Macbook Pro 2016 (with TouchBar) - Disabling TouchID for "Unlocking your Mac":

Sachin_Parmar
Contributor

Hi All,

Just seeing if anyone out there has found a way to successfully disable just the Touch ID option for "Unlocking your Mac". I need to figure out a way to not tie a user's fingerprint to something like their AD password.

Picture for reference:

donmontalvo
Esteemed Contributor III

If there is a concern about AD lock-outs related to iPhone/AppleWatch/TouchBar, the issue appears to have been resolved in Public/Developer seed <redacted>

--
https://donmontalvo.com

bwiessner
Contributor II

You can do a configuration profile that blocks all System Preferences buttons that you do not specify.

The downside of this is that it will grey out or lock any 3rd party System Preferences it doesn't know about.

The other way to do this without blocking other prefs is to change the permissions on just the TouchID.prefPane file to no access, and then when or if a user clicks it they will be denied.

/System/Library/PreferencePanes/TouchID.prefPane

You will need to run the script or command as root - chmod this to something like 600 - owner has read and write but group and everyone have no access.

Sachin_Parmar
Contributor

Hi @bwiessner, it seems like the TouchID isn't available as a System Preferences restriction even in JSS 9.97. I don't particularly want to disable the preference pane entirely as I don't want to block Apple Pay and iTunes and App Store for Users just specifically "Unlocking your Mac". Guess it's just a waiting game for now?

Sachin_Parmar
Contributor

Just had a thought: I could potentially write a script that periodically sets the allowUnlockComputer key back to false for now. It's located in /System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/UserDefaults.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowStorePurchases</key>
    <false/>
    <key>allowUnlockComputer</key>
    <false/>
    <key>allowApplePay</key>
    <false/>
</dict>
</plist>

bwiessner
Contributor II

This is how the configuration profile looks when blocking all but the ones you select.

Like I said, changing the permissions on just the Touch ID pane has worked for me with no issues.

Change the permissions to just TouchID.prefpane file to no access and then when or if a user clicks it they will be denied.

chmod 600 /System/Library/PreferencePanes/TouchID.prefPane
You will need to run the script or command as root - chmod this to something like 600 - owner has read and write but group and everyone have no access.

perrycj
Contributor III

There is a built-in Apple binary to control Touch ID called bioutil. Here is a readout from the help page:

Options:
    -r, --read                      Read current Touch ID settings
    -w, --write                     Write new Touch ID settings
    -s, --system                    Flag to read/write systemwide Touch ID settings or perform systemwide operations
    -f, --function                  Enable (1) or disable (0) Touch ID functionality in general (system settings only)
    -u, --unlock $value             Enable (1) or disable (0) Touch ID for unlock
    -a, --applepay $value           Enable (1) or disable (0) Touch ID for ApplePay (user settings only)
    -c, --count                     Print number of enrolled fingerprints of the current user or of all users (-s, administrator only)
    -p, --purge                     Delete all enrolled fingerprints of the current user or of all users (-s, administrator only)
    -d, --delete $uid               Delete all enrolled fingerprints of the given user (administrator only)

Could probably use this to help disable it system wide or on demand.

madscripter
New Contributor II

Looks like this will be part of a Configuration Profile in 10.12.4
Of course Jamf server will need to be updated once 10.12.4 is out.

allowFingerprintForUnlock Boolean Optional. If false, prevents Touch ID from unlocking a device.
Availability: Available in iOS 7 and later and in macOS 10.12.4 and later.

donmontalvo
Esteemed Contributor III

@perrycj this is hugely helpful, thanks!

man bioutil | col -bx > /path/to/manpage_bioutil.txt

bioutil(1)                BSD General Commands Manual               bioutil(1)

NAME
     bioutil -- tool for viewing/changing Touch ID configuration and list-
     ing/deleting enrolled fingerprints

SYNOPSIS
     bioutil {-r | -w [-f { 0 | 1 }] [-u { 0 | 1 }] [-a { 0 | 1 }]} | [-c] |
             [-p] | [-d <uid>] [-s]

DESCRIPTION
     bioutil provides the possibility of viewing and changing Touch ID config-
     uration, both system-wide and user-specific. It also allows listing and
     deleting enrolled fingerprints.

OPTIONS
     -r, --read
              Read Touch ID configuration.

     -w, --write
              Write Touch ID configuration.

     -s, --system
              Indicates that system-wide configuration is to be read/written
              (user-specific configuration is the default) or that a system-
              wide list/delete operation is to be performed.

     -f, --function
              Enables (1) or disables (0) overall Touch ID functionality (sys-
              tem-wide configuration only).

     -u, --unlock
              Enables (1) or disables (0) Touch ID for unlock.

     -a, --applepay
              Enables (1) or disables (0) Touch ID for ApplePay (user-specific
              configuration only).

     -c, --count
              Provides number of enrolled fingerprints of the current user or
              of all users (when run with -s as an administrator)

     -p, --purge
              Deletes all enrolled fingerprints of the current user or of all
              users (when run with -s as an administrator)

     -d, --delete
              Deletes all enrolled fingerprints of the user with given user ID
              (must be run as an administrator)

EXAMPLES
     bioutil -r
              Reads Touch ID configuration for the current user.

     bioutil -r -s
              Reads system-wide Touch ID configuration.

     bioutil -w -u 1
              Enables Touch ID for unlock for the current user.

     sudo bioutil -w -s -u 0
              Disables Touch ID for unlock for the whole system.

     bioutil -c
              Prints the number of enrolled fingerprints of the current user.

     bioutil -p
              Deletes all enrolled fingerprints of the current user.

     sudo bioutil -c -s
              Prints numbers of enrolled fingerprints of all enrolled users.

     sudo bioutil -p -s
              Deletes all fingerprints from the system.

     sudo bioutil -s -d 501
              Deletes all fingerprints of user 501.

Darwin                         February 19, 2017                        Darwin

@madscripter nice that it'll be manageable via Configuration Profiles too.

--
https://donmontalvo.com
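Pulling the two bioutil posts above together, here is an added example (written for this page, not posted by anyone in the thread) of how a Jamf admin might wrap bioutil in an extension attribute that reports whether system-wide Touch ID unlock is on, with an optional --enforce step that runs the man page's `sudo bioutil -w -s -u 0`. The label text "Touch ID for unlock:" that the parser matches on, and the SAMPLE_OUTPUT block, are assumptions constructed for the example, not captured from the thread. bioutil can also refuse the write (the "err = 0x1" Cornoir reports further down), so the script surfaces that instead of assuming success.

```shell
#!/bin/bash
# Added example: Jamf extension attribute / remediation around bioutil.
# Assumptions (not from the thread): the "Touch ID for unlock:" label in
# `bioutil -r -s` output, and that the script runs as root when enforcing.

# Print the numeric value of a labelled line from bioutil -r output (stdin).
# Exact label match, so "Touch ID for unlock" does not also match the
# "Effective Touch ID for unlock" line of per-user output.
bioutil_value() {  # $1 = label
    awk -F': *' -v label="$1" '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == label { gsub(/[^0-9]/, "", $2); print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Map system-wide bioutil output to Enabled / Disabled / Unknown.
touchid_unlock_state() {  # $1 = output of `bioutil -r -s`
    local v
    v=$(printf '%s\n' "$1" | bioutil_value "Touch ID for unlock") || { echo Unknown; return 0; }
    case "$v" in
        0) echo Disabled ;;
        1) echo Enabled ;;
        *) echo Unknown ;;
    esac
}

# Disable Touch ID for unlock system-wide (man page: sudo bioutil -w -s -u 0).
# bioutil may refuse ("Error occurred, err = 0x1" was reported in this thread
# on 10.12.4), so report the failure rather than assume success.
disable_touchid_unlock() {
    local out
    if out=$(bioutil -w -s -u 0 2>&1); then
        return 0
    fi
    echo "bioutil refused the write: $out" >&2
    return 1
}

main() {  # pass --enforce to remediate; otherwise only report
    local state
    state=$(touchid_unlock_state "$(bioutil -r -s 2>/dev/null)")
    if [ "$state" = "Enabled" ] && [ "${1:-}" = "--enforce" ]; then
        disable_touchid_unlock || true
        state=$(touchid_unlock_state "$(bioutil -r -s 2>/dev/null)")
    fi
    echo "<result>$state</result>"   # Jamf extension attribute output format
}

if command -v bioutil >/dev/null 2>&1; then
    main "$@"
else
    # No bioutil on this host: exercise the parser on constructed sample
    # output (made up for this example, not captured from a real Mac).
    SAMPLE_OUTPUT='System Touch ID configuration:
    Touch ID functionality: 1
    Touch ID for unlock: 1'
    echo "<result>$(touchid_unlock_state "$SAMPLE_OUTPUT")</result>"
fi
```

Deploy the same file twice in Jamf if you want both views: as an extension attribute (no argument) so inventory shows drift, and as a policy script with `--enforce` that re-applies the setting. Keep the report and the remediation separate in practice; an extension attribute that silently changes state makes the inventory lie about what it found.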

perrycj
Contributor III

@donmontalvo No problem! Glad it helped you out.

troy_rowe
New Contributor

After trying a bunch of different things, I ended up going up to the Spotlight search and typed "touch id". Touch ID prefs open up and it is now back in System Prefs. It was too easy, but worked. Hope it helps.

Cornoir
Contributor II

Just tried the following on a 10.12.4 system as root:

sudo bioutil -w -s -u 0

And received the following error:

Unable to perform the operation. Make sure that the configuration you want to set is valid.
Error occurred, err = 0x1

MacBook Pro 13" no MCX or other settings that would have affected it. I can get around it by hiding the Prefpane if need be or locking it with a mobileconfig. Used to work in 10.12.1 last I checked. Has anyone else experienced this error?

dalleyne
New Contributor

You should be able to restrict TouchID authentication with a configuration profile and a restrictions payload.

added in JAMF Pro 9.98

cgolebio
New Contributor III

While not ideal, until JAMF builds this into the preference restrictions, I was able to take all my disabled preferences and create a custom payload. Problem is that you cannot do a custom payload AND the System preferences payload through restrictions at the same time. So I just have Restrict items in System Preferences disabled in my restrictions payload in favor of this custom payload.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisabledPreferencePanes</key>
<array>
...
<string>com.apple.preferences.password</string>
...
</array>
</dict>
</plist>

Obviously don't include the ...; this is just where I have other items defined.

I was able to get the bundle ID from /System/Library/PreferencePanes/TouchID.prefPane/Contents/Info.plist and look for the CFBundleIdentifier.

Oh and if anyone is looking for the Wallet and Apple Pay and Siri bundle IDs, same method to finding applies.
com.apple.preferences.wallet
com.apple.preference.speech

Hope this helps someone.

SGill
Contributor III

I was able to disable TouchID storing fingerprints with the Configuration Profile checkbox shown above fine, but I'm still not able to kill off the new user setup dialog that asks a new AD profile user to attempt to add a fingerprint (which they won't be able to store).

Any ideas on disabling the login dialog for TouchID?

perrycj
Contributor III

@SGill Are you referring to the display dialog when you login for the first time?

cdev
Contributor III

@SGill You likely have other settings in your imaging/setup script that affect com.apple.SetupAssistant. Just add this:

/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeTouchIDSetup -bool YES

You can add that to existing users or the user template. If you have DEP enabled, there's an option to disable that screen there as well.

SGill
Contributor III

Thank you @cdev ...much appreciated!

vao
New Contributor III

Our team has not been able to suppress the Touch ID display dialogue/splash screen in Setup Assistant with DEP. We have selected the option in Pre-Enrollment within Casper but it seemingly does not do anything.

almonte32
New Contributor III

This works for all users to prevent the Setup Assistant; it needs to be run as root:

defaults write "/System/Library/User Template/English.lproj/Library/Preferences/com.apple.SetupAssistant.plist" DidSeeTouchIDSetup -bool YES

To disable Touch ID on the system it is:

bioutil -w -s -u 0;
bioutil -w -s -f 0;
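cdev's per-user `defaults write` and almonte32's user-template version cover new and current accounts separately. The following added example (not posted by either of them) applies the DidSeeTouchIDSetup key to the template and to every existing home under /Users in one root-run script, and also hands each written plist back to its owner: `defaults` run as root leaves a root-owned file in the user's Library/Preferences that the user's own processes can no longer update. The /Users layout, the root context and the sample tree used when not on macOS are assumptions for the example.

```shell
#!/bin/bash
# Added example: set DidSeeTouchIDSetup=YES for the user template (accounts
# created from now on) and for every existing account under /Users. The key
# and template path come from the thread; the rest is assumed for this script.

TEMPLATE_PLIST="/System/Library/User Template/English.lproj/Library/Preferences/com.apple.SetupAssistant.plist"

# List home directories under a users root, skipping Shared and non-directories.
user_homes() {  # $1 = users root (default /Users)
    local root="${1:-/Users}" d
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in Shared) continue ;; esac
        printf '%s\n' "$d"
    done
}

# Set the key for one account, then return the plist to the account owner:
# written as root it would otherwise stay root-owned and the user's own
# processes (cfprefsd on their behalf) could not rewrite it later.
mark_touchid_setup_seen() {  # $1 = home directory
    local home="$1" prefs="$1/Library/Preferences"
    mkdir -p "$prefs"
    /usr/bin/defaults write "$prefs/com.apple.SetupAssistant" DidSeeTouchIDSetup -bool YES
    chown "$(/usr/bin/stat -f '%u:%g' "$home")" "$prefs/com.apple.SetupAssistant.plist"
}

main() {
    /usr/bin/defaults write "$TEMPLATE_PLIST" DidSeeTouchIDSetup -bool YES
    while IFS= read -r home; do
        mark_touchid_setup_seen "$home"
    done < <(user_homes /Users)
}

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
    main
else
    # Not root on macOS (defaults and BSD stat -f are macOS-only): only show
    # which homes would be touched, using a constructed sample tree.
    demo=$(mktemp -d)
    mkdir -p "$demo/alice" "$demo/bob" "$demo/Shared"
    echo "would update:"
    user_homes "$demo"
    rm -rf "$demo"
fi
```

Run it once from a Jamf policy scoped to the machines that already have accounts; the template write alone is enough for Macs that are still to be enrolled.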