Unlock with Touch ID suggested despite system.login.screensaver being configured with authenticate-session-owner rule

Hello,

I’m working on a security agent plugin for Mac. The plugin provides a mechanism with custom UI via SFAuthorizationPluginView and a privileged mechanism with the business logic. The plugin needs to support unlocking the device, so I changed the authorize right to invoke my agent:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>class</key>
	<string>evaluate-mechanisms</string>
	<key>created</key>
	<real>731355374.33196402</real>
	<key>mechanisms</key>
	<array>
		<string>FooBar:loginUI</string>
		<string>builtin:reset-password,privileged</string>
		<string>FooBar:authenticate,privileged</string>
		<string>builtin:authenticate,privileged</string>
	</array>
	<key>modified</key>
	<real>795624943.31730103</real>
	<key>shared</key>
	<true/>
	<key>tries</key>
	<integer>10000</integer>
	<key>version</key>
	<integer>1</integer>
</dict>
</plist>

I also changed the system.login.screensaver right to use authenticate-session-owner:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>comment</key>
	<string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
	<key>created</key>
	<real>731355374.33196402</real>
	<key>modified</key>
	<real>795624943.32567298</real>
	<key>rule</key>
	<array>
		<string>authenticate-session-owner</string>
	</array>
	<key>version</key>
	<integer>1</integer>
</dict>
</plist>

I also set screenUnlockMode to 2, as was suggested in this thread: macOS Sonoma Lock Screen with SFAutorizationPluginView is not hiding the macOS desktop.

In the Display Authorization plugin at screensaver unlock thread, Quinn said that authorization plugins are not able to use Touch ID. However, on a MacBook with a Touch Bar, when I lock the screen, close the lid, and then open it, the Touch Bar invites me to unlock with Touch ID. If I choose to do so, the screen unlocks and I can interact with the computer, but the plugin UI stays on screen and never goes away, and after about 30 seconds the screen locks again. I can reliably reproduce it on a MacBook Pro with M1 chip running Tahoe 26.1.

Is this a known macOS bug? What can I do about it? Ideally, I would like to be able to integrate Touch ID into my plugin, but since that seems to be impossible, the next best thing would be to reliably turn it off completely.

Thanks in advance.
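An added example (not from the poster or from Apple) that audits the two rights described above against the configuration in the post: it parses the plist XML that `security authorizationdb read <right>` prints on macOS and reports any deviation in the mechanism chain or the screensaver rule. The plist text below is constructed inline to mirror the post; the plugin name FooBar is taken from it.

```python
import plistlib

# Constructed sample input mirroring the two rights quoted in the post; on macOS the
# same XML is what `security authorizationdb read <right>` prints.
AUTHENTICATE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>evaluate-mechanisms</string>
<key>mechanisms</key><array>
<string>FooBar:loginUI</string>
<string>builtin:reset-password,privileged</string>
<string>FooBar:authenticate,privileged</string>
<string>builtin:authenticate,privileged</string>
</array>
<key>shared</key><true/><key>tries</key><integer>10000</integer>
<key>version</key><integer>1</integer></dict></plist>"""
SCREENSAVER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>rule</key><array><string>authenticate-session-owner</string></array>
<key>version</key><integer>1</integer></dict></plist>"""

def parse_mechanism(spec: str) -> tuple[str, str, bool]:
    """Split 'Plugin:mechanism[,privileged]' into (plugin, name, privileged)."""
    head, _, flag = spec.partition(",")
    plugin, _, name = head.partition(":")
    return plugin, name, flag == "privileged"

def audit_authenticate(plist_bytes: bytes, plugin: str) -> list[str]:
    """Findings for the 'authenticate' right; an empty list means it matches the post."""
    right = plistlib.loads(plist_bytes)
    findings = []
    mechs = [parse_mechanism(m) for m in right.get("mechanisms", [])]
    # The UI mechanism runs unprivileged in the agent, exactly as listed in the post.
    if (plugin, "loginUI", False) not in mechs:
        findings.append(f"{plugin}:loginUI (unprivileged UI mechanism) missing")
    # The plugin's business-logic mechanism must carry the privileged flag.
    if (plugin, "authenticate", True) not in mechs:
        findings.append(f"{plugin}:authenticate is missing or not privileged")
    # The chain in the post ends with the builtin credential check; keep it last.
    if not mechs or mechs[-1] != ("builtin", "authenticate", True):
        findings.append("builtin:authenticate,privileged is not the final mechanism")
    return findings

def audit_screensaver(plist_bytes: bytes, expected: str = "authenticate-session-owner") -> list[str]:
    """Findings for system.login.screensaver; it should delegate to exactly one rule."""
    right = plistlib.loads(plist_bytes)
    findings = []
    if right.get("rule") != [expected]:
        findings.append(f"rule is {right.get('rule')}, expected [{expected}]")
    return findings
```

Running both audits after every `security authorizationdb write` gives a quick way to confirm that an OS update or another tool has not quietly reset either right.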

Answered by DTS Engineer in 880812022
Is this a known macOS bug?

I’m pretty sure I’ve seen this before. IIRC the problem was reported by a third-party developer and I found it super hard to reproduce, and thus I’m not sure if a bug got filed. Sorry to be vague about the details; I searched my records but was unable to track down the conversation.

Anyway, it sounds like you can easily reproduce this. Given that, I think it makes sense for you to file your own bug about it.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn, I have filed a bug report: FB22289735.
