Touch ID for sudo on macOS

Apple added the ability to use Touch ID for sudo on the command line interface back in 2017 with High Sierra.

Since that time there have been numerous scripts published to make enabling this feature easier.

So, with apologies to the United States Marine Corps:

This is my script. There are many like it, but this one is mine.

Read on for the details.

/etc/pam.d/sudo

Originally, enabling this feature involved editing the /etc/pam.d/sudo file directly, which required care: a mistake there could leave sudo broken.

This file also gets reset after each OS update, which meant re-editing the file to re-enable the feature several times a year.

/etc/pam.d/sudo_local

In macOS 14 Sonoma, released late last year, Apple provided a clearer path with the new /etc/pam.d/sudo_local file. This file includes instructions for enabling Touch ID for sudo, survives OS updates and removes the risk of editing the sudo file directly.

My Script

Version 2 of my bash script is usable on current, past and likely future versions of macOS. It starts by checking the current macOS version and then edits the correct file automatically.

It includes options to query status as well as enable and disable Touch ID for sudo.

Jump over to my profile on GitHub to view the full script and let me know if you have any questions.

https://github.com/kevinmcox/macOS-Admin-Scripts/blob/main/TouchIDsudo.sh
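The steps the post describes (pick the right PAM file for the macOS version, then add, remove or look for the Touch ID line) in one added shell script. This is example code written for this page, not TouchIDsudo.sh from the linked repository. It assumes the Touch ID PAM module is `pam_tid.so`, that on macOS 14 and later `/etc/pam.d/sudo` contains an `auth include sudo_local` directive (which is what makes `sudo_local` take effect, so the script checks for that directive as well as the version), and it exposes a `PAM_DIR` variable, defaulting to `/etc/pam.d`, so the functions can be exercised against a scratch directory without root.

```shell
#!/bin/bash
# Added example for this page, not the post's TouchIDsudo.sh.
# Assumptions: pam_tid.so is the Touch ID PAM module; on macOS 14+ /etc/pam.d/sudo
# carries "auth include sudo_local" so /etc/pam.d/sudo_local is honoured.
# PAM_DIR lets the functions run against a scratch directory; real use is
#   sudo ./touchid-sudo.sh status|enable|disable

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
TID_LINE='auth       sufficient     pam_tid.so'
TID_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'
TID_COMMENTED_RE='^[[:space:]]*#[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

# Major macOS version from sw_vers; 0 on hosts that do not have it.
macos_major() {
  if command -v sw_vers >/dev/null 2>&1; then
    sw_vers -productVersion | cut -d. -f1
  else
    echo 0
  fi
}

# Choose the file to edit. sudo_local only works when /etc/pam.d/sudo includes it,
# so look for that directive first and fall back to the version number.
target_file() {
  local sudo_file="$PAM_DIR/sudo"
  if [ -f "$sudo_file" ] && grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+sudo_local' "$sudo_file"; then
    echo "$PAM_DIR/sudo_local"
  elif [ "$(macos_major)" -ge 14 ]; then
    echo "$PAM_DIR/sudo_local"
  else
    echo "$sudo_file"
  fi
}

# Exit 0 when $1 holds an active (uncommented) pam_tid line.
tid_enabled() {
  [ -f "$1" ] && grep -Eq "$TID_RE" "$1"
}

# Write stdin back over $1 via a temp file so the file's owner and mode
# (root, 444 for /etc/pam.d/sudo) are kept instead of replaced by mv.
rewrite_in_place() {
  local file="$1" tmp rc
  tmp="$(mktemp)" || return 1
  cat > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

tid_enable() {
  local file="$1"
  tid_enabled "$file" && return 0
  case "$(basename "$file")" in
    sudo_local)
      # Sonoma's template ships the line commented out: uncomment it, else append it.
      if [ -f "$file" ] && grep -Eq "$TID_COMMENTED_RE" "$file"; then
        sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1/' "$file" | rewrite_in_place "$file"
      else
        printf '%s\n' "$TID_LINE" >> "$file"
      fi
      ;;
    *)
      # Pre-Sonoma: the line must come before the other auth entries in sudo,
      # otherwise the required pam_opendirectory.so asks for a password first.
      [ -f "$file" ] || return 1
      awk -v line="$TID_LINE" '
        !done && /^[ \t]*auth/ { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$file" | rewrite_in_place "$file"
      ;;
  esac
}

# Comment the line out rather than delete it, so a template stays recognisable.
tid_disable() {
  local file="$1"
  tid_enabled "$file" || return 0
  sed -E "s/$TID_RE/#&/" "$file" | rewrite_in_place "$file"
}

main() {
  local file
  file="$(target_file)"
  case "${1:-}" in
    status)  if tid_enabled "$file"; then echo "enabled ($file)"; else echo "disabled ($file)"; fi ;;
    enable)  tid_enable "$file" && echo "enabled ($file)" ;;
    disable) tid_disable "$file" && echo "disabled ($file)" ;;
    *)       echo "usage: $0 status|enable|disable" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then
  main "$@"
  exit $?
else
  echo "usage: $0 status|enable|disable" >&2
fi
```

The `sufficient` control flag is what makes this safe to leave on: when Touch ID cannot be used (an SSH session, a terminal with no way to show the prompt), `pam_tid.so` fails and control falls through to the next `auth` entry, so sudo asks for the password as before. `rewrite_in_place` copies through a temp file rather than using `mv`, which would replace the root-owned, mode 444 sudo file with one owned by the invoking user.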

Munki NoPkg

I have also adapted this script into a Munki NoPkg.

This lets end users enable and disable the feature themselves from within Managed Software Center, which is especially helpful for end users who are not local admins.

The full plist is also available on my GitHub:

https://github.com/kevinmcox/Munki-NoPkgs/blob/main/TouchIDsudo-2.0.plist
