TouchID and Watch unlocking

medeor
New Contributor

Just want to hear additional comments as to why corporations prefer to disable, within Jamf, TouchID and Apple Watch unlocking of Macs. I can understand the watch, which prefers one to sign into iCloud, but why disable TouchID?

Thanks


tomhastings
Contributor II

I would also like to understand this. Where I am currently, Touch ID is allowed for Windows users but not Mac. Nobody can give me a reason why.

JustDeWon
Contributor III

Mostly TouchID is disabled for AD-bound Macs, due to being able to bypass an expired/locked account with TouchID, and both the Apple Watch and TouchID send 2 bad password attempts to their AD account. For non-bound Macs, not sure I see the need to disable TouchID.

dcgagne
Contributor

We recently enabled TouchID in our HIPAA environment after some discussion with our compliance officer. In effect, since the data is kept in the secure enclave and the devices are not AD bound, we found little reason to not allow the feature. Watch unlocking is still blocked because watches are not MDM bound and effectively unsupported by IT.

We actually don't allow fingerprint readers on Windows devices because there is such a broad assortment of chipsets and implementations that our SCCM/AD people can't spare the resources to keep up on maintaining their operation.