
Enabling Touch ID authentication for sudo using Blueprints in Jamf Pro

November 14, 2025

One of the capabilities Apple added in macOS Sonoma was a pluggable authentication module (PAM) configuration option for enabling Touch ID authentication for the sudo tool that persists across software updates. Before Sonoma, the only way to enable this was to edit /etc/pam.d/sudo directly, and macOS updates overwrote that file, reverting the change.

To enable this option, there is a /etc/pam.d/sudo_local.template file on macOS Sonoma and later which appears as shown below:


# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth sufficient pam_tid.so


Copying the /etc/pam.d/sudo_local.template file to /etc/pam.d/sudo_local and uncommenting the indicated line allows Touch ID to work as authentication for the sudo tool. This works because /etc/pam.d/sudo on Sonoma and later contains an "auth include sudo_local" line ahead of its own authentication rules, so the vendor-managed file pulls in the local one. The "sufficient" control flag means a successful Touch ID match satisfies the auth stack on its own; where Touch ID is unavailable (a Mac without a sensor, or a remote SSH session), pam_tid.so fails and PAM falls through to the usual password prompt, so enabling it never locks anyone out.


# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth sufficient pam_tid.so

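The copy-and-uncomment procedure above is what the admin scripts mentioned later in this post automate. As an added example (not code from the original post, and not a script Jamf or Apple ship), the following shell function does it idempotently: it reads the template, uncomments only the pam_tid line, writes the result atomically to the target, and verifies the outcome instead of assuming it. The template and target paths are parameters so the logic can be exercised against copies; on a real Mac it would be called as root with the two /etc/pam.d paths.

```shell
#!/bin/sh
# Added example, not code from the original post. On macOS (as root) call:
#   enable_touchid_sudo /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
# The paths are parameters so the logic can be tested against copies.

# Matches an active (uncommented) pam_tid line, tolerating extra whitespace.
TID_ACTIVE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

# Returns 0 if the given file exists and already enables Touch ID for sudo.
touchid_sudo_enabled() {
    [ -f "$1" ] && grep -Eq "$TID_ACTIVE" "$1"
}

# Creates the target from the template with the pam_tid line uncommented.
# Returns 0 on success, 1 if the template is missing or the edit did not take.
enable_touchid_sudo() {
    template="$1"
    target="$2"
    if [ ! -f "$template" ]; then
        echo "template not found: $template (needs macOS Sonoma or later)" >&2
        return 1
    fi
    # Idempotent: a file that already enables Touch ID is left untouched, so
    # anything else an admin has added to sudo_local is not clobbered.
    if touchid_sudo_enabled "$target"; then
        return 0
    fi
    # Uncomment only the pam_tid line; every other line of the template is
    # copied verbatim. Writing to a temp file and moving it keeps the update
    # atomic, so PAM never reads a half-written file.
    tmp="$target.tmp.$$"
    sed 's/^#[[:space:]]*auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_tid\.so/auth sufficient pam_tid.so/' \
        "$template" > "$tmp"
    # On macOS also chown root:wheel here; omitted so the example runs on
    # systems without a wheel group.
    chmod 0644 "$tmp"
    mv "$tmp" "$target"
    # Verify the result rather than trusting the sed edit.
    touchid_sudo_enabled "$target"
}
```

The verification step at the end matters for fleet deployment: a script that reports success after cp and sed without re-reading the file will happily report success on a machine where the template wording has changed and the pattern no longer matched.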

A number of Mac admins have written scripts to apply this PAM configuration to Macs, but there didn’t seem to be a good way to handle this without scripting. However, as part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to manage sets of tamper-resistant system configuration files for different system services. As of this date, the following services built into macOS can be managed this way:

  • sshd
  • sudo
  • PAM
  • CUPS
  • Apache httpd
  • bash
  • zsh

Jamf Pro’s Blueprints supports managing these services via the Service configuration files component. Since enabling Touch ID authentication for sudo is managed using a PAM configuration file, that means that enabling Touch ID authentication for the sudo tool can be accomplished via Blueprints. For more details, please see below the jump.
