
Hi,

Has anyone yet figured out a way to write an extension attribute to report whether a device is Touch ID-capable or not?

bioutil does not seem to give any indication of capability, regardless of whether it's run on a Touch ID-capable device or not. There doesn't seem to be anything returned by system_profiler to indicate it either. Struggling to find anything that could be leveraged...

Cheers
Dan

Here's a great reference that should do what you're looking for:

http://www.modtitan.com/2016/12/ea-for-detecting-if-mac-has-touch-bar.html


So I don't know the exact key for the Touch ID sensor... I could dig around and find it.

The above will work until Apple decides to release external Touch Bars.


That being said... you can apply policies that have Touch ID payloads to machines that don't have it, and the machine won't do anything about it.


@dfarnworth_barc I know this is "a bit" old now, but you can use this one-liner to detect if the Mac is Touch ID enabled.

/usr/libexec/PlistBuddy -c "print :$(sysctl -n hw.model):_LOCALIZABLE_:description" /System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/English.lproj/SIMachineAttributes.plist | grep -oc "Touch ID"

It will return 1 if Touch ID is available and 0 if not. So far it works on all Mac models, including the MacBook Air with Touch ID.

Hope it helps.

Kamal


Good post @greatkemo, I am going to try this one out.

For anyone else, another option is:

Smart Group with Model Identifier > Is > #VALUE

VALUES

MacBookPro15,4
MacBookPro15,3
MacBookPro15,2
MacBookPro15,1
MacBookPro14,3
MacBookPro14,2
MacBookPro13,3
MacBookPro13,2


#!/bin/zsh

# EA: is "unlock with Touch ID" switched on system-wide?
# Take the value after the colon rather than a fixed awk field, so the line
# matches whether macOS prints "Touch ID for unlock: 1" (older releases)
# or "Biometrics for unlock: 1" (newer releases).
UnlockmymacStatus=$(bioutil -rs 2>/dev/null | awk -F': ' '/unlock/ && !/Effective/ {print $2; exit}')
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"


#!/bin/zsh

# EA: does the system report a working Touch ID sensor at all?
# Same value-after-the-colon trick: "Touch ID functionality: 1" or
# "Biometrics functionality: 1" both yield "1".
TouchIDStatus=$(bioutil -rs 2>/dev/null | awk -F': ' '/functionality/ {print $2; exit}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"

For anyone who comes across this post, I did some testing and I had the most success using @txhaflaire's solution. My only modification was changing the replies to include Yes/No responses, which makes Smart Group searches easier: I can see whether it's running, and my query uses a "like" filter on a "yes" response.

#!/bin/zsh

# Value after the colon on the "... functionality" line, so either the
# "Touch ID" or the "Biometrics" wording works. Nothing else may be printed
# before the <result> tag, or the EA value is polluted.
TouchIDStatus=$(bioutil -rs 2>/dev/null | awk -F': ' '/functionality/ {print $2; exit}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Yes - Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Yes - Enabled"
else
    result="No TouchID found"
fi
echo "<result>$result</result>"
exit 0

Sample output on a Mac without a sensor:

<result>No TouchID found</result>

Here is what I set up for my org a few months ago; it works nicely.

#!/bin/zsh

# Value after the colon on the "... functionality" line ("Touch ID functionality: 1"
# on older macOS, "Biometrics functionality: 1" on newer releases).
TouchIDStatus=$(bioutil -rs 2>/dev/null | awk -F': ' '/functionality/ {print $2; exit}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"

I took this a step further to identify not just whether Touch ID is available or enabled, but also who has enabled Touch ID on a given system. The script outputs to a bash array, since technically more than one user can enroll in it. First I check for who has >0 fingerprints enrolled and grab the UID. Then I translate UID to username for sudo -u. The reason we have to do this is because bioutil -rs gives the system-wide status of Touch ID, and it may differ from the user-level status from bioutil -r. For instance, if I uncheck the box to unlock my Mac, bioutil -rs will show "enabled: 1" but bioutil -r run as the specific user will show "enabled: 0".

GitHub link: https://github.com/bradtchapman/uselessJamfScripts/blob/master/touch-id-enrolled-users-ea.sh

#!/bin/zsh

# This script will list all the users enrolled in Touch ID
# that have "unlock with fingerprint" enabled.

# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.
# Newer macOS prints "Biometrics functionality" where older releases print
# "Touch ID functionality", so accept either wording.

touchIDfunctionality=$(/usr/bin/bioutil -rs 2>/dev/null | grep -E "(Touch ID|Biometrics) functionality")

if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all the users over UID 500 and run 'bioutil' with sudo -u .
# Only capture users that have > 0 fingerprints registered,
# and finally confirm that they have enabled unlocking the Mac.
# 'bioutil -c' prints "User <uid>: <n> fingerprint(s)"; keep the UIDs with n > 0.

tidEnrolledUsers=($(for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do sudo -u "$i" /usr/bin/bioutil -c 2>/dev/null; done | awk '/User/ && !/ 0 fingerprint/ { sub(":", "", $2); print $2 }'))
tidUsersArray=()

for i in ${tidEnrolledUsers[@]}
do
    # Translate the UID back to the home-directory owner's name with an exact
    # match on the UID column (a substring grep would let 501 match 5010 or a date).
    tidUser=$(ls -lan /Users/ | awk -v uid="$i" '$3 == uid { print $9; exit }')
    # Per-user setting: the value after the colon on the "... for unlock" line,
    # skipping the "Effective ..." line, for either the "Touch ID" or "Biometrics" wording.
    tidStatus=$(/usr/bin/sudo -u "$tidUser" /usr/bin/bioutil -r 2>/dev/null | awk -F': ' '/unlock/ && !/Effective/ { print $2; exit }')
    [[ $tidStatus == "1" ]] && tidUsersArray+=("$tidUser")
done

# Finally, print the results!

if [[ -n $tidUsersArray ]]
then
    echo "<result>Active Users: $tidUsersArray</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi

Kudos to my wife (a fellow Mac admin) who simply asked the question and inspired me to make this.


Just a note for the above EAs... these will only show you the status of the Touch ID configuration and not whether a fingerprint is enrolled. E.g., if a user enrolls a fingerprint, sets the config (unlock, Apple Pay, etc.) and then removes the fingerprint later, the EAs above will still show as enabled. To show whether a fingerprint is enrolled you will need the result from the bioutil -c -s command as well.




Thanks Brad! This is exactly what I was looking for. However, I am testing with a handful of machines where I know Touch ID has been enabled for at least one user to unlock the Mac, but it's still reporting "Not Enabled for Unlock". I'm trying to debug now, but I'm running into a wall. Any ideas?




The script now errors, as the check is for "Touch ID functionality".
The grep shows this is now "Biometrics functionality".
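
An added example, not code from any post in this thread, that ties together three points made above: the system-wide bioutil -rs setting can say 1 while the user's own bioutil -r says 0 (Brad's post), an "enabled" configuration says nothing about whether a fingerprint is actually enrolled, so bioutil -c has to be read as well (the note on enrollment), and newer macOS labels the lines "Biometrics ..." rather than "Touch ID ..." (the post just above). The parser takes the value after the colon instead of counting awk fields, so the same code handles both wordings. It is written as POSIX sh so the functions can be exercised on sample text; the SAMPLE_* strings are constructed from the field layouts the scripts in this thread assume, not captured from a Mac, and the use of stat -f '%Su' /dev/console to pick the user to query is this example's own choice.

```shell
#!/bin/sh
# Added example, not code from this thread. It parses the three bioutil views
# the posts above rely on (-rs system config, -r per-user config, -c fingerprint
# count) by taking the value after the colon, so it works whether the line says
# "Touch ID for unlock: 1" (older macOS) or "Biometrics for unlock: 1" (Sequoia).
# The SAMPLE_* strings are constructed from the field layouts the thread's scripts
# assume; they are not captured output.

# bio_value TEXT KEYWORD
# Prints the number after the colon on the first line whose label contains
# KEYWORD and is not the "Effective ..." line; prints nothing if no such line.
bio_value() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '
        index($1, key) && $1 !~ /Effective/ { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# fingerprint_count TEXT
# Parses a "User 501: 2 fingerprints" line from `bioutil -c`; prints 0 if absent.
fingerprint_count() {
    printf '%s\n' "$1" | awk '/^User [0-9]+:/ { n = $3 + 0 } END { print n + 0 }'
}

# touch_id_state SYSTEM_TEXT USER_TEXT COUNT_TEXT
# Combines the system setting, the user's own setting and enrollment into one
# EA value. A config that is "enabled" with no fingerprints is reported as such,
# which is the case a plain "functionality: 1" check cannot see.
touch_id_state() {
    sys_func=$(bio_value "$1" "functionality")
    sys_unlock=$(bio_value "$1" "unlock")
    user_unlock=$(bio_value "$2" "unlock")
    count=$(fingerprint_count "$3")

    if [ -z "$sys_func" ]; then
        echo "Unsupported"              # no sensor: bioutil -rs printed no functionality line
    elif [ "$sys_func" != "1" ] || [ "$sys_unlock" != "1" ]; then
        echo "Disabled by system"
    elif [ "$user_unlock" != "1" ]; then
        echo "Disabled by user"         # bioutil -rs says 1, bioutil -r for the user says 0
    elif [ "$count" = "0" ]; then
        echo "Enabled, no fingerprints enrolled"
    else
        echo "Enabled, $count fingerprint(s) enrolled"
    fi
}

# --- constructed sample outputs (both wordings), not real captures ---
SAMPLE_RS_NEW='System Touch ID configuration:
    Biometrics functionality: 1
    Biometrics for unlock: 1
    Biometrics for ApplePay: 1'
SAMPLE_RS_OLD='System Touch ID configuration:
    Touch ID functionality: 1
    Touch ID for unlock: 1'
SAMPLE_R_USER_OFF='User Touch ID configuration:
    Biometrics for unlock: 0
    Biometrics for ApplePay: 1
    Effective biometrics for unlock: 0'
SAMPLE_R_USER_ON='User Touch ID configuration:
    Touch ID for unlock: 1
    Effective Touch ID for unlock: 1'
SAMPLE_C_TWO='User 501: 2 fingerprints'
SAMPLE_C_NONE='User 502: 0 fingerprints'

# On a Mac, run as root (as a Jamf EA is), query the console user for real;
# anywhere else, exercise the parser on the constructed samples.
if [ "$(id -u)" -eq 0 ] && [ -x /usr/bin/bioutil ]; then
    console_user=$(stat -f '%Su' /dev/console)   # assumption: a user is logged in when the EA runs
    rs=$(/usr/bin/bioutil -rs 2>/dev/null)
    r=$(/usr/bin/sudo -u "$console_user" /usr/bin/bioutil -r 2>/dev/null)
    c=$(/usr/bin/sudo -u "$console_user" /usr/bin/bioutil -c 2>/dev/null)
    echo "<result>$(touch_id_state "$rs" "$r" "$c")</result>"
else
    echo "<result>$(touch_id_state "$SAMPLE_RS_NEW" "$SAMPLE_R_USER_OFF" "$SAMPLE_C_TWO")</result>"
fi
```

Run as root on a Mac it queries the console user; run anywhere else it classifies the samples, which is a cheap way to confirm the parsing before shipping it as an EA. The default sample deliberately reproduces the case from Brad's post: the system line says 1, the user's own line says 0, so the result is "Disabled by user" even though two fingerprints are enrolled.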


Hey all, long-time viewer, first-time poster ;P ... I modified bradtchapman's script as it was not working for me, so I had to ChatGPT a bit to tweak a few things. Below is what I came up with.

The 2 EDITS I made:

* Line 9, I changed the GREP to look for "Biometrics functionality" instead of "Touch ID functionality"

* Line 27: I had to change the awk filter after "Effective" from "print $5" to "print $4"

That seemed to get it to work on my M2 MacBook Pro on Sequoia 15.0. 

I suppose there are some other cosmetic and wording improvements I could make, but "workable functionality" was the first goal.

#!/bin/zsh

# This script will list all the users enrolled in Touch ID
# that have "unlock with fingerprint" enabled.

# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.

touchIDfunctionality=$(/usr/bin/bioutil -rs | grep "Biometrics functionality")

if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all the users over UID 500 and run 'bioutil' with sudo -u .
# Only capture users that have > 0 fingerprints registered,
# and finally confirm that they have enabled unlocking the Mac.

tidEnrolledUsers=($(for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do sudo -u $i /usr/bin/bioutil -c; done | awk '/User/ && !/0 fingerprint/ { print $0 }' | awk '{ print $2 }' | sed "s_:__g" ))
tidUsersArray=()

for i in ${tidEnrolledUsers[@]}
do
    tidUser=$(ls -lan /Users/ | grep "$i" | awk 'BEGIN { RS="" ; FS="\n" } { print $1 }' | awk '{ print $9 }')
    tidStatus=$(/usr/bin/sudo -u "$tidUser" /usr/bin/bioutil -r | awk '/unlock/ && !/Effective/ { print $4 }')
    [[ $tidStatus == "1" ]] && tidUsersArray+=("$tidUser")
done

# Finally, print the results!

if [[ -n $tidUsersArray ]]
then
    echo "<result>Active Users: $tidUsersArray</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi




Hmmmm... I see now that this code seems to result in just a list of all accounts on the machine, so that's really not what I want. I asked ChatGPT for some improvements and it suggested the below. But it still shows "Active Users with Touch ID Enabled for Unlock:", and the data returned is just a list of all usernames on the machine.





Update on this: I do believe the following code is a good improvement. I've tested on a couple of different machines now and it seems to respond with the usernames of only those who have Touch ID enabled.

#!/bin/zsh

# This script will list all the users enrolled in Touch ID that have "unlock with fingerprint" enabled.
# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.
touchIDfunctionality=$(/usr/bin/bioutil -rs | grep "Biometrics functionality")

if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all users with UID > 500 (regular users, not system users)
# Check if they have fingerprints enrolled using 'bioutil'
tidEnrolledUsers=($(
    for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do
        # Check if the user has a fingerprint enrolled and has logged in before
        if [[ -d /Users/$i ]] && [[ -n $(last | grep "$i") ]]; then
            if sudo -u $i /usr/bin/bioutil -c 2>/dev/null | grep -q "User" && sudo -u $i /usr/bin/bioutil -c 2>/dev/null | grep -v "0 fingerprint"; then
                echo $i
            fi
        fi
    done
))

tidUsersArray=()
# For each user, check if unlocking the Mac with Touch ID is enabled
for i in ${tidEnrolledUsers[@]}
do
    # Extract the output and check if the user has Touch ID enabled for unlocking
    tidStatus=$(sudo -u "$i" /usr/bin/bioutil -r 2>/dev/null | grep -q "Biometrics for unlock: 1")
    # If Touch ID is enabled for unlocking, add the user to the result array
    if [[ $? -eq 0 ]]; then
        tidUsersArray+=("$i")
    fi
done

# Finally, print the results!
if [[ -n $tidUsersArray ]]
then
    echo "<result>Active Users with Touch ID Enabled for Unlock: ${tidUsersArray[@]}</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi

Posting the script from @jmnugent's last post, which does work on macOS Sequoia, formatted for legibility:

#!/bin/zsh

# This script will list all the users enrolled in Touch ID that have "unlock with fingerprint" enabled.
# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.
# (Sequoia prints "Biometrics functionality"; older releases print "Touch ID functionality".)
touchIDfunctionality=$(/usr/bin/bioutil -rs 2>/dev/null | grep -E "(Touch ID|Biometrics) functionality")

if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all users with UID > 500 (regular users, not system users)
# Check if they have fingerprints enrolled using 'bioutil'
tidEnrolledUsers=($(
    for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do
        # Check if the user has a fingerprint enrolled and has logged in before
        if [[ -d /Users/$i ]] && last | grep -q "$i"; then
            # Run bioutil -c once and test its output quietly: a non-quiet grep here
            # would leak "User 501: 2 fingerprints" into the array next to the username.
            fpCount=$(sudo -u "$i" /usr/bin/bioutil -c 2>/dev/null)
            if printf '%s\n' "$fpCount" | grep "^User" | grep -qv " 0 fingerprint"; then
                echo "$i"
            fi
        fi
    done
))

tidUsersArray=()
# For each user, check if unlocking the Mac with Touch ID is enabled
for i in ${tidEnrolledUsers[@]}
do
    # Check the user's own "... for unlock" line (not the "Effective ..." line);
    # accept either the "Touch ID" or the "Biometrics" wording.
    if sudo -u "$i" /usr/bin/bioutil -r 2>/dev/null | grep -v "Effective" | grep -Eq "(Touch ID|Biometrics) for unlock: 1"; then
        # Touch ID is enabled for unlocking, so add the user to the result array
        tidUsersArray+=("$i")
    fi
done

# Finally, print the results!
if [[ -n $tidUsersArray ]]
then
    echo "<result>Active Users with Touch ID Enabled for Unlock: ${tidUsersArray[@]}</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi


This isn’t working properly for me. It lists some computers but not most. Need to spend time troubleshooting.


Since we started upgrading our Macs to Tahoe and resolved the inventory issues, the script seems to be working.