TouchID EA

Eskobar
Contributor

I would like to know how many are using TouchID to unlock their Macs.

My EA is working pretty well. However, I am not able to exclude those who have the fingerprint set but not used.


Any idea please?

5 REPLIES

DBrowning
Valued Contributor II

So are you looking to determine who have a finger enrolled but have TouchID to unlock disabled?

Eskobar
Contributor

I would like to know only the people using a fingerprint to unlock their macOS.

DBrowning
Valued Contributor II

I don't think you can get that granular from looking at the status. If you use bioutil -cs it will tell you which users have at least 1 finger enrolled.

$ sudo bioutil -cs
User 503: 2 fingerprint(s)
Operation performed successfully.

Jaykrishna1
Contributor II

Unfortunately, it is not possible to determine the number of users who have TouchID set up on their Macs, and whether they are using it to unlock their devices. This information is not typically stored in the configuration profiles or in management tools like Jamf.

However, you could potentially gather this information by conducting a survey or by collecting data manually. For example, you could ask users to indicate whether they have TouchID set up on their Macs and whether they are using it to unlock their devices. You could then compile this data to determine the number of users who are using TouchID to unlock their Macs.

Note: This is a manual process and the accuracy of the data collected will depend on the responses of the users.

SahilParmar
New Contributor

#!/bin/zsh

# This script will list all the users enrolled in Touch ID
# that have "unlock with fingerprint" enabled.

# First, check if the system even supports Touch ID.
# If not, bail out and report unsupported.

touchIDfunctionality=$(/usr/bin/bioutil -rs | grep "Touch ID functionality")

if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all the users over UID 500 and run 'bioutil' with sudo -u.
# Only capture users that have > 0 fingerprints registered,
# and finally confirm that they have enabled unlocking the Mac.

# Collect the UIDs that 'bioutil -c' reports with at least one fingerprint
# (lines look like "User 503: 2 fingerprint(s)").
tidEnrolledUsers=($(for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do /usr/bin/sudo -u "$i" /usr/bin/bioutil -c; done | awk '/User/ && !/: 0 fingerprint/ { sub(":", "", $2); print $2 }'))
tidUsersArray=()

for i in "${tidEnrolledUsers[@]}"
do
    # Map the UID back to a home folder name by exact match on the owner column,
    # so that e.g. 503 cannot match 5030 or a file size.
    tidUser=$(ls -lan /Users/ | awk -v uid="$i" '$3 == uid { print $9; exit }')
    [[ -z $tidUser ]] && continue
    # The unlock setting is the last field of the non-"Effective" unlock line.
    tidStatus=$(/usr/bin/sudo -u "$tidUser" /usr/bin/bioutil -r | awk '/unlock/ && !/Effective/ { print $NF }')
    [[ $tidStatus == "1" ]] && tidUsersArray+=("$tidUser")
done

# Finally, print the results!

if (( ${#tidUsersArray[@]} > 0 ))
then
    echo "<result>Active Users: ${tidUsersArray[*]}</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi