laptops vs desktops?  The M1 iMacs that we got in have the keyboard with Touch ID capability and that is what are in the lab that I was trying to have it disabled in.  I have not tried to do anything with this on MacBooks though.  Maybe that is why the results are different.

I was out for a couple days, so when I got back I read everything you replied with (thanks for taking the time), and when you wrote this I had "ahhhhhhh crap!" moment. I bet you that has a lot to do with it. It's like when you plug an external display into a Mac. Only then do your "Arrangement" choices show up under Display Prefs. This seems like the same sort of selective menu acknowledgment that the OS likes to do.

Yes I agree, only show options when the hardware is connect that supports it has both advantages and disadvantages!  Good luck, hopefully you can figure something out for your environment!

Thank you

Clo_9967
New Contributor

Hi @drioux - did you end up finding a solution for deployment via JAMF? I have gone down the iMazing config profile creation to no success. Appreciate any input :)