Apple recently introduced a laptop with the same fingerprint technology found in an iPhone, as well as a T1 chip that takes the sapphire Touch ID sensor information and stores it securely, non-reversibly(ish), on the machine. OS X 10.12 now comes with a tool that can manage the fingerprints, stored as keys, on the device. The bioutil command is simple to use, with a few options that are mostly useful for enabling different features of the new technology.
Let’s get started by enabling the unlock option, using the -r option to see if Touch ID is enabled for the current user and -s to check the system as well:
bioutil -r -s
Now let’s enable Touch ID to be able to unlock the system, with -u (provided it’s not already enabled):
If you’ll be using Apple Pay, also use -a (on a per-user basis):
Next, let’s enable Touch ID to unlock the system for the current user:
bioutil -w -u 1
This user will obviously need to provide their fingerprint in order to use Touch ID. Once done, let’s see how many fingerprints they’ve registered using the -c option (which checks for the number of fingerprints registered by the currently enrolled user):
Now let’s delete all fingerprints for the current user (note that they’re not reversible so you can’t actually look at the contents):
Next, we’ll use sudo to remove all fingerprints for all users (since we’re crossing from user land, we’ll need to provide a password):
sudo bioutil -p -s
Alternatively, we could have deleted only the fingerprints registered for user 1024, using -s and -d together, followed by the actual UID (which also requires sudo, as with all -s option combos):
sudo bioutil -s -d 1024
Now let’s disable Touch ID for the computer, using -w to write a config, and that -u from earlier, setting it to 0 for off:
sudo bioutil -w -s -u 0
And voilà, you’re managing the thing. Throw these in an Extension Attribute or in Munki and you’re managing/checking/knowing/reporting/all the things! Enjoy!
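As an added example (not code from the original post), here is one way the Extension Attribute idea could look: a script that reads the `bioutil -r -s` output and reports the unlock and Apple Pay settings in a single `<result>` line. The output layout it parses (section headers ending in "configuration:" followed by indented "name: value" lines) is an assumption, the sample text is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: Extension Attribute-style report of Touch ID settings.
# ASSUMPTION: bioutil -r -s prints "<Scope> Touch ID configuration:" headers
# followed by indented "name: value" lines. Verify on a real Touch ID Mac.

# Constructed sample of the assumed format, used when bioutil is not present.
sample_output() {
cat <<'EOF'
System Touch ID configuration:
    Touch ID functionality: 1
    Touch ID for unlock: 1
User Touch ID configuration:
    Touch ID for unlock: 0
    Touch ID for ApplePay: 1
EOF
}

# touchid_setting SCOPE NAME: read bioutil output on stdin and print the value
# of NAME inside the SCOPE section (System or User), or "unknown" if absent.
touchid_setting() {
    awk -v scope="$1" -v name="$2" '
        /configuration:[ \t]*$/ { in_scope = ($1 == scope); next }
        in_scope {
            line = $0
            sub(/^[ \t]+/, "", line)
            split_at = index(line, ": ")
            if (split_at && substr(line, 1, split_at - 1) == name) {
                print substr(line, split_at + 2); found = 1; exit
            }
        }
        END { if (!found) print "unknown" }
    '
}

# touchid_report: read bioutil output on stdin, print one <result> line.
touchid_report() {
    out=$(cat)
    sys=$(printf '%s\n' "$out" | touchid_setting System "Touch ID for unlock")
    usr=$(printf '%s\n' "$out" | touchid_setting User "Touch ID for unlock")
    pay=$(printf '%s\n' "$out" | touchid_setting User "Touch ID for ApplePay")
    echo "<result>system_unlock=$sys user_unlock=$usr user_applepay=$pay</result>"
}

# Use the real tool where it exists; otherwise fall back to the sample.
if command -v bioutil >/dev/null 2>&1; then
    bioutil -r -s | touchid_report
else
    sample_output | touchid_report
fi
```

The User lines describe whichever account runs the command, so a management agent running as root reports root's settings rather than the logged-in user's.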
krypted December 16th, 2016
One of the things that Apple Configurator 2, or an MDM solution, can do to make large-scale iOS deployments easier is to disable some of the screens displayed to users during the initial setup of an iOS device. This is critical when trying to get to a zero-touch deployment. On a DEP-based device, most of these steps would be disabled by your MDM solution. However, on a non-DEP-based device, these options would be disabled on the iOS device directly.
To disable the initial configuration screens during activation on an iPhone or iPad and therefore require fewer steps during the setup of devices, first plug a device into Apple Configurator. Then, right-click on the device and choose the Prepare… option.
From the prepare wizard, first choose whether the configuration will be automatic or assist during the initial configuration of DEP-based devices. Because there’s no MDM in this scenario, we’ll select Manual.
As mentioned, there’s no MDM for this deployment, so at the MDM server screen, we’ll elect not to use an MDM and then click on the Next button.
At the Supervise Device screen, we’ll go ahead and enable supervision, so that we can make use of some other options, such as disabling features in profiles that are only allowed to be disabled using a supervised device. Click Next.
Finally, we’re at that Apple Configurator 2 screen where we can disable activation screens. Here, choose the following that you’d like to disable:
Once you click on the Prepare button, you will run the Activation process on the iOS device; albeit without all the extra screens. Note that you can configure this for blueprints and so do this on devices en masse.
krypted November 7th, 2015