TouchID preference pane does not load under High Sierra 10.13 with Active Directory mobile accounts

Originator: alexander.kaltsas
Number: rdar://34617535
Date Originated: 28-Sep-2017 09:38 AM
Status: Open
Resolved:
Product: macOS + SDK
Product Version: 10.13.0 17A365
Classification: Serious Bug
Reproducible: Always
 
Summary:
This is a duplicate of radar #34617535

The TouchID preference pane is unable to load on High Sierra GM (10.13.0 17A362a) on any TouchBar MacBook Pro that is bound to Active Directory and uses mobile accounts. This is a supported Active Directory configuration for macOS High Sierra; note that we are talking about mobile accounts, not portable home directories.

Steps to Reproduce:
- Install macOS High Sierra GM on a TouchBar MacBook Pro
- Bind machine to Active Directory
- Either configure the AD bind so that accounts are forced to create mobile home directories, or log in with an Active Directory account and choose to create a mobile home
- Attempt to open the TouchID preference pane

Expected Results:
The TouchID preference pane should open and allow configuring TouchID on the device

Actual Results:
The TouchID preference pane is not present.

Attempts to open it manually from /System/Library/PreferencePanes/TouchID.prefPane result in a dialog with the text:

You can’t open the “Touch ID” preferences pane because it is not available to you at this time.
To see this preferences pane, you may need to connect a device to your computer.

TouchID is functional on the device. Logging in to a local user account on the same machine (one not connected to AD) shows the pane, and it opens normally.

The root cause of this bug is a change in the logic inside the binary located at /System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref

The AllowPasswordPref executable is designated by TouchID.prefPane as the hardware-compatibility test for this preference pane, via this key in the Info.plist of TouchID.prefPane:

    <key>NSPrefPaneHardwareTest</key>
    <string>AllowPasswordPref</string>

AllowPasswordPref is executed and, if its exit status is 0, the OS considers the preference pane compatible and will load/display it; any other exit status hides the pane.
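The following POSIX shell script is an added diagnostic, not part of the original report or of Apple's code. It reproduces the gate described above for any preference pane bundle: it reads NSPrefPaneHardwareTest from the pane's Info.plist, runs the named executable from Contents/Resources, and reports whether the pane would be shown for the current user. Running it once as the affected AD mobile account and once as a local account confirms that the hardware test, and not something else, is what hides the pane. The function names and the return codes 2 and 3 are my own; the "exit 0 means compatible" rule is the one the report states. The sed fallback is an assumption so the script can also be exercised with XML plists on a non-macOS host; on a Mac, PlistBuddy is used, which also handles binary plists.

```shell
#!/bin/sh
# Diagnostic: replicate the NSPrefPaneHardwareTest gate for a preference pane.
# Example (hypothetical helper names; the gate semantics are from the report).

# Read a top-level string value from a plist by key.
# On macOS use PlistBuddy (handles binary plists); elsewhere fall back to a
# sed extraction that assumes an XML plist with <key>..</key><string>..</string>.
plist_string() {
    plist=$1; key=$2
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c "Print :$key" "$plist" 2>/dev/null
    else
        tr -d '\n' < "$plist" |
            sed -n "s/.*<key>$key<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p"
    fi
}

# Run the pane's hardware test and return:
#   0  test exited 0        -> System Preferences would show the pane
#   1  test exited non-zero -> pane hidden ("not available to you at this time")
#   2  no NSPrefPaneHardwareTest key -> pane is not gated at all
#   3  the named test executable is missing or not executable
prefpane_hardware_test() {
    pane=$1
    plist="$pane/Contents/Info.plist"
    test_name=$(plist_string "$plist" NSPrefPaneHardwareTest) || test_name=""
    if [ -z "$test_name" ]; then
        echo "$pane: no NSPrefPaneHardwareTest key; pane is not gated"
        return 2
    fi
    test_bin="$pane/Contents/Resources/$test_name"
    if [ ! -x "$test_bin" ]; then
        echo "$pane: hardware test '$test_name' missing or not executable"
        return 3
    fi
    # Run the test as the current user; its exit status is the whole verdict.
    "$test_bin" >/dev/null 2>&1 && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "$pane: '$test_name' exited 0; pane would load for $(id -un)"
        return 0
    fi
    echo "$pane: '$test_name' exited $status; pane would be hidden for $(id -un)"
    return 1
}

# Usage on an affected Mac, using the path from the report:
#   prefpane_hardware_test /System/Library/PreferencePanes/TouchID.prefPane
```

Compare the verdict between an AD mobile account and a local account on the same machine; a non-zero exit only for the mobile account points squarely at AllowPasswordPref's account check.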

My guess as to what logic is _attempting_ to happen here is that you're attempting to look for users that might have their home directory stored on an external thumb drive, which I can understand may not be compatible with TouchID biometric storage.

Two things:

- There is no reason that TouchID should be incompatible with mobile accounts locally stored on the device. This is definitely a bug.
- If it is no longer compatible with accounts that are stored on external media, then that information needs to be publicly documented somewhere, and it is not.

Number of devices affected: 2000
Impact of bug: Reduced/delayed adoption of 10.13 until this bug is corrected.

Version:
10.13.0 17A365

Comments

Fixed in 10.13.1 beta 2 17B35a

By frogor.fb.openradar at Oct. 11, 2017, 8:13 p.m.

Still persists in 17A405

By arjun.krishna at Oct. 9, 2017, 9:41 p.m.
