Security Insight: Ditch Your Sudo Password – Use Touch ID Instead!


This content is brought to you exclusively by Mosyle, the sole Unified Platform for Apple. We specialize in making Apple devices enterprise-ready and secure. Our integrated management and security approach offers advanced Apple-specific solutions for full automation of Hardening & Compliance, Next Generation EDR, AI-driven Zero Trust, and unique Privilege Management, all combined with the most effective Apple MDM available. As a result, over 45,000 organizations trust us to make millions of Apple devices ready to work effortlessly and affordably. Request your EXTENDED TRIAL today and discover why Mosyle is what you need to work with Apple.

One significant advantage of Touch ID on Mac is the reduced need to enter your password for purchases, logging into applications, and unlocking the device. Although this technology might seem old-fashioned for the iPhone, it’s still a luxury feature on Mac. For users who frequently access Terminal, it’s comforting to know that you can authenticate as an administrator using Touch ID with just a single tap for all your sudo tasks.


The option to utilize Touch ID for sudo has existed for several years. It requires just 60 seconds to set up and involves a few minor edits to the system configuration files on macOS. Unfortunately, until the release of Sonoma, Apple would reset these changes with each new macOS update, forcing users to re-enter their sudo password. I will guide you through the process of enabling Touch ID for sudo in a way that will not be overridden.

As a reminder, Apple handles Touch ID data the same way it handles Face ID data: it is stored locally on the device with AES-256 encryption and processed by the Secure Enclave only when needed. This data is never transmitted to Apple’s servers or backed up to iCloud, and it is entirely inaccessible to the operating system itself. The Secure Enclave returns only a simple “yes” or “no” indicating whether the authentication succeeded.

How to Enable Touch ID for sudo

I’m using macOS Sequoia 15.4, but these instructions will apply to any version of macOS after 10.15 Catalina for Macs equipped with that fantastic fingerprint sensor located at the top right of the keyboard. I’m utilizing Terminal, but this should also function in any emulator compatible with the Pluggable Authentication Module (PAM).

1. Duplicate and Create a New Configuration File

First, copy the default template configuration file provided by Apple to a new file named sudo_local. We copy the template rather than modifying Apple's file directly because a new macOS release may overwrite Apple's own configuration files, while sudo_local is left alone.

sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local

2. Modify the sudo_local File

Next, open the newly created sudo_local file with your chosen text editor. I prefer Nano (:

sudo nano /etc/pam.d/sudo_local

In this file, uncomment the line that contains pam_tid.so by removing the #. Press “Allow” on any system prompts that may arise.


3. Touch and Verify

That’s all! Now, let’s confirm it’s working. Start a new Terminal session and execute a sudo command to check your setup. You’ll receive a prompt to authenticate using Touch ID rather than typing your system password. If you wish to revert to entering your password, simply comment out the auth line that we uncommented in step 2.
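As an added example (not part of the original post), here is a small POSIX shell script that performs the same edit without opening an editor: it uncomments the pam_tid.so line in /etc/pam.d/sudo_local, reports whether Touch ID is currently enabled, and can re-comment the line to revert. The function names and the PAM_FILE variable are my own; run the enable/disable functions with sudo on the real file, or point PAM_FILE at a scratch copy to try them safely.

```shell
#!/bin/sh
# Added example, not from the original post: manage the pam_tid.so line in
# a sudo_local-style PAM file. PAM_FILE (my own variable) defaults to the
# real file; override it, or pass a path, to work on a copy without root.
PAM_FILE="${PAM_FILE:-/etc/pam.d/sudo_local}"

# Active pam_tid.so auth line, e.g. "auth sufficient pam_tid.so"
ACTIVE='^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_tid\.so'
# The same line commented out, as shipped in sudo_local.template
COMMENTED='^[[:space:]]*#[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_tid\.so'

# Print enabled / disabled / missing for the given file.
touchid_status() {
  f="${1:-$PAM_FILE}"
  if grep -Eq "$ACTIVE" "$f"; then echo enabled
  elif grep -Eq "$COMMENTED" "$f"; then echo disabled
  else echo missing
  fi
}

# Uncomment the template line (step 2 of the post). Idempotent; keeps a .bak.
# Needs root when run against the real /etc/pam.d/sudo_local.
touchid_enable() {
  f="${1:-$PAM_FILE}"
  sed -i.bak -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+[a-z]+[[:space:]]+pam_tid\.so)/\1/' "$f"
}

# Re-comment the line to go back to password-only sudo.
touchid_disable() {
  f="${1:-$PAM_FILE}"
  sed -i.bak -E 's/^([[:space:]]*)(auth[[:space:]]+[a-z]+[[:space:]]+pam_tid\.so)/\1#\2/' "$f"
}

# Constructed stand-in for sudo_local.template, for trying the functions
# on a scratch file (the real template ships the pam_tid.so line commented).
make_sample_template() {
  printf '%s\n' \
    '# sudo_local: local config file which survives system update' \
    '# uncomment following line to enable Touch ID for sudo' \
    '#auth       sufficient     pam_tid.so' > "$1"
}

# Stand-alone demo on a scratch copy; never touches /etc.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); make_sample_template "$tmp"
  touchid_enable "$tmp"; echo "after enable: $(touchid_status "$tmp")"
  rm -f "$tmp" "$tmp.bak"
fi
```

Because the PAM control is `sufficient`, the password prompt remains as a fallback whenever Touch ID is unavailable, for example in an SSH session where no sensor is reachable.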


Enjoy! 😌
