Apple recently introduced a laptop with the same fingerprint technology found in an iPhone as well as a T1 chip to take the sapphire Touch ID sensor information and store it securely, non-reversibly(ish), on the machine. OS X 10.12 now comes with a tool that can manage the fingerprints, stored as keys, on the device. The bioutil command is simple to use, with a few options that are mostly useful for enabling different features of the new technology.
Let’s get started by checking the current state, using the -r option to see if Touch ID is enabled for the current user and -s to check the system as well:
bioutil -r -s
Now let’s enable Touch ID to be able to unlock the system, with -u (provided it’s not already enabled):
If you’ll be using Apple Pay, also use -a (on a per-user basis):
Next, let’s enable Touch ID to unlock the system for the current user:
bioutil -w -u 1
This user will obviously need to provide their fingerprint in order to use Touch ID. Once done, let’s see how many fingerprints they’ve registered using the -c option (which checks for the number of fingerprints registered by the currently enrolled user):
Now let’s delete all fingerprints for the current user (note that they’re not reversible so you can’t actually look at the contents):
Next, we’ll use sudo to remove all fingerprints for all users (since we’re crossing from user land, we’ll need to provide a password):
sudo bioutil -p -s
Instead, we could have deleted just the fingerprints that had been registered for user 1024, using -s and -d together, followed by the actual UID (which also requires sudo – as with all -s option combos):
sudo bioutil -s -d 1024
Now let’s disable Touch ID for the computer, using -w to write a config, and that -u from earlier, setting it to 0 for off:
sudo bioutil -w -s -u 0
And voilà, you’re managing the thing. Throw these in an Extension Attribute or in Munki and you’re managing/checking/knowing/reporting/all the thingsings! Enjoy!
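As an added example (not code from the original post), here is one way to wrap the read option in an Extension Attribute style reporter. The function names are hypothetical, and the output labels "Touch ID for unlock" and "Touch ID for ApplePay" are an assumption about what `bioutil -r` prints, since the page does not show its output; the sample text is constructed.

```shell
#!/bin/sh
# Extension Attribute style reporter for the per-user Touch ID settings.
# ASSUMPTION: bioutil -r prints "Label: 0|1" lines such as
# "Touch ID for unlock: 1". Adjust the labels if your OS prints others.

# get_setting LABEL: reads bioutil output on stdin and prints 0 or 1 for
# LABEL, or "unknown" when the label is missing or the value is not 0/1.
get_setting() {
    awk -F': *' -v want="$1" '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == want { val = $2; sub(/[ \t\r]+$/, "", val); found = 1 }
        END {
            if (found && (val == "0" || val == "1")) print val
            else print "unknown"
        }'
}

# to_word VALUE: maps 1/0/anything else to Enabled/Disabled/Unknown.
to_word() {
    case "$1" in
        1) echo "Enabled" ;;
        0) echo "Disabled" ;;
        *) echo "Unknown" ;;
    esac
}

# touchid_ea: reads bioutil output on stdin, prints one <result> line.
touchid_ea() {
    out=$(cat)
    unlock=$(printf '%s\n' "$out" | get_setting "Touch ID for unlock")
    pay=$(printf '%s\n' "$out" | get_setting "Touch ID for ApplePay")
    printf '<result>Unlock: %s; Apple Pay: %s</result>\n' \
        "$(to_word "$unlock")" "$(to_word "$pay")"
}

# Constructed sample output, used when bioutil is not installed.
SAMPLE='User Touch ID configuration:
    Touch ID for unlock: 1
    Touch ID for ApplePay: 0'

if command -v bioutil >/dev/null 2>&1; then
    bioutil -r 2>&1 | touchid_ea
else
    printf '%s\n' "$SAMPLE" | touchid_ea
fi
```

An unparseable or error response is reported as Unknown rather than Disabled, so a reporting failure is not mistaken for a compliant machine.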
krypted December 16th, 2016
One of the things that Apple Configurator 2, or an MDM solution, can do to make large-scale iOS deployments easier is to disable some of the screens displayed to users during the initial setup of an iOS device. This is critical when trying to get to a zero-touch deployment. On a DEP-based device, most of these steps would be disabled by your MDM solution. However, on a non-DEP-based device, these options would be disabled on the iOS device directly.
To disable the initial configuration screens during activation on an iPhone or iPad and therefore require fewer steps during the setup of devices, first plug a device into Apple Configurator. Then, right-click on the device and choose the Prepare… option.
From the prepare wizard, first choose whether the configuration will be automatic or assist during the initial configuration of DEP-based devices. Because there’s no MDM in this scenario, we’ll select Manual.
As mentioned, there’s no MDM for this deployment, so at the MDM server screen, we’ll elect not to use an MDM and then click on the Next button.
At the Supervise Device screen, we’ll go ahead and enable supervision, so that we can make use of some other options, such as disabling features in profiles that are only allowed to be disabled using a supervised device. Click Next.
Finally, we’re at that Apple Configurator 2 screen where we can disable activation screens. Here, choose the following that you’d like to disable:
- Language: Disables the screen to set the language. The language will default to English, but can be configured after the setup process is complete if English is not the preferred language.
- Region: Disables the screen to set the region during setup.
- Location Services: Disables the screen to disable Location Services at setup. Location Services can still be disabled once setup is complete.
- Set Up: Disables the Set Up screen.
- Apple ID: Disables the screen to configure an Apple ID during setup. An Apple ID will still be required to install apps manually and can be configured during an app purchase. Apple IDs will not be required for Volume Purchase Program (VPP) purchases using the device-based deployment options via MDM.
- Zoom: Disables the screen to enable the zoom options.
- Siri: Disables the screen to disable Siri, the voice recognition options on the iPhone.
- Diagnostics: Disables the prompt to send Diagnostic information to Apple.
- Passcode: Disables the prompt to configure a passcode. Passcodes can still be configured by users once the device has been set up.
- Touch ID: Disables the prompt to make a fingerprint your passcode. You can still set up Touch ID at a later time. Touch ID will be required in order to use Apple Pay.
- Apple Pay: Disables the prompt to set up Apple Pay during the activation process. You can still set up Apple Pay manually at a later time.
Once you click on the Prepare button, you will run the Activation process on the iOS device; albeit without all the extra screens. Note that you can configure this for blueprints and so do this on devices en masse.
krypted November 7th, 2015