So I don't know the exact key for the touchid sensor... I could dig around and find it.

The above will work until apple decides they're releasing external touchbars..

That being said... You can apply policies that have touch id payloads to machines that don't and the machine won't do anything about it.

@dfarnworth_barc I know this is "a bit" old now, but you can use this one liner to detect if the Mac is Touch ID enabled.

/usr/libexec/PlistBuddy -c "print :$(sysctl -n hw.model):_LOCALIZABLE_:description" /System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/English.lproj/SIMachineAttributes.plist | grep -oc "Touch ID"

It will return 1 if touch id is available and 0 if not. So far it works on all mac models including MacBook Air with touch id.

Hope it helps.

Kamal

Good post @greatkemo I am going to try this one out

For anyone else another option is

Smart Group with Model Identifier > Is > #VALUE

VALUES

MacBookPro15,4
MacBookPro15,3
MacBookPro15,2
MacBookPro15,1
MacBookPro14,3
MacBookPro14,2
MacBookPro13,3
MacBookPro13,2

#!/bin/zsh

UnlockmymacStatus=`bioutil -rs | grep unlock | awk '{print $5}'`
if [[ "$UnlockmymacStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$UnlockmymacStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

#!/bin/zsh

TouchIDStatus=`bioutil -rs | grep functionality | awk '{print $4}'`
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

For anyone who comes across this post, I did some testing and I had the most success using @txhaflaire's solution. My only modification was changing the replies to include Yes/No responses in order to make some Smart Group searches easier so that I could both see whether it's running and then my query looks for "like" filter with a "yes" response.

#!/bin/zsh

TouchIDStatus=`bioutil -rs | grep functionality | awk '{print $4}'`
bioutil -rs | grep functionality | awk '{print $4}'
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Yes - Disabled"
elif [[ "$TouchIDStatus" = "1"  ]]; then
    result="Yes - Enabled"
else 
    result="No TouchID found"
fi
echo "<result>$result</result>"
<result>No TouchID found</result>
exit 0

Here is what i setup for my org a few months ago, works nicely

#!/bin/zsh

TouchIDStatus=`bioutil -rs | grep functionality | awk '{print $4}'`
if [[ "$TouchIDStatus" = "0" ]]; then
    result="Disabled"
elif [[ "$TouchIDStatus" = "1"  ]]; then
    result="Enabled"
else 
    result="Error"
fi
echo "<result>$result</result>"

QuotedText

I took this a step further to identify not just whether Touch ID is available or enabled, but also who has enabled Touch ID on a given system. The script outputs to a bash array, since technically more than one user can enroll in it. First I check for who has >0 fingerprints enrolled and grab the UID. Then I translate UID to username for sudo -u. The reason we have to do this is because bioutil -rs gives system-wide status of Touch ID, and it may differ from the user-level status of Touch ID bioutil -r . For instance, if I uncheck the box to unlock my Mac, bioutil -rs will show "enabled: 1" but bioutil -r run as the specific user will show "enabled: 0" .

GitHub link: https://github.com/bradtchapman/uselessJamfScripts/blob/master/touch-id-enrolled-users-ea.sh

#!/bin/zsh

# This script will list all the users enrolled in Touch ID
# that have "unlock with fingerprint" enabled.

# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.

touchIDfunctionality=$(/usr/bin/bioutil -rs | grep "Touch ID functionality")

if [[ -z $touchIDfunctionality ]]
then
    echo "<result>Unsupported</result>"
    exit 0
fi

# Next, list all the users over UID 500 and run 'bioutil' with sudo -u .
# Only capture users that have > 0 fingerprints registered,
# and finally confirm that they have enabled unlocking the Mac.

tidEnrolledUsers=($(for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do sudo -u $i /usr/bin/bioutil -c; done | awk '/User/ && !/0 fingerprint/ { print $0 }' | awk '{ print $2 }' | sed "s_:__g" ))
tidUsersArray=()

for i in ${tidEnrolledUsers[@]}
do
    tidUser=$(ls -lan /Users/ | grep "$i" | awk 'BEGIN { RS="" ; FS="
" } { print $1 }' | awk '{ print $9 }')
    tidStatus=$(/usr/bin/sudo -u "$tidUser" /usr/bin/bioutil -r | awk '/unlock/ && !/Effective/ { print $5 }')
    [[ $tidStatus == "1" ]] && tidUsersArray+=("$tidUser")
done

# Finally, print the results!

if [[ -n $tidUsersArray ]]
then
    echo "<result>Active Users: $tidUsersArray</result>"
else
    echo "<result>Not Enabled for Unlock</result>"
fi

Kudos to my wife (a fellow Mac admin) who simply asked the question and inspired me to make this.

Just a note for the above EA's... this will only show you the status of the TouchID configuration and not if a fingerprint is enrolled. Ex. If a user enrolls a fingerprint, sets the config (unlock, Apple Pay, etc.) then removes the fingerprint later the EA's above will still show as enabled. To show if a fingerprint is enrolled you will need the result from the  bioutil -c -s command as well.

Hey All,.. long time viewer, first time poster ;P ... I modified bradtchapman's script as it was not working for me. So I had to ChatGPT a bit to tweak a few things. Below is what I came up with.

The 2 EDITS I made:

* Line 9, I changed the GREP to look for "Biometrics functionality" instead of "Touch ID functionality"

* Line 27 .. I had to change the awk filter after "Effective" from "print $5" to "print $4"

That seemed to get it to work on my M2 MacBook Pro on Sequoia 15.0. 

I suppose there's some other cosmetic and wording improvements I could make,. but "workable functionality" was 1st goal. 

#!/bin/zsh

# This script will list all the users enrolled in Touch ID
# that have "unlock with fingerprint" enabled.

# First, check if the system even supports Touch ID
# If not, bail out and report unsupported.

touchIDfunctionality=$(/usr/bin/bioutil -rs | grep "Biometrics functionality")

if [[ -z $touchIDfunctionality ]]
then
	echo "<result>Unsupported</result>"
	exit 0
fi

# Next, list all the users over UID 500 and run 'bioutil' with sudo -u .
# Only capture users that have > 0 fingerprints registered,
# and finally confirm that they have enabled unlocking the Mac.

tidEnrolledUsers=($(for i in $(ls -lan /Users/ | awk '$3 > 500 { print $9 }'); do sudo -u $i /usr/bin/bioutil -c; done | awk '/User/ && !/0 fingerprint/ { print $0 }' | awk '{ print $2 }' | sed "s_:__g" ))
tidUsersArray=()

for i in ${tidEnrolledUsers[@]}
do
	tidUser=$(ls -lan /Users/ | grep "$i" | awk 'BEGIN { RS="" ; FS="\n" } { print $1 }' | awk '{ print $9 }')
	tidStatus=$(/usr/bin/sudo -u "$tidUser" /usr/bin/bioutil -r | awk '/unlock/ && !/Effective/ { print $4 }')
	[[ $tidStatus == "1" ]] && tidUsersArray+=("$tidUser")
done

# Finally, print the results!

if [[ -n $tidUsersArray ]]
then
	echo "<result>Active Users: $tidUsersArray</result>"
else
	echo "<result>Not Enabled for Unlock</result>"
fi