Endpoint Protection

On all of our organizations brand-new Macbook Pro with Touch Bar, the Touch ID function is gone after updating to OSX 10.12.4 on machines that have SEP 14 MP1 installed. No reaction to finger presses, and trying to add a fingerprint results in a message "Unable to complete Touch ID setup". On devices that are already using the Fingerprint Unlock feature of touch ID, the machine is unable to restart at all.  They get stuck in an update loop that you have to boot into recovery mode to fix, which leads me to what I had to do to fix the issue, and is easily reporudcible to the point that I am certain SEP is causing this issue.

If you move the following daemons out of the launch daemons folder, 

cd /Library/LaunchDaemons/

rm com.symantec.symdaemon.NFM.plist

rm com.symantec.liveupdate.daemon.NFM.plist

update the mac to 10.12.4 and then replace the daemons back into LaunchDaemons and restart SEP 14 MP1 and the Touch ID features work perfectly. If you dont remove those daemons, or symantec from the mac, you cannot upgrade to OSX 10.12.14 without it causing the upgrade death loop, or touch ID to fail beyond use. We have many new Mac devices in our environment, and we are not the only people experiencing this issue. This reddit post was not by me, but was the only place I found anything that helped with this issue. 

https://www.reddit.com/r/applehelp/comments/5jrrqg/2016_macbook_pro_touchid_fails_touch_bar_os/?st=j15fgg6b&sh=ee185f8e

I assume this works as expected without SEP?

Have you opened a case with support sp they can do root cause analysis?

I have not because i've yet to have a good experience with support especially on complicated issues like this.  And you are correct, the update works fine without SEP installed. 

Is Device Control enabled? If so, have you tried disabling it?

Yes and yes, that was what I was hoping the issue was as it is a relatively new feature for Mac clients. 

Yeah, I had this happen to my new MacBooks and found the same reddit thread. Fastest way to set fire to brand new $3,000 Macs was to install SEP on them.

Symantec, please test SEP with touch-bar equipped Macs. 

Last time I ran into this issue was on 10.12.3 and haven't had a chance to test again.

It sounds like you upgraded to 10.12.4.

I did a fresh install of 10.12.4 on a touch-bar Mac and briefly installed a new copy of SEP 14 MP1 but wasn't able to immediately reproduce the problem, but I didn't have much time to test before I had to give the machine away.  Can you do some more testing here and see if it goes away? 

redhatnick, I have done lots of testing with this, and what I have found is this.

If symantec is installed on the mac, and functioning on boot of the mac during an update, the touch id will not upgrade, and will not function PERIOD. 

If you remove the Symantec launch daemons and reboot the computer, symantec won't start at boot, the update with work, and then you can put the launch daemons back and restart the device again.

After rebooting a thrid time, symantec and the touch ID will work. So basically you can't update your osx machines that have a touch bar while symatec is running, or the updates will fail, and so will the touch bar.

Same problem here on my macbook pro. I also have SEP 14MP1 installed  and when I updated the macbook to 10.12.4 the  touch Id was malfunctioning and the os x update failed.

I managed to get it working by clearing the nvram but when I updated today  to 10.12.5 the same problem occurred.

14 MP2 corrected the problem in our environment.

Fixed in 14 MP2, see here:

http://www.symantec.com/docs/TECH246589

Fixed in 14 MP2, see here:

http://www.symantec.com/docs/TECH246589

Fixed in 14 MP2, see here:

http://www.symantec.com/docs/TECH246589