Touch ID login - Disabled and now we want to enable it

Captainamerica
Contributor II

We had a config profile for Touch ID that disabled it.
Now that login for this is approved and I try to enable it, it does not work. Users can make their fingerprint, but when trying to log in there is no fingerprint login option available, so it seems that it is still disabled.

If I try to run bioutil -w -s -u 1, it says that the profile must first be removed.

Is there some way this can be made more sneaky, without me having to remove the user from the configuration profile, then afterwards run bioutil -w -s -u 1, and then afterwards enable the configuration profile again?


sshort
Valued Contributor

So the goal is to enable Touch ID, yes? If your configuration profile is targeted to just disable Touch ID, then just remove the profile from the Mac by removing it from scope in Jamf. Once the profile is removed, then your users can enable Touch ID for unlocking the Mac in System Preferences (or you can create a policy using bioutil to enable this for your users).

If your Touch ID setting is bundled as part of a larger profile with additional security settings, then you should consider splitting apart that profile so that all of your other preferred settings remain, with just Touch ID removed.

From your description I'm not sure why you would re-install the profile after you run bioutil because if disabling Touch ID is part of the profile, it will just disable it again if you reinstall that same profile on your Macs.

jameson
Contributor II

I just used the “Restriction” policy in the configuration profile, where there is one “Allow Touch ID for login”.

I actually have made more profiles with different settings adjusted to different scopes.

So even if one config profile has not checked Allow Touch ID, then if another config profile has it allowed, which one of them will “win” if some users are in scope for both config profiles?

jameson
Contributor II

Sorry for hijacking the thread a bit.

sshort
Valued Contributor

@jameson The more restrictive setting will always "win." So if you have 1 profile with it allowed, and another set to disable, it will be disabled.
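An added example, not part of the original thread: a small Python check that applies the "most restrictive wins" rule from the reply above to a set of exported profiles and names the ones that disable Touch ID unlock. It assumes the Restrictions checkbox is stored as the `allowFingerprintForUnlock` key in a `com.apple.applicationaccess` payload; the profile names and the `make_profile` helper are constructed for illustration.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"   # Restrictions payload type
KEY = "allowFingerprintForUnlock"              # assumed key behind the Touch ID checkbox


def make_profile(name, allow):
    """Build a constructed sample .mobileconfig; allow=None leaves the key unset."""
    payload = {"PayloadType": RESTRICTIONS, "PayloadIdentifier": "example." + name}
    if allow is not None:
        payload[KEY] = allow
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    })


def touch_id_settings(raw):
    """Return (profile name, list of explicit Touch ID values found in it)."""
    profile = plistlib.loads(raw)
    values = [
        p[KEY]
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == RESTRICTIONS and KEY in p
    ]
    return profile.get("PayloadDisplayName", "<unnamed>"), values


def effective_touch_id(profiles):
    """Most restrictive wins: one explicit False disables Touch ID unlock.

    Returns (allowed, names of the profiles that block it). A profile that
    does not set the key is treated as not restricting it (assumption).
    """
    blockers = []
    for raw in profiles:
        name, values = touch_id_settings(raw)
        if any(v is False for v in values):
            blockers.append(name)
    return (not blockers, blockers)


if __name__ == "__main__":
    installed = [                      # constructed sample data
        make_profile("Baseline-Restrictions", False),
        make_profile("TouchID-Allowed", True),
        make_profile("Other-Restrictions", None),
    ]
    print(effective_touch_id(installed))
```

Running it over the profiles scoped to a given Mac shows which one has to be removed from scope or split before Touch ID can be enabled.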

Captainamerica
Contributor II

Actually, that is a good question, Jameson.

In configuration profiles under the restriction payload I have different settings for different user scopes. Is it possible to make a custom config profile for each setting inside the restriction, so I don't have to use the restriction at all but instead use my own default settings?