TouchID Extension Attribute

dfarnworth_b
New Contributor III

Hi,

Has anyone yet figured a way to write an extension attribute to report whether a device is TouchID capable or not?

bioutil does not seem to give any indication of capability regardless whether it's run on a TouchID capable device or not. There doesn't seem to be anything returned by system_profiler to indicate. Struggling to find anything that could be leveraged...

Cheers
Dan


KrisMallory
New Contributor III

Here's a great reference that should do what you're looking for:

http://www.modtitan.com/2016/12/ea-for-detecting-if-mac-has-touch-bar.html

rderewianko
Valued Contributor II

So I don't know the exact key for the touchid sensor... I could dig around and find it.

The above will work until apple decides they're releasing external touchbars..

rderewianko
Valued Contributor II

That being said... You can apply policies that have touch id payloads to machines that don't and the machine won't do anything about it.

greatkemo
Contributor II

@dfarnworth_barc I know this is "a bit" old now, but you can use this one liner to detect if the Mac is Touch ID enabled.

/usr/libexec/PlistBuddy -c "print :$(sysctl -n hw.model):_LOCALIZABLE_:description" /System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/English.lproj/SIMachineAttributes.plist | grep -oc "Touch ID"

It will return 1 if touch id is available and 0 if not. So far it works on all mac models including MacBook Air with touch id.

Hope it helps.

Kamal

sbirdsley
Contributor

Good post @greatkemo I am going to try this one out

For anyone else another option is

Smart Group with Model Identifier > Is > #VALUE

VALUES

MacBookPro15,4
MacBookPro15,3
MacBookPro15,2
MacBookPro15,1
MacBookPro14,3
MacBookPro14,2
MacBookPro13,3
MacBookPro13,2

ThijsX
Valued Contributor
#!/bin/zsh

UnlockmymacStatus=`bioutil -rs | grep unlock | awk '{print $5}'`
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

#!/bin/zsh

TouchIDStatus=`bioutil -rs | grep functionality | awk '{print $4}'`
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

easyedc
Valued Contributor II

For anyone who comes across this post, I did some testing and I had the most success using @txhaflaire's solution. My only modification was changing the replies to include Yes/No responses in order to make some Smart Group searches easier so that I could both see whether it's running and then my query looks for "like" filter with a "yes" response.

#!/bin/zsh

TouchIDStatus=`bioutil -rs | grep functionality | awk '{print $4}'`
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Yes - Disabled"
elif [[ "$TouchIDStatus" = "1"  ]]; then
    result="Yes - Enabled"
else 
    result="No TouchID found"
fi
# Only the <result> tag should reach stdout; on a Mac without Touch ID this prints
# <result>No TouchID found</result>
echo "<result>$result</result>"
exit 0

bilal_habib
New Contributor III

Here is what i setup for my org a few months ago, works nicely

#!/bin/zsh

TouchIDStatus=`bioutil -rs | grep functionality | awk '{print $4}'`
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

bradtchapman
Valued Contributor II

I took this a step further to identify not just whether Touch ID is available or enabled, but also who has enabled Touch ID on a given system. The script outputs to a bash array, since technically more than one user can enroll in it. First I check for who has >0 fingerprints enrolled and grab the UID. Then I translate UID to username for sudo -u. The reason we have to do this is because bioutil -rs gives system-wide status of Touch ID, and it may differ from the user-level status of Touch ID, bioutil -r. For instance, if I uncheck the box to unlock my Mac, bioutil -rs will show "enabled: 1" but bioutil -r run as the specific user will show "enabled: 0".

GitHub link: https://github.com/bradtchapman/uselessJamfScripts/blob/master/touch-id-enrolled-users-ea.sh

#!/bin/zsh

# This script will list all the users enrolled in Touch ID
# that have "unlock with fingerprint" enabled.

# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.

touchIDfunctionality=$(/usr/bin/bioutil -rs | grep "Touch ID functionality")

if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all the users over UID 500 and run 'bioutil' with sudo -u .
# Only capture users that have > 0 fingerprints registered,
# and finally confirm that they have enabled unlocking the Mac.

tidEnrolledUsers=($(for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do sudo -u "$i" /usr/bin/bioutil -c; done | awk '/User/ && !/0 fingerprint/ { print $2 }' | sed "s_:__g"))
tidUsersArray=()

for i in ${tidEnrolledUsers[@]}
do
    # Map the UID reported by bioutil back to the account name (exact match on the uid column of ls -lan)
    tidUser=$(ls -lan /Users/ | awk -v uid="$i" '$3 == uid { print $9; exit }')
    # Per-user status: the "Touch ID for unlock" line, not the "Effective unlock" line
    tidStatus=$(/usr/bin/sudo -u "$tidUser" /usr/bin/bioutil -r | awk '/unlock/ && !/Effective/ { print $5 }')
    [[ $tidStatus == "1" ]] && tidUsersArray+=("$tidUser")
done

# Finally, print the results!

if [[ -n $tidUsersArray ]]
then
    echo "<result>Active Users: $tidUsersArray</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi

Kudos to my wife (a fellow Mac admin) who simply asked the question and inspired me to make this.

Thanks Brad! This is exactly what I was looking for. However, I am testing with a handful of machines where I know Touch ID has been enabled for at least one user to unlock the Mac, but it's still reporting "Not Enabled for Unlock". I'm trying to debug now, but I'm running into a wall. Any ideas?

Joyrex
New Contributor III

Just a note for the above EAs... this will only show you the status of the TouchID configuration and not if a fingerprint is enrolled. Ex. If a user enrolls a fingerprint, sets the config (unlock, Apple Pay, etc.) then removes the fingerprint later the EAs above will still show as enabled. To show if a fingerprint is enrolled you will need the result from the bioutil -c -s command as well.
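Putting the thread's two checks together (system config from bioutil -rs, enrolled templates from bioutil -c -s), here is an added example that is not any poster's script: the parsing is factored into functions that take the bioutil text as arguments, so it can be exercised offline against constructed sample output, and the line formats are assumed from what the scripts above grep and awk for.

```shell
#!/bin/bash
# Added example (not from the thread): EA logic as functions over bioutil text.
# Line formats ("Touch ID functionality: 1", "User 501: 2 fingerprint(s)")
# are assumed from the fields the thread's scripts extract.

# System-level capability/config from `bioutil -rs` output.
# Prints one of: Unsupported | Disabled | Enabled | Enabled - unlock off
touchid_system_status() {
    local rs="$1" func unlock
    func=$(printf '%s\n' "$rs" | awk -F': *' '/Touch ID functionality/ { print $2; exit }')
    unlock=$(printf '%s\n' "$rs" | awk -F': *' '/Touch ID for unlock/ { print $2; exit }')
    if [ -z "$func" ]; then echo "Unsupported"      # no functionality line: no sensor
    elif [ "$func" != "1" ]; then echo "Disabled"
    elif [ "$unlock" = "1" ]; then echo "Enabled"
    else echo "Enabled - unlock off"
    fi
}

# UIDs with at least one template, from `bioutil -c -s` output. One UID per line.
touchid_enrolled_uids() {
    printf '%s\n' "$1" | awk '/User [0-9]+: [0-9]+ fingerprint/ {
        uid = $2; sub(":", "", uid); if ($3 + 0 > 0) print uid }'
}

# Combine both: an "Enabled" config with zero templates is still unusable (Joyrex's point).
touchid_ea_result() {
    local status uids
    status=$(touchid_system_status "$1")
    [ "$status" = "Unsupported" ] && { echo "$status"; return; }
    uids=$(touchid_enrolled_uids "$2" | tr '\n' ' ')
    uids=${uids% }
    if [ -n "$uids" ]; then echo "$status; enrolled UIDs: $uids"
    else echo "$status; no fingerprints enrolled"
    fi
}

# Constructed sample output so the script runs anywhere. On a Mac, feed the real
# commands instead:  touchid_ea_result "$(/usr/bin/bioutil -rs)" "$(/usr/bin/bioutil -c -s)"
SAMPLE_RS='System Touch ID configuration:
    Touch ID functionality: 1
    Touch ID for unlock: 1
    Effective unlock: 1'
SAMPLE_COUNT='Touch ID fingerprint count:
    User 501: 2 fingerprint(s)
    User 502: 0 fingerprint(s)'

echo "<result>$(touchid_ea_result "$SAMPLE_RS" "$SAMPLE_COUNT")</result>"
```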