The Apple Touch ID Policy allows administrators to manage biometric authentication settings on macOS, iOS, and iPadOS devices.
This includes control over Touch ID, Face ID, and the ability to restrict biometric unlocking, prevent fingerprint or face data modifications, and enforce authentication for AutoFill actions.
This policy is especially valuable in high-security environments or organizations with strict compliance requirements where biometric usage must be restricted or standardized.
Overview
Apple devices support biometric authentication such as Touch ID and Face ID, enabling fast and secure access.
However, in managed environments, administrators may need to:
Disable biometric unlocking
Prevent users from adding or removing biometric data
Force authentication before AutoFill of passwords or credit card information
Enforce supervised-only restrictions on iOS/iPadOS
The Apple Touch ID Policy offers centralized control to enforce consistent, secure biometric behavior across all managed devices.
Requirements
macOS 10.12.4+
iOS 7.0+
iPadOS 7.0+
Some settings require supervised devices
Face ID settings follow the same restrictions as Touch ID
Configurable Settings
Below is a detailed explanation of all available settings.
Allow Fingerprint For Unlock
Controls whether Touch ID or Face ID can be used to unlock the device.
| Setting | Description | Minimum Requirement |
| --- | --- | --- |
| True | Biometric unlocking is allowed. | macOS 10.12.4+, iOS 7+, iPadOS 7+ |
| False | Prevents unlocking with Touch ID or Face ID. | macOS 10.12.4+, iOS 7+, iPadOS 7+ |
Note:
On iOS/iPadOS, this restriction requires a supervised device. It is deprecated on unsupervised devices.
Allow Fingerprint Modification
Controls whether users can add, delete, or modify stored fingerprint or Face ID data.
| Setting | Description | Minimum Requirement |
| --- | --- | --- |
| True | Users may modify their biometric data. | macOS 10.14+, iOS 8.3+, iPadOS 8.3+ |
| False | Prevents adding or removing fingerprints or Face ID profiles. | macOS 10.14+, iOS 8.3+ (supervised), iPadOS 8.3+ (supervised) |
Important:
Requires a supervised device on iOS/iPadOS.
Force Authentication Before AutoFill
Controls whether the user must authenticate with biometrics or passcode before AutoFill can fill passwords or credit card information.
| Setting | Description | Minimum Requirement |
| --- | --- | --- |
| True | User must authenticate before AutoFill inserts credentials. | iOS 11+, iPadOS 11+ |
| False | AutoFill may operate without authentication. | iOS 11+, iPadOS 11+ |
| Null | No change — system uses user preference. | — |
Supported only on devices with Touch ID or Face ID.
Note:
If not enforced, users can toggle this setting in Settings → Passwords & Security.
Best Practices
Set Allow Fingerprint For Unlock = False for high-security or shared devices that should rely solely on passcodes.
Disable fingerprint/Face ID modification for environments where biometric enrollment must remain controlled.
Use Force Authentication Before AutoFill to ensure sensitive credentials cannot autofill without verification.
Combine with Apple Passcode Policy and Apple Security Policy for a comprehensive device security posture.
Supervise iOS/iPadOS devices for full enforcement of biometric restrictions.
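One way to check an exported configuration profile against the best practices above, as an added example that is not Swif's own code. It assumes the three settings are delivered as Apple's Restrictions payload (`com.apple.applicationaccess`) keys `allowFingerprintForUnlock`, `allowFingerprintModification` and `forceAuthenticationBeforeAutoFill`; the function name and the sample profile are constructed for illustration.

```python
import plistlib

# Assumed mapping: page setting names -> Apple Restrictions payload keys
# (PayloadType com.apple.applicationaccess). Baseline values follow the
# Best Practices list for a high-security or shared device.
BASELINE = {
    "allowFingerprintForUnlock": False,
    "allowFingerprintModification": False,
    "forceAuthenticationBeforeAutoFill": True,
}
# Settings the page says require a supervised device on iOS/iPadOS.
SUPERVISED_ONLY = {"allowFingerprintForUnlock", "allowFingerprintModification"}

# Constructed sample profile (not a real export): modification is left
# allowed and the AutoFill key is absent, i.e. the page's "Null" state.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowFingerprintForUnlock</key><false/>
    <key>allowFingerprintModification</key><true/>
  </dict></array>
</dict></plist>"""

def audit_biometric_profile(raw, supervised):
    """Return (key, finding) pairs for an iOS/iPadOS device's profile."""
    profile = plistlib.loads(raw)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    findings = []
    for key, wanted in BASELINE.items():
        if key not in merged:
            findings.append((key, "not set by this profile"))
        elif merged[key] is not wanted:
            findings.append((key, f"set to {merged[key]}, baseline is {wanted}"))
        elif key in SUPERVISED_ONLY and not supervised:
            findings.append((key, "correct value, but needs a supervised device"))
    return findings

if __name__ == "__main__":
    for key, finding in audit_biometric_profile(SAMPLE_PROFILE, supervised=False):
        print(f"{key}: {finding}")
```

An empty result means the profile matches the baseline and, for the supervised-only keys, that the device is able to enforce it.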
How to Configure
Go to Swif Admin Console → Policies → Create New Policy
Select Apple Touch ID Policy
Configure:
Biometric unlock behavior
Biometric data modification permissions
AutoFill authentication requirements
Click Continue
Assign the policy to devices or device groups
Save and apply
Devices will enforce these restrictions during the next MDM sync.
Compliance & Security Benefits
Ensures biometric settings are consistent and tamper-proof
Reduces risk of unauthorized access
Helps enforce strong authentication controls
Supports compliance frameworks like SOC 2, HIPAA, PCI DSS, FedRAMP, and ISO 27001
Prevents users from disabling important authentication safeguards
