A quick-fix during Platform Single Sign-on testing for when users can’t unlock their Macs via Touch ID

Background
We’ve been testing multiple vendors’ implementations of Apple’s Platform Single Sign-on for the past few months.
During our testing, we inadvertently discovered that users can’t unlock their Macs via Touch ID when transitioning from one Platform SSO vendor to another.
The following quick-fix should get your users back to normal.
The Band-Aid Adhesive Bandage
First, check the output of security authorizationdb read system.login.screensaver pre- and post-Platform SSO configuration.
Pre-Platform SSO
% security authorizationdb read system.login.screensaver
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>comment</key>
	<string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
	<key>created</key>
	<real>782562015.96879303</real>
	<key>modified</key>
	<real>782562015.96879303</real>
	<key>rule</key>
	<array>
		<string>use-login-window-ui</string>
	</array>
	<key>version</key>
	<integer>1</integer>
</dict>
</plist>
YES (0)
Post-Platform SSO
❯ security authorizationdb read system.login.screensaver
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>comment</key>
	<string>Platform SSO is used to unlock the screen.</string>
	<key>created</key>
	<real>764547811.22102904</real>
	<key>modified</key>
	<real>780884142.38050401</real>
	<key>rule</key>
	<array>
		<string>psso-screensaver</string>
	</array>
	<key>version</key>
	<integer>0</integer>
</dict>
</plist>
YES (0)
One-liner
Now, when users opt out of our internal Beta Test program, we execute the following one-liner:

/usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui"
Script
Additionally, the following script may prove helpful:
PSSO Screen Saver Rule Reset (0.0.1).zsh
#!/bin/zsh --no-rcs
# shellcheck shell=bash
####################################################################################################
#
# PSSO Screen Saver Rule Reset
#
# Resets the screen saver rule to the organization's standard
#
# https://snelson.us
#
####################################################################################################
#
# HISTORY
#
# Version 0.0.1, 08-Sep-2025, Dan K. Snelson (@dan-snelson)
# - Original version
#
####################################################################################################
####################################################################################################
#
# Global Variables
#
####################################################################################################
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin/
# Script Version
scriptVersion="0.0.1"
# Client-side Log
scriptLog="/var/log/org.churchofjesuschrist.log"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Organization Variables
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Script Human-readable Name
humanReadableScriptName="PSSO Screen Saver Rule Reset"
# Organization's Script Name
organizationScriptName="SSRR"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Screen Saver Rule (the current value of the system.login.screensaver right, extracted from the plist)
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
screensaverRule=$( security authorizationdb read system.login.screensaver 2>/dev/null | sed -n '/<?xml/,/<\/plist>/p' | xmllint --xpath '//dict/key[text()="rule"]/following-sibling::array/string/text()' - 2>/dev/null )
####################################################################################################
#
# Functions
#
####################################################################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Client-side Logging
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
function updateScriptLog() {
    echo "${organizationScriptName} ($scriptVersion): $( date +%Y-%m-%d\ %H:%M:%S ) - ${1}" | tee -a "${scriptLog}"
}
function preFlight() { updateScriptLog "[PRE-FLIGHT] ${1}"; }
function logComment() { updateScriptLog " ${1}"; }
function notice() { updateScriptLog "[NOTICE] ${1}"; }
function info() { updateScriptLog "[INFO] ${1}"; }
function errorOut() { updateScriptLog "[ERROR] ${1}"; }
function error() { updateScriptLog "[ERROR] ${1}"; let errorCount++; }
function warning() { updateScriptLog "[WARNING] ${1}"; let errorCount++; }
function fatal() { updateScriptLog "[FATAL ERROR] ${1}"; exit 1; }
function quitOut() { updateScriptLog "[QUIT] ${1}"; }
####################################################################################################
#
# Pre-flight Checks
#
####################################################################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Client-side Logging
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
if [[ ! -f "${scriptLog}" ]]; then
    touch "${scriptLog}"
    if [[ -f "${scriptLog}" ]]; then
        preFlight "Created specified scriptLog: ${scriptLog}"
    else
        fatal "Unable to create specified scriptLog '${scriptLog}'; exiting.\n\n(Is this script running as 'root' ?)"
    fi
else
    # No-op so the else branch is never empty (an empty branch is a parse error)
    : # preFlight "Specified scriptLog '${scriptLog}' exists; writing log entries to it"
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Logging Preamble
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
preFlight "\n\n###\n# $humanReadableScriptName (${scriptVersion})\n# https://snelson.us/mhc\n###\n"
preFlight "Initiating …"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Confirm script is running as root
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
if [[ $(id -u) -ne 0 ]]; then
    fatal "This script must be run as root; exiting."
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Complete
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
preFlight "Complete"
####################################################################################################
#
# Program
#
####################################################################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Reset Screensaver Rule
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
case "$screensaverRule" in
    *"psso-screensaver"* | "" )
        notice "Screensaver rule is set to: $screensaverRule"
        security authorizationdb write system.login.screensaver "use-login-window-ui"
        # Re-read the right to confirm the write took effect
        screensaverRule=$( security authorizationdb read system.login.screensaver 2>/dev/null | sed -n '/<?xml/,/<\/plist>/p' | xmllint --xpath '//dict/key[text()="rule"]/following-sibling::array/string/text()' - 2>/dev/null )
        if [[ "$screensaverRule" == *"use-login-window-ui"* ]]; then
            notice "Screensaver rule successfully reset to use-login-window-ui."
            quitOut "Complete"
            exit 0
        else
            errorOut "Failed to reset screensaver rule to use-login-window-ui."
            exit 1
        fi
        ;;
    *"use-login-window-ui"* )
        notice "Screensaver rule is already set to: $screensaverRule"
        ;;
    *"Error"* )
        fatal "Error reading screensaver rule: $screensaverRule"
        ;;
    * )
        fatal "Screensaver rule is set to an unknown value: $screensaverRule"
        ;;
esac
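The script above depends on xmllint and on a live Mac to read the right. The following is an added example, not part of the original post or the author's script: a sed/awk-only version of the same rule extraction and decision logic that can be dry-run against captured output (the two samples below are constructed from the pre- and post-Platform SSO output shown earlier, trimmed to the keys that matter). It assumes the input is the output of security authorizationdb read, a pretty-printed plist with one element per line followed by a status line such as "YES (0)"; the function names (plist_body, extract_rule, classify_rule, classify_output, check_live) are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's or the author's code.
# Dependency-free (sed/awk) extraction of the "rule" array from
# `security authorizationdb read <right>` output, plus the reset decision.
# Assumption: a pretty-printed plist, one element per line, followed by a
# status line such as "YES (0)".

# Keep only the plist body between <?xml and </plist>; drops "YES (0)".
plist_body() {
    sed -n '/<?xml/,/<\/plist>/p'
}

# Print each <string> inside the <array> that follows <key>rule</key>,
# one per line. Relies on the one-element-per-line layout noted above.
extract_rule() {
    plist_body | awk '
        index($0, "<key>rule</key>") { inrule = 1; next }
        inrule && index($0, "</array>") { exit }
        inrule && index($0, "<string>") {
            s = $0
            sub(".*<string>", "", s)
            sub("</string>.*", "", s)
            print s
        }'
}

# Decide what to do with a rule value. Mirrors the case statement in the
# reset script: a PSSO-owned (or empty) right is reset, the organization
# standard is left alone, anything else is flagged for a human to look at.
classify_rule() {
    case "$1" in
        *psso-screensaver*|"") echo reset ;;
        *use-login-window-ui*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Constructed sample, trimmed from the post-Platform SSO output above.
SAMPLE_POST_PSSO='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>comment</key>
	<string>Platform SSO is used to unlock the screen.</string>
	<key>rule</key>
	<array>
		<string>psso-screensaver</string>
	</array>
	<key>version</key>
	<integer>0</integer>
</dict>
</plist>
YES (0)'

# Constructed sample, trimmed from the pre-Platform SSO output above.
SAMPLE_PRE_PSSO='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>rule</key>
	<array>
		<string>use-login-window-ui</string>
	</array>
	<key>version</key>
	<integer>1</integer>
</dict>
</plist>
YES (0)'

# Classify a captured output string end to end.
classify_output() {
    classify_rule "$(printf '%s\n' "$1" | extract_rule)"
}

# Live check on a Mac; returns 2 (skipped) where `security` is unavailable.
check_live() {
    command -v security >/dev/null 2>&1 || return 2
    classify_rule "$(security authorizationdb read system.login.screensaver 2>/dev/null | extract_rule)"
}

echo "post-PSSO sample: $(classify_output "$SAMPLE_POST_PSSO")"   # reset
echo "pre-PSSO sample:  $(classify_output "$SAMPLE_PRE_PSSO")"    # ok
```

Because the parsing is separated from the privileged write, the same functions can be used read-only (for example in a fleet inventory or a compliance check that reports Macs whose screensaver right still belongs to psso-screensaver) without touching the authorization database; only the reset itself needs root.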