One of the most notable features of Touch ID on Macs is the convenience it offers by eliminating the need to repeatedly enter your password for purchases, app logins, and unlocking your device. While this technology may be considered dated on iPhones, it remains a standard luxury on Macs. For those who often use Terminal, here’s some good news: you can also use Touch ID to authenticate as an administrator for all your sudo tasks with just a single tap.
Using Touch ID for sudo has been a possibility for several years. The setup takes only a minute and requires just one small adjustment to a system configuration file on macOS. Unfortunately, prior to the release of Sonoma, each new version of macOS would overwrite these changes, forcing users to re-enter their sudo passwords for authentication. This guide will demonstrate how to set up Touch ID for sudo in a manner that remains intact through updates.
It’s important to note that Apple stores Touch ID data similarly to Face ID: locally on the device, encrypted with AES-256, and processed by the Secure Enclave only when necessary. This data is never transmitted to Apple servers or saved in iCloud. In fact, it’s completely inaccessible to the operating system. The Secure Enclave merely provides a “yes” or “no” response to indicate whether authentication was successful.
Enabling Touch ID for sudo
I’m utilizing macOS Sequoia 15.4, but these instructions are applicable to any version of macOS from 10.15 Catalina onwards for Macs equipped with that convenient fingerprint sensor in the top-right corner of the keyboard. I will be using Terminal, but this also applies to any emulator that supports the Pluggable Authentication Module (PAM).
1. Copy and create a new configuration file
Start by copying Apple’s default template configuration file to create a new file named sudo_local. We copy the template instead of modifying it directly to prevent it from being overwritten with future macOS updates.
sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
2. Edit the sudo_local file
Next, open the newly generated sudo_local file using your preferred text editor; my personal favorite is Nano (:
sudo nano /etc/pam.d/sudo_local
In this file, uncomment the line with pam_tid.so by removing the #. Accept any system prompts that may appear.
4. Verify Touch ID Setup
That’s it! Now, let’s check if it works. Open a new Terminal session and execute a sudo command to confirm that the setup is correct. You should now see a prompt asking you to use Touch ID for authentication instead of entering your system password. If you wish to revert back to typing your password, just comment out the auth line we uncommented in step 2.
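The edit from step 2 and its reversal, written as an idempotent check-and-toggle script. This is an added example, not part of the original article: the function names are hypothetical, and the demo input is a constructed sample modeled on the template, so nothing under /etc/pam.d is touched.

```shell
#!/bin/sh
# Added example (not from the article): check and toggle the pam_tid.so
# line in a sudo_local-style PAM file. Function names are hypothetical.

# Succeeds if FILE has an active (uncommented) auth line loading pam_tid.so.
tid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_tid\.so' "$1"
}

# Apply sed expression $2 to FILE $1 through a temp copy; the file is only
# rewritten in place (keeping its owner and mode) if sed succeeded.
_rewrite() {
    tmp=$(mktemp) || return 1
    if sed -E "$2" "$1" > "$tmp"; then cat "$tmp" > "$1"; rc=$?; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Uncomment the pam_tid.so line (step 2). No-op if already active;
# fails if the file has no such line to uncomment.
enable_tid() {
    tid_enabled "$1" && return 0
    _rewrite "$1" 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]].*pam_tid\.so.*)$/\1/' || return 1
    tid_enabled "$1"
}

# Comment the line out again to go back to password-only sudo.
disable_tid() {
    _rewrite "$1" 's/^[[:space:]]*(auth[[:space:]].*pam_tid\.so.*)$/#\1/'
}

# Demo on a constructed sample modeled on the template.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so
EOF
tid_enabled "$demo" && echo "before: enabled" || echo "before: disabled"
enable_tid "$demo"
tid_enabled "$demo" && echo "after:  enabled" || echo "after:  disabled"
rm -f "$demo"
```

Pointing these functions at /etc/pam.d/sudo_local requires root, and tid_enabled on its own is a read-only way to audit whether a Mac currently accepts Touch ID for sudo.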
Enjoy your improved experience! 😌
Follow Arin: Twitter/X, LinkedIn, Threads