Touch ID resetting to not unlock despite Policy saying otherwise

rohan_aghi
New Contributor II

Hey there! Probing this community to see if anyone else experienced this issue and how it was solved.

We've got a few computers that, for an unknown reason, appear to have their Touch ID undoing itself from allowing computer unlock. The Configuration Profile is currently set to allow Touch ID unlock. This is intermittent across our organization, with a large portion of people who are unaffected.

But for those that are affected, the only step I've seen help is rebuilding the entire OS. Apple was unable to provide details on where this plist regarding Touch ID is located, and I suspect an interference with SIP is why it's unable to reauthorize the new settings.

I've blasted away /Library/Managed Preferences/, and I would like to know a solution other than reinstalling the OS, if anyone here was able to solve it in a cleaner manner!

1 ACCEPTED SOLUTION

DBrowning
Valued Contributor II

@rohan.aghi Try running bioutil -w -s -u 1 in terminal or via jamf.

It will clear out any enrolled fingers, but then will allow you to reenroll and unlock will stay active.

Had the same issue.

12 REPLIES

DBrowning
Valued Contributor II

@rohan.aghi, if I understand correctly, what you are seeing is the following: the user enrolls a fingerprint and enables unlock Mac. You close out of the System Prefs window, and when you open it back up, unlock Mac is now disabled?

kiwillia
New Contributor II

@rohan.aghi I am also experiencing this issue. Touch ID has worked in the past but stopped. In "System Preference" -> "Touch ID", the option for "Unlocking your Mac" is greyed out. The configuration profile is set to allow Touch ID to unlock.

Did you find a resolution?

rpcuenco
New Contributor II

Also experiencing this issue with a majority of our Touch Bar machines. We started experiencing symptoms after recovering from an unrelated issue when making a minor change to a configuration profile which inadvertently locked down most functions, including the ability to unlock using Touch ID. Our current configuration profile confirms that Touch ID unlock is allowed.

Short list of attempted resolutions:
- SMC reset
- PRAM reset
- Remove /Library/Managed Preferences/
- Remove Profiles
- Remove JAMF
- In-place upgrade (re-install macOS over existing install using USB)

rohan_aghi
New Contributor II

@ddcdennisb, correct. It will allow the option to select it, and then undo when the screen for Touch ID is left.

@kiwillia, currently, I have not. The case I had with JAMF Support suggested updating to 10.3.1 and attempting again. I suspect the error will not be resolved from updating the JSS. I will be reopening a new case for assistance to determine a resolution other than re-imaging.

@rplendup, I too have tried all these steps as well, to no avail.

DBrowning
Valued Contributor II

@rohan.aghi Try running bioutil -w -s -u 1 in terminal or via jamf.

It will clear out any enrolled fingers, but then will allow you to reenroll and unlock will stay active.

Had the same issue.

rohan_aghi
New Contributor II

@ddcdennisb, I will try this on a computer shortly and let you know the results.

rohan_aghi
New Contributor II

Result!

Uninstallation of the MDM profile needs to be done first, then running bioutil -w -s -u 1, and then reinstallation of MDM. It will work like a charm. Thank you so much @ddcdennisb and everyone who assisted!

rpcuenco
New Contributor II

Confirmed working fix! Thanks @ddcdennisb!

ooshnoo
Valued Contributor

Thanks for this. Does anyone know if this is a Jamf issue or an Apple / OS issue?

rohan_aghi
New Contributor II

@ooshnoo, what I believe it is, is a permissions issue with SIP and JAMF's binary. It basically allows it to change its status to not allowing Touch ID and then it no longer has the permissions to adjust it back.

ooshnoo
Valued Contributor

never mind

CasperSally
Valued Contributor II

JAMF PI-005832 for anyone following along. Doesn't sound like they're actively working on it, so if you're bothered by the issue, you might want to report it to add impact.