Touch ID Stopped Working after Enrollment

clearyma
New Contributor III

I enrolled a MacBook Air in our Jamf Pro instance, and prior to enrollment, the user unlocked the laptop with Touch ID. Now, Touch ID won't work. In my config profile, the "unlock with Touch ID" box is checked. I even excluded the LT from the profile, but it still doesn't work. The user is able to create a new fingerprint through the Touch ID panel in System Preferences, but at the login screen isn't prompted to use it. This is a 2018 MacBook Air, 10.14.5, and is bound in AD. I know there are other posts about AD bindings breaking Touch ID, but the LT was bound before the Jamf enrollment and Touch ID was working. Has anyone else experienced anything like this, or know of a way to fix it?



larry_barrett
Valued Contributor

After each reboot you are required to use the actual password. The Touch ID will work after first login (and then up until the next reboot).

Are you saying the Touch ID doesn't work at all, or just on the login screen?

clearyma
New Contributor III

@larry_barrett It doesn't work at the login screen. The user has logged out/in multiple times with their AD username/password, and even though Touch ID is set up in System Preferences, they aren't able to use it.

larry_barrett
Valued Contributor

What do your Touch ID settings look like? (System Preferences -> Touch ID)

clearyma
New Contributor III

@larry_barrett The box is checked for unlocking your Mac, but when the Mac goes to sleep, the user has to use their password every time. And after signing in, he'll go back to System Preferences > Touch ID, and the box is now unchecked. I don't have any policies or profiles scoped out to this machine that would be repeatedly unchecking the box and not allowing Touch ID sign-in, so I'm stumped.

larry_barrett
Valued Contributor


How about any configuration profiles (see photo) that restrict Allow Touch ID to unlock device? Even if you have 5 configurations that allow it, but one that does not, it would defer to the harshest restriction.

clearyma
New Contributor III

@larry_barrett I have one config profile scoped out to all devices. I had forgotten to check the "allow Touch ID to unlock this device" box at first, so I went back and checked it. Had the user retry, and it still didn't work. So I excluded his LT from the profile completely, and he is able to create the fingerprint in System Preferences, it just doesn't let him use it.

larry_barrett
Valued Contributor

What version of Jamf are you running?

clearyma
New Contributor III

@larry_barrett Version 10.14.0

larry_barrett
Valued Contributor

Try this one

The fingerprint is stored on the T2 chip, so you need to clear it out.

1. Remove the MDM profile.
2. Run: sudo bioutil -w -s -u 1
3. Re-add the MDM profile.

After that you should be able to add the fingerprint back and it should work.

I've never tested this but I'm interested in the answer.
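The three-step procedure above, wrapped in a small script (added here as an example; it is not larry_barrett's or Jamf's code): it reads the system-wide Touch ID unlock setting with `bioutil -r -s` and only runs the `bioutil -w -s -u 1` write when that setting is off, so it can be re-run safely after the MDM profile is re-added. The `Touch ID for unlock: N` line format the parser expects is an assumption about bioutil's output, and the SAMPLE_OFF text is constructed; compare it against real `bioutil -r -s` output on your build before relying on it. The `-s` flag needs root, so run it with sudo and with RUN_TOUCHID_CHECK=1 set.

```shell
#!/bin/sh
# Added example, not code from the original thread: check the system-wide
# Touch ID unlock setting that `bioutil -w -s -u 1` writes, and re-enable it
# only when it is off. The parsing is kept in its own function so it can be
# exercised on constructed text without bioutil present.

# Parse a "Touch ID for unlock: N" line out of `bioutil -r -s` output.
# ASSUMPTION: this line format; adjust to what your macOS build prints.
# Prints 1 or 0, or "unknown" when the line is absent.
touchid_unlock_state() {
    printf '%s\n' "$1" | awk -F': *' '
        tolower($1) ~ /^[[:space:]]*touch id for unlock$/ { print $2+0; found=1; exit }
        END { if (!found) print "unknown" }'
}

# Decide what to do from the parsed state:
#   "ok"      unlock already enabled, nothing to write
#   "enable"  unlock disabled, run the write
#   "inspect" output not understood, show it to a human instead of writing
touchid_action() {
    case "$(touchid_unlock_state "$1")" in
        1) echo ok ;;
        0) echo enable ;;
        *) echo inspect ;;
    esac
}

# Constructed sample in the assumed format (not captured from a real Mac).
SAMPLE_OFF='System Touch ID configuration:
    Touch ID for unlock: 0
    Touch ID for ApplePay: 1'

main() {
    if ! command -v bioutil >/dev/null 2>&1; then
        echo "bioutil not found: this step only runs on macOS" >&2
        exit 1
    fi
    # -s operates on system-wide settings and needs root, hence sudo.
    current="$(bioutil -r -s 2>/dev/null)"
    case "$(touchid_action "$current")" in
        ok)      echo "System Touch ID unlock is already enabled" ;;
        enable)  echo "Enabling system Touch ID unlock"; bioutil -w -s -u 1 ;;
        inspect) echo "Could not parse bioutil output:"; printf '%s\n' "$current" ;;
    esac
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ -n "${RUN_TOUCHID_CHECK:-}" ]; then
    main "$@"
fi
```

Usage on the affected Mac, after removing and re-adding the MDM profile: `sudo RUN_TOUCHID_CHECK=1 sh touchid_check.sh`, then re-enroll the fingerprint in System Preferences > Touch ID.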

clearyma
New Contributor III

@larry_barrett That did the trick, thanks!