[macOS] Checking admin privileges with Touch ID???

I'm trying to figure out whether it's possible to authenticate a user as an admin using Touch ID on macOS. And using _public_ APIs (*)


Basically, what I'm trying to achieve is:


1. User clicks on a button to perform a task that can only be performed by a user who is allowed to administer the computer.

2. A standard security authentication dialog appears and allows to authenticate using Touch ID.

3. An AuthorizationRef is retrieved.


When I look at the Local Authentication API, I see multiple limitations (by design or not):


- it lets you prove you are the current user. But it does not check that you are an admin user.


- the dialog does not work as the one in Installer.app for instance:

  - if you move the authentication dialog to a screen corner and then click the User Password… button, the Password window is displayed in the center of the screen.


- it does not seem possible to retrieve an AuthorizationRef.


Question


Are there public APIs or services that allow checking for admin privileges and support Touch ID?

* I know it's possible using private frameworks since this is, for instance, what the Startup Disk preference pane does.
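For readers who want to see what the public route actually looks like, here is an added example (not code from this thread, from Apple, or from any project mentioned here). It gates an admin-only action on the Authorization Services right "system.privilege.admin", which does hand back an AuthorizationRef and does require an administrator credential, and shows the LocalAuthentication call beside it for contrast, since that one only proves the person present is the current user and never says whether that account is an admin. It assumes a macOS app target with the Security and LocalAuthentication frameworks linked; the function names are mine, and the comment about Touch ID appearing only for Apple-signed callers restates what the replies in this thread say.

```swift
// Added example, not part of the original thread or of any Apple sample.
// Assumes a macOS app with Security and LocalAuthentication linked.
import Foundation
import Security
import LocalAuthentication

/// Asks the security agent to grant "system.privilege.admin", which is
/// satisfied only by an administrator credential. On success the caller
/// receives an AuthorizationRef that a privileged helper can verify
/// (for example after AuthorizationMakeExternalForm). Returns nil when
/// the user cancels or fails to authenticate. Note: for an app that is
/// not signed by Apple, the agent shows the password dialog and does not
/// offer Touch ID, which is the limitation discussed in this thread.
func requestAdminAuthorization() -> AuthorizationRef? {
    var authRef: AuthorizationRef?
    guard AuthorizationCreate(nil, nil, [], &authRef) == errAuthorizationSuccess,
          let auth = authRef else {
        return nil
    }

    // interactionAllowed: let the agent put up its dialog.
    // extendRights: actually grant the right, not just check it.
    // preAuthorize: reuse a recent grant instead of prompting again.
    let flags: AuthorizationFlags = [.interactionAllowed, .extendRights, .preAuthorize]

    let status: OSStatus = "system.privilege.admin".withCString { rightName in
        var item = AuthorizationItem(name: rightName, valueLength: 0, value: nil, flags: 0)
        return withUnsafeMutablePointer(to: &item) { itemPtr -> OSStatus in
            var rights = AuthorizationRights(count: 1, items: itemPtr)
            return AuthorizationCopyRights(auth, &rights, nil, flags, nil)
        }
    }

    guard status == errAuthorizationSuccess else {
        _ = AuthorizationFree(auth, [.destroyRights])
        return nil
    }
    return auth
}

/// For contrast: LocalAuthentication proves that the person at the keyboard
/// is the current user (Touch ID or the account password), but it says
/// nothing about whether that account is an administrator and yields no
/// AuthorizationRef, so it cannot by itself gate an admin-only operation.
func proveCurrentUser(reason: String, completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
        completion(false)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, _ in
        completion(success)
    }
}

// Usage (constructed): run the privileged step only once the admin right
// has actually been granted, then release the reference.
if let auth = requestAdminAuthorization() {
    // Hand `auth` to a privileged helper here (e.g. via AuthorizationMakeExternalForm).
    _ = AuthorizationFree(auth, [.destroyRights])
} else {
    // Authorization refused or cancelled: do not proceed.
}
```

The design point is that the admin check and the resulting AuthorizationRef come from the Authorization Services path, not from the LocalAuthentication one; a helper that performs the privileged work should verify the right again on its side rather than trusting that the UI process already prompted.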

Replies

Are there public APIs or services that allow checking for admin privileges and support Touch ID?

Not in the way that you’re looking for. See this thread for the details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
Hi tartempion, hope you're doing well!! I know this thread is old, but I too find myself wanting this functionality: use Touch ID to authenticate an administrator to spawn a privileged process as root.

You mentioned that the Startup Disk pane in System Preferences accomplishes this using private API. Were you able to replicate that, even if it meant using private API? If so, how?

My use-case is a locally-run personal project, so using private API is acceptable for my purposes. Thanks a bunch!!

You mentioned that the Startup Disk pane in System Preferences accomplishes this using private API.

This is keyed off the code signature of the ‘client’ app, that is, the security agent presents the Touch ID option if the requesting app is signed by Apple.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"