Macbook Pro 2016 (with TouchBar) - Disabling TouchID for "Unlocking your Mac":

Hi All,

Just seeing if anyone out there has found a way to successfully disable just the TouchID option for "Unlocking your Mac". I need to figure out a way to not tie a user's fingerprint to something like their AD password.

Picture for reference:

SOLVED Posted: 12/21/16 at 7:18 PM by donmontalvo

If there is a concern about AD lock-outs related to iPhone/AppleWatch/TouchBar, the issue appears to have been resolved in Public/Developer seed <redacted>

SOLVED Posted: 12/22/16 at 9:15 AM by bwiessner

You can do a configuration profile that blocks all system preference buttons that you do not specify.

The downside of this is that it will grey out or lock any 3rd party system preferences it doesn't know about.

The other way to do this without blocking other prefs is to change the permissions on just the TouchID.prefPane file to no access, and then when or if a user clicks it they will be denied.

/System/Library/PreferencePanes/TouchID.prefPane

You will need to run the script or command as root - chmod this to something like 600 - owner has read and write but group and everyone has no access.

SOLVED Posted: 12/22/16 at 9:55 AM by Sachin_Parmar

Hi @bwiessner, it seems like the TouchID isn't available as a System Preferences restriction even in JSS 9.97. I don't particularly want to disable the preference pane entirely as I don't want to block Apple Pay and iTunes and App Store for Users just specifically "Unlocking your Mac". Guess it's just a waiting game for now?

SOLVED Posted: 12/22/16 at 9:58 AM by Sachin_Parmar

Just had a thought, I could potentially write a script that replaces the allowUnlockComputer key back to false periodically for now located in /System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/UserDefaults.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowStorePurchases</key>
    <false/>
    <key>allowUnlockComputer</key>
    <false/>
    <key>allowApplePay</key>
    <false/>
</dict>
</plist>
SOLVED Posted: 12/22/16 at 11:49 AM by bwiessner

This is how the configuration profile looks when blocking all but ones you select -

Like I said, changing the permissions on just the Touch ID pane has worked for me with no issues.

Change the permissions on just the TouchID.prefPane file to no access, and then when or if a user clicks it they will be denied.

chmod 600 /System/Library/PreferencePanes/TouchID.prefPane

You will need to run the script or command as root - chmod this to something like 600 - owner has read and write but group and everyone has no access.

SOLVED Posted: 2/13/17 at 11:23 AM by perrycj

There is a binary Apple built in to control Touch ID called bioutil. Here is a readout from the help page:

Options:
    -r, --read                      Read current Touch ID settings
    -w, --write                     Write new Touch ID settings
    -s, --system                    Flag to read/write systemwide Touch ID settings or perform systemwide operations
    -f, --function                  Enable (1) or disable (0) Touch ID functionality in general (system settings only)
    -u, --unlock $value             Enable (1) or disable (0) Touch ID for unlock
    -a, --applepay $value           Enable (1) or disable (0) Touch ID for ApplePay (user settings only)
    -c, --count                     Print number of enrolled fingerprints of the current user or of all users (-s, administrator only)
    -p, --purge                     Delete all enrolled fingerprints of the current user or of all users (-s, administrator only)
    -d, --delete $uid               Delete all enrolled fingerprints of the given user (administrator only)

Could probably use this to help disable it system wide or on demand.

SOLVED Posted: 2/13/17 at 4:02 PM by madscripter

Looks like this will be part of a Configuration Profile in 10.12.4
Of course Jamf server will need to be updated once 10.12.4 is out.

allowFingerprintForUnlock Boolean Optional. If false, prevents Touch ID from unlocking a device.
Availability: Available in iOS 7 and later and in macOS 10.12.4 and later.

SOLVED Posted: 2/19/17 at 12:12 PM by donmontalvo

@perrycj this is hugely helpful, thanks!

man bioutil | col -bx > /path/to/manpage_bioutil.txt

bioutil(1)                BSD General Commands Manual               bioutil(1)

NAME
     bioutil -- tool for viewing/changing Touch ID configuration and list-
     ing/deleting enrolled fingerprints

SYNOPSIS
     bioutil {-r | -w [-f { 0 | 1 }] [-u { 0 | 1 }] [-a { 0 | 1 }]} | [-c] |
             [-p] | [-d <uid>] [-s]

DESCRIPTION
     bioutil provides the possibility of viewing and changing Touch ID config-
     uration, both system-wide and user-specific. It also allows listing and
     deleting enrolled fingerprints.

OPTIONS
     -r, --read
              Read Touch ID configuration.

     -w, --write
              Write Touch ID configuration.

     -s, --system
              Indicates that system-wide configuration is to be read/written
              (user-specific configuration is the default) or that a system-
              wide list/delete operation is to be performed.

     -f, --function
              Enables (1) or disables (0) overall Touch ID functionality (sys-
              tem-wide configuration only).

     -u, --unlock
              Enables (1) or disables (0) Touch ID for unlock.

     -a, --applepay
              Enables (1) or disables (0) Touch ID for ApplePay (user-specific
              configuration only).

     -c, --count
              Provides number of enrolled fingerprints of the current user or
              of all users (when run with -s as an administrator)

     -p, --purge
              Deletes all enrolled fingerprints of the current user or of all
              users (when run with -s as an administrator)

     -d, --delete
              Deletes all enrolled fingerprints of the user with given user ID
              (must be run as an administrator)

EXAMPLES
     bioutil -r
              Reads Touch ID configuration for the current user.

     bioutil -r -s
              Reads system-wide Touch ID configuration.

     bioutil -w -u 1
              Enables Touch ID for unlock for the current user.

     sudo bioutil -w -s -u 0
              Disables Touch ID for unlock for the whole system.

     bioutil -c
              Prints the number of enrolled fingerprints of the current user.

     bioutil -p
              Deletes all enrolled fingerprints of the current user.

     sudo bioutil -c -s
              Prints numbers of enrolled fingerprints of all enrolled users.

     sudo bioutil -p -s
              Deletes all fingerprints from the system.

     sudo bioutil -s -d 501
              Deletes all fingerprints of user 501.

Darwin                         February 19, 2017                        Darwin

@madscripter nice that it'll be manageable via Configuration Profiles too.

SOLVED Posted: 2/20/17 at 7:48 AM by perrycj

@donmontalvo No problem! Glad it helped you out.

SOLVED Posted: 4/18/17 at 4:50 PM by troy.rowe

After trying a bunch of different things, I ended up going up to the Spotlight search and typed touch id. Touch ID prefs open up and is now back in System Prefs. It was too easy, but worked. Hope it helps.

SOLVED Posted: 5/3/17 at 7:22 PM by Cornoir

Just tried the following on a 10.12.4 system as root:

sudo bioutil -w -s -u 0

And received the following error:

Unable to perform the operation. Make sure that the configuration you want to set is valid.
Error occurred, err = 0x1

MacBook Pro 13" no MCX or other settings that would have affected it. I can get around it by hiding the Prefpane if need be or locking it with a mobileconfig. Used to work in 10.12.1 last I checked. Has anyone else experienced this error?

SOLVED Posted: 6/8/17 at 10:38 AM by dalleyne

You should be able to restrict TouchID authentication with a configuration profile and a restrictions payload.

Added in JAMF Pro 9.98.

SOLVED Posted: 6/15/17 at 9:12 AM by cgolebio

While not ideal, until JAMF builds this into the preference restrictions, I was able to take all my disabled preferences and create a custom payload. Problem is that you cannot do a custom payload AND the System preferences payload through restrictions at the same time. So I just have Restrict items in System Preferences disabled in my restrictions payload in favor of this custom payload.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisabledPreferencePanes</key>
<array>
...
<string>com.apple.preferences.password</string>
...
</array>
</dict>
</plist>

Obviously don't include the ...; this is just where I have other items defined.

I was able to get the bundle ID from /System/Library/PreferencePanes/TouchID.prefPane/Contents/Info.plist and look for the CFBundleIdentifier.

Oh and if anyone is looking for the Wallet and Apple Pay and Siri bundle IDs, same method to finding applies.
com.apple.preferences.wallet
com.apple.preference.speech

Hope this helps someone.
