Following a twit by Richard Trouton, I thought it would be good to implement sudo in Touch ID authentication for our developers as one of the benefits to Sonoma, since Sonoma makes the change persistent even when updates are made.
If you are interested follow the link to Richard Trouton's Wordpress site (https://derflounder.wordpress.com/2023/10/14/enabling-touch-id-authentication-for-sudo-on-macos-sono...)
However, upon implementation I needed an EA to check if the authentication had been enabled or not since I implemented two self service policies; one to enable and the other to disable.
Since the policies are ongoing, I needed smart computer groups to exclude enabled computers when the policy was enabled and only present the disable policy and vice versa.
this is the EA that I used which reports if Touch ID has been enabled or not
-------------------
#!/bin/bash
# Check if the file exists
if [ -e /etc/pam.d/sudo_local ]; then
# Check if the specific line exists and is uncommented
if grep -qE '^[^#]*auth\s+sufficient\s+pam_tid.so' /etc/pam.d/sudo_local; then
result="Yes"
else
result="No"
fi
else
result="No"
fi
echo "<result>$result</result>"
-------------------------------
The EA reports fine. However, I then realised that I also needed another EA which can be used to determine if a computer has a Touch ID sensor or not since it would be pointless providing the policy to devices without the sensor.
Here is the EA I used to determine the Touch ID sensor.
-----------------------------
#!/bin/bash
# Check if the Touch ID sensor is present
if [[ -e "/usr/bin/bioutil" ]]; then
# Touch ID sensor is present
result="Yes"
else
# Touch ID sensor is not present
result="No"
fi
echo "<result>$result</result>"
--------------------------------------------------
So far they are both working fine.
