Jamf Nation Community

rohan_aghi · ‎04-20-2018

Hey there! Probing this community to see if anyone else experienced this issue and how it was solved.

We've got a few computers, that for an unknown reason, appear to have their Touch ID undoing itself from allowing computer unlock. The Configuration Profile is currently set to allow Touch ID unlock. This is intermittent across our organization, with a large portion of people who are unaffected.

But those that are affected, the only step I've seen help is rebuilding the entire OS. Apple was unable to provide details on where this plist regarding TouchID is located, and I suspect an interference with SIP is why it's unable to reauthorize the new settings.

I've blasted away /Library/Managed Preferences/, and I would like to know a solution other than reinstalling the OS, if anyone here was able to solve it in a cleaner manner!

DBrowning · ‎04-27-2018

@rohan.aghi Try running bioutil -w -s -u 1 in terminal or via jamf.

It will clear out any enrolled fingers, but then will allow you to reenroll and unlock will stay active.

Had the same issue.

View solution in original post

DBrowning · ‎04-23-2018

@rohan.aghi , If I understand correctly, what you are seeing is the following: User enrolls finger printer, enables unlock Mac. You close out of the System Prefs window, and open back up unlock Mac is now disabled?

kiwillia · ‎04-25-2018

@rohan.aghi I am also experiencing this issue. Touch ID has worked in the past but stopped. In "System Preference" -> "Touch ID", the option for "Unlocking your Mac" is greyed out. The configuration profile is set to allow Touch ID to unlock.

Did you find a resolution?

rpcuenco · ‎04-26-2018

Also experiencing this issue with a majority of our Touch Bar machines. We started experiencing symptoms after recovering from an unrelated issue when making a minor change to a configuration profile which inadvertently locked down most functions, including the ability to unlock using Touch ID. Our current configuration profile confirms that Touch ID unlock is allowed.

Short list of attempted resolutions:
- SMC reset
- PRAM reset
- Remove /Library/Managed Preferences/
- Remove Profiles
- Remove JAMF
- In-place upgrade (re-install macOS over existing install using USB)

rohan_aghi · ‎04-27-2018

@ddcdennisb, correct. It will allow the option to select it, and then undo when the screen for Touch ID is left.

@kiwillia, Currently, I have not. The case I had with JAMF Support suggested updating to 10.3.1 and attempt again. I suspect the error will not be resolved from updating the JSS. I will be reopening a new case for assistance to determine a resolution other than re-imaging.

@rplendup, I too have tried all these steps as well, to no avail.

DBrowning · ‎04-27-2018

@rohan.aghi Try running bioutil -w -s -u 1 in terminal or via jamf.

It will clear out any enrolled fingers, but then will allow you to reenroll and unlock will stay active.

Had the same issue.

rohan_aghi · ‎04-27-2018

@ddcdennisb, I will try this on a computer shortly and let you know the results.

rohan_aghi · ‎04-27-2018

Result!

Uninstallation of the MDM profile needs to be done first, then running bioutil -w -s -u 1, and then reinstallation of MDM. It will work like a charm. Thank you so much @ddcdennisb and everyone who assisted!

rpcuenco · ‎04-30-2018

Confirmed working fix! Thanks @ddcdennisb!

ooshnoo · ‎06-07-2018

Thanks for this. Does anyone know if this is a Jamf issue or an Apple / OS issue?

rohan_aghi · ‎06-18-2018

@ooshnoo, What I believe it is is a permissions issue with SIP and JAMF's binary. It basically allows it to change it's status to not allowing Touch ID and then it no longer has the permissions to adjust it back.

ooshnoo · ‎07-14-2018

never mind

CasperSally · ‎10-29-2019

JAMF PI-005832 for anyone following along. Doesn't sound like they're actively working on it, so if you're bothered by issue, might want to report it to add impact.

Jamf Nation Community

Touch ID resetting to not unlock despite Policy saying otherwise