As you may be aware, it is possible to use a fingerprint on any TouchID-enabled Mac (or a Magic Keyboard with TouchID) to authenticate sudo at the command line.
This possibility has been discussed many times by MacAdmins and Mac enthusiasts over the years. The earliest mention I could find is from 2017, when Cabel Sasser tweeted:
Pro MacBook Pro Tip: have a Touch Bar with Touch ID? If you edit /etc/pam.d/sudo and add the following line to the top…
auth sufficient pam_tid.so
…you can now use your fingerprint to sudo!
— Cabel Sasser (@cabel), November 16, 2017
sudo on the command line is great. It enforces security and separation by running under your own user, and it logs the actions taken with sudo. But typing long passwords and passphrases repeatedly can be a pain. By using TouchID to authenticate, we keep all of the security while cutting down on long password entries.
All we have to do is edit the file /etc/pam.d/sudo and add the following line at the top:
auth sufficient pam_tid.so
Save and you’re done. There are a few caveats, however. For one, /etc/pam.d/sudo is overwritten with its default contents each time macOS is updated. That is where our Self Service policy comes in: the script below can be placed in Self Service so that users can re-enable the feature with the click of a button after each update.
The script checks whether TouchID is already enabled for sudo and only enables it if needed. The original sudo file gets backed up to
Another caveat is that this feature does not work in iTerm2 unless a specific setting is changed. The script handles that too: if iTerm2 is installed, it checks whether the required setting is set to allow TouchID, and if the setting needs to be changed, a Jamf Helper message tells the user what to do. Note that this is a one-time change; once the setting is correct, users will not see the following message.
If you do not use Jamf, the Jamf Helper section could easily be replaced with something more appropriate for your environment, or removed altogether.
Without further ado, here is our script:
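The following is an added example, not the post's own Self Service script, showing the same procedure in working form: an idempotent check for the pam_tid.so line, a one-time backup to a .bak file before the line is prepended, the restore step, an iTerm2 check, and a Jamf Helper message with a plain-stdout fallback for sites without Jamf. The PAM file path is a parameter so the logic can be exercised on a scratch copy rather than /etc/pam.d/sudo. The iTerm2 preference key (BootstrapDaemon) and the jamfHelper path are assumptions on my part; neither appears in the post.

```bash
#!/bin/bash
# Added example, not the post's own Self Service script: enable, check and
# restore Touch ID for sudo by editing a PAM file. The file path is a parameter
# so the logic can be exercised against a scratch copy instead of /etc/pam.d/sudo.
set -u

PAM_LINE='auth       sufficient     pam_tid.so'
# Assumed jamfHelper location (standard Jamf binaries path).
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# True (exit 0) when the file already has an active, uncommented pam_tid line.
touchid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Back the file up once (an existing .bak is left alone so the pristine copy is
# never replaced by an already-modified one), then prepend the pam_tid line.
# Idempotent: a file that already has the line is not touched again.
enable_touchid() {
    local pam_file="$1" backup="$1.bak" tmp
    [ -f "$pam_file" ] || return 1
    touchid_enabled "$pam_file" && return 0
    [ -f "$backup" ] || cp -p "$pam_file" "$backup"
    tmp=$(mktemp)
    { printf '%s\n' "$PAM_LINE"; cat "$pam_file"; } > "$tmp"
    cat "$tmp" > "$pam_file"      # write in place: keeps owner, mode and inode
    rm -f "$tmp"
}

# Undo: put the backed-up original back (the post's mv command, made safe to
# call when no backup exists).
restore_sudo_pam() {
    local pam_file="$1" backup="$1.bak"
    [ -f "$backup" ] || return 1
    mv "$backup" "$pam_file"
}

# iTerm2 blocks Touch ID while "Allow sessions to survive logging out and back
# in" is on. ASSUMPTION: that advanced setting is stored as BootstrapDaemon in
# com.googlecode.iterm2 and is on by default. Exit 0 when iTerm2 is absent or
# already configured, 1 when the user still has to change the setting.
iterm_ready_for_touchid() {
    [ -d /Applications/iTerm.app ] || return 0
    local val
    val=$(defaults read com.googlecode.iterm2 BootstrapDaemon 2>/dev/null || echo 1)
    [ "$val" = "0" ]
}

# Show a message through jamfHelper when it is present, otherwise on stdout,
# which is the swap the post suggests for environments without Jamf.
notify() {   # title, heading, description
    if [ -x "$JAMF_HELPER" ]; then
        "$JAMF_HELPER" -windowType utility -title "$1" -heading "$2" \
            -description "$3" -button1 "OK" >/dev/null
    else
        printf '%s: %s\n%s\n' "$1" "$2" "$3"
    fi
}

# Entry point. The edit only happens when --apply is among the arguments, so
# the functions above can be sourced and tested without touching the system.
case " $* " in
    *" --apply "*)
        if enable_touchid /etc/pam.d/sudo; then
            echo "Touch ID is enabled for sudo."
        else
            echo "Could not edit /etc/pam.d/sudo (are you root?)." >&2
            exit 1
        fi
        if ! iterm_ready_for_touchid; then
            notify "Touch ID for sudo" "One iTerm2 setting needs to change" \
                "In iTerm2, open Preferences > Advanced, set 'Allow sessions to survive logging out and back in' to No, then restart iTerm2."
        fi
        ;;
esac
```

Jamf passes custom script parameters starting at $4, so pass --apply as parameter 4; the case pattern finds it wherever it sits in the argument list. Two design points: the backup is only taken when no .bak exists, so a second run after an update never overwrites the pristine copy with an already-edited file, and the check looks for an uncommented line rather than the bare string pam_tid.so, so a commented-out line does not count as enabled. On macOS 14 and later, Apple ships /etc/pam.d/sudo_local (from /etc/pam.d/sudo_local.template) for exactly this purpose; that file is included by /etc/pam.d/sudo and survives updates, so placing the same line there removes the need to re-run the policy.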
I would advise adding the above script to Jamf Pro, then setting up a Self Service policy like so:
- Name: Enable TouchID for sudo
- Trigger: Self Service
- Frequency: Ongoing
- Select script uploaded previously.
- Targets: Computers with TouchID enabled
Unfortunately, scoping to only computers with TouchID enabled requires an extension attribute (and a smart group). I have included the extension attribute I use below:
I would also add a note to the policy description in Self Service saying that the user needs to come back and run the policy again after each macOS update, and check the box that requires users to view the description.
Should you ever need to undo this action, it is as simple as restoring the original sudo file from the one we backed up. The following command can be run with a Jamf policy to restore the original settings:
mv /etc/pam.d/sudo.bak /etc/pam.d/sudo