Posted on 03-22-2018 04:13 AM
Hi,
Has anyone yet figured a way to write an extension attribute to report whether a device is TouchID capable or not? bioutil does not seem to give any indication of capability regardless whether it's run on a TouchID capable device or not. There doesn't seem to be anything returned by system_profiler to indicate. Struggling to find anything that could be leveraged...
Cheers
Dan
Posted on 03-22-2018 06:35 AM
Here's a great reference that should do what you're looking for:
http://www.modtitan.com/2016/12/ea-for-detecting-if-mac-has-touch-bar.html
Posted on 03-22-2018 09:04 AM
So I don't know the exact key for the touchid sensor... I could dig around and find it.
The above will work until apple decides they're releasing external touchbars..
Posted on 03-22-2018 01:39 PM
That being said... You can apply policies that have touch id payloads to machines that don't and the machine won't do anything about it.
Posted on 06-09-2019 04:59 AM
@dfarnworth_barc I know this is "a bit" old now, but you can use this one-liner to detect if the Mac is Touch ID enabled.
/usr/libexec/PlistBuddy -c "print :$(sysctl -n hw.model):_LOCALIZABLE_:description" /System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/English.lproj/SIMachineAttributes.plist | grep -oc "Touch ID"
It will return 1 if touch id is available and 0 if not. So far it works on all mac models including MacBook Air with touch id.
Hope it helps.
Kamal
Posted on 09-19-2019 09:21 AM
Good post @greatkemo I am going to try this one out
For anyone else another option is
Smart Group with Model Identifier > Is > #VALUE
MacBookPro15,4
MacBookPro15,3
MacBookPro15,2
MacBookPro15,1
MacBookPro14,3
MacBookPro14,2
MacBookPro13,3
MacBookPro13,2
Posted on 09-22-2019 04:22 AM
#!/bin/zsh
# EA: is "Touch ID for unlock" switched on system-wide?
# In the line "Touch ID for unlock: 1" the 0/1 flag is field 5. Matching the
# full label avoids also picking up the "Effective unlock" line that newer
# releases print.
UnlockmymacStatus=$(bioutil -rs | awk '/Touch ID for unlock/ {print $5}')
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"

#!/bin/zsh
# EA: does the hardware/OS expose Touch ID at all?
# In the line "Touch ID functionality: 1" the 0/1 flag is field 4; the line is
# absent on Macs without a Touch ID sensor, which falls through to "Error".
TouchIDStatus=$(bioutil -rs | awk '/Touch ID functionality/ {print $4}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"
Posted on 05-28-2020 08:11 AM
For anyone who comes across this post, I did some testing and I had the most success using @txhaflaire's solution. My only modification was changing the replies to include Yes/No responses in order to make some Smart Group searches easier so that I could both see whether it's running and then my query looks for "like" filter with a "yes" response.
#!/bin/zsh
# EA: Touch ID functionality flag (field 4 of "Touch ID functionality: 1"),
# reported as Yes/No so Smart Groups can use a "like yes" filter.
# Only the <result> line is printed; nothing else goes to stdout.
TouchIDStatus=$(bioutil -rs | awk '/Touch ID functionality/ {print $4}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Yes - Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Yes - Enabled"
else
    # No "Touch ID functionality" line: the Mac has no sensor
    result="No TouchID found"
fi
echo "<result>$result</result>"
exit 0
<result>No TouchID found</result>
Posted on 05-28-2020 08:55 AM
Here is what I set up for my org a few months ago, works nicely
#!/bin/zsh
# EA: system-wide Touch ID functionality flag (field 4 of
# "Touch ID functionality: 1"); anything other than 0/1 is reported as Error.
TouchIDStatus=$(bioutil -rs | awk '/Touch ID functionality/ {print $4}')
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1" ]]; then
    result="Enabled"
else
    result="Error"
fi
echo "<result>$result</result>"
Posted on 05-08-2021 10:21 PM
I took this a step further to identify not just whether Touch ID is available or enabled, but also who has enabled Touch ID on a given system. The script outputs to a bash array, since technically more than one user can enroll in it. First I check for who has >0 fingerprints enrolled and grab the UID. Then I translate UID to username for sudo -u. The reason we have to do this is because bioutil -rs gives system-wide status of Touch ID, and it may differ from the user-level status of Touch ID bioutil -r. For instance, if I uncheck the box to unlock my Mac, bioutil -rs will show "enabled: 1" but bioutil -r run as the specific user will show "enabled: 0".
GitHub link: https://github.com/bradtchapman/uselessJamfScripts/blob/master/touch-id-enrolled-users-ea.sh
#!/bin/zsh
# This script will list all the users enrolled in Touch ID
# that have "unlock with fingerprint" enabled.

# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.
touchIDfunctionality=$(/usr/bin/bioutil -rs | grep "Touch ID functionality")
if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all the users over UID 500 and run 'bioutil' with sudo -u .
# Only capture users that have > 0 fingerprints registered,
# and finally confirm that they have enabled unlocking the Mac.
# 'ls -lan' prints the owner UID in field 3 and the home folder name in field 9.
# 'bioutil -c' prints "User <uid>: N fingerprint(s)", so field 2 (colon stripped)
# is the UID and field 3 is the fingerprint count.
tidEnrolledUsers=($(for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do sudo -u "$i" /usr/bin/bioutil -c; done | awk '/User/ && $3 > 0 { print $2 }' | sed "s_:__g"))
tidUsersArray=()
for i in ${tidEnrolledUsers[@]}
do
    # Translate the UID back to a username via the owner of its home folder
    # (exact match on the UID field, so a UID cannot match a size or a name).
    tidUser=$(ls -lan /Users/ | awk -v uid="$i" '$3 == uid { print $9; exit }')
    # Per-user setting: field 5 of "Touch ID for unlock: 1", ignoring the
    # "Effective unlock" line.
    tidStatus=$(/usr/bin/sudo -u "$tidUser" /usr/bin/bioutil -r | awk '/unlock/ && !/Effective/ { print $5 }')
    [[ $tidStatus == "1" ]] && tidUsersArray+=("$tidUser")
done

# Finally, print the results!
if [[ -n $tidUsersArray ]]
then
    echo "<result>Active Users: $tidUsersArray</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi
Kudos to my wife (a fellow Mac admin) who simply asked the question and inspired me to make this.
Posted on 04-11-2023 09:26 AM
Thanks Brad! This is exactly what I was looking for. However, I am testing with a handful of machines where I know Touch ID has been enabled for at least one user to unlock the Mac, but it's still reporting "Not Enabled for Unlock". I'm trying to debug now, but I'm running into a wall. Any ideas?
12-22-2022 06:05 AM - edited 12-22-2022 08:41 AM
Just a note for the above EAs... this will only show you the status of the TouchID configuration and not if a fingerprint is enrolled. Ex. If a user enrolls a fingerprint, sets the config (unlock, Apple Pay, etc.) then removes the fingerprint later the EAs above will still show as enabled. To show if a fingerprint is enrolled you will need the result from the bioutil -c -s command as well.
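As an added example (not code from any poster in this thread), the following EA-style evaluator combines the two checks the thread ends on: the system-wide flags from bioutil -rs and the per-user enrolment counts from bioutil -c, so "enabled but no fingerprint enrolled" is reported as its own state. The bioutil outputs are passed in as text, and the sample values at the bottom are constructed in the format the thread's scripts parse; on a Mac you would substitute the live command output.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate Touch ID state from captured
# `bioutil -rs` (system flags) and `bioutil -c` (per-user enrolment) output.

# Value of one "<label>: N" line from `bioutil -rs` (empty if the line is absent).
# Exact label match, so "Touch ID for unlock" is not confused with "Effective unlock".
rs_value() {   # $1 = captured -rs output, $2 = label
    printf '%s\n' "$1" | awk -v label="$2" -F': *' \
        '{ sub(/^[ \t]+/, "", $1) } $1 == label { print $2; exit }'
}

# UIDs with at least one enrolled fingerprint, from `bioutil -c` lines such as
# "User 501: 2 fingerprint(s)": the UID is the first number after "User", the
# count is the first number after the UID (the wording after it is ignored).
enrolled_uids() {   # $1 = captured -c output; prints one UID per line
    printf '%s\n' "$1" | awk '/^User [0-9]+/ {
        uid = $2; sub(/[^0-9].*/, "", uid)
        rest = $0; sub(/^User [0-9]+[^0-9]*/, "", rest)
        if (rest + 0 > 0) print uid
    }'
}

# Prints the extension-attribute <result> for the given captured outputs.
touchid_result() {   # $1 = -rs output, $2 = -c output
    func=$(rs_value "$1" "Touch ID functionality")
    unlock=$(rs_value "$1" "Touch ID for unlock")
    uids=$(enrolled_uids "$2" | tr '\n' ' ')
    if [ -z "$func" ]; then
        printf '<result>Unsupported</result>\n'
    elif [ "$func" != "1" ]; then
        printf '<result>Disabled</result>\n'
    elif [ -z "$uids" ]; then
        printf '<result>Enabled, no fingerprints enrolled</result>\n'
    elif [ "$unlock" = "1" ]; then
        printf '<result>Enabled for unlock; enrolled UIDs: %s</result>\n' "${uids% }"
    else
        printf '<result>Enrolled, unlock off; enrolled UIDs: %s</result>\n' "${uids% }"
    fi
}

# Constructed samples in the format the thread's scripts parse. On a Mac, replace
# them with "$(/usr/bin/bioutil -rs)" and "$(/usr/bin/bioutil -c)" respectively.
SAMPLE_RS='System Touch ID configuration:
    Touch ID functionality: 1
    Touch ID for unlock: 1
    Effective unlock: 1'
SAMPLE_C='User 501: 2 fingerprint(s)
User 502: 0 fingerprint(s)'
touchid_result "$SAMPLE_RS" "$SAMPLE_C"
```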