Contents

Changelog

Why We're Removing the "Unlock Mac With Apple Watch" Check

Harlie Hardage
February 13th, 2023

Let’s start with the tl;dr: We’re taking down our “Unlock Mac With Apple Watch” check because the feature is a little buggy on Apple’s side and we can’t always reliably detect if it’s enabled or not. Instead of fully getting rid of it, we wanted to document the query so customers can make it into a custom check if they want.

Now for the details.

What Went Wrong With This Check

When we create a new check, a lot of research and testing goes into ensuring it works on devices with different configurations and setups. This one was no different, and at first it appeared that we did everything right.

We studied Apple’s feature documentation, located the plist that stored these configurations, and tested it against devices before sending this check off to the catalog.

But not long after it went live, a few customers reported that they continued to fail the check even after following our fix instructions to disable the unlock Mac with Apple Watch setting.

After some deeper research and troubleshooting with our customers, we found that pairing multiple watches with a Mac or updating your watch’s OS can lead to the plist data that doesn’t match up with the Settings UI. To be more specific, the plist we pull data from would sometimes store old watches (or old data for current watches), and this old data would report that the unlock feature was still on. Meanwhile (and frustratingly for users), the settings UI would say the feature was turned off or not even show that an Apple watch was paired.

While there are some suggested fixes for this buggy behavior online, we couldn’t find anything from Apple that directly addressed this. Because we don’t have a more reliable way of detecting if this feature is enabled, and there’s also no fix publicly approved by Apple, we determined it was time our “Unlock Mac with Apple Watch” check was laid to rest.

What To Do if You Still Want To Disable “Unlock Mac with Apple Watch”

If you’re still concerned about the Apple Watch unlock feature being enabled in your fleet, fear not! We’re sharing our SQL query so you can recreate it in the custom check editor. (If this is your first run-in with our editor, you can find a guided tour in this blog post.)

Here’s where we have to give our disclaimer. We decided to remove this check from our catalog because the bug was common enough that we didn’t feel confident in its accuracy. Depending on the size of your Mac fleet and who uses this feature, you may only run into this problem a few times or not at all. Be aware that if a device continues to fail even after this setting has been turned off, it’s likely caused by this bug.

The suggested fixes we found online were not backed by Apple, so we highly recommend you contact Apple directly to resolve these issues. Or, if you’re not noticing odd behavior with the Apple Watch unlock feature and it appears to be just a reporting problem, your staff can request an exemption directly within Kolide.

In conclusion: it’s never fun to backtrack on our own work, but we wanted to be transparent about why we’re doing it. Naturally, we’ll also keep you posted if we’re able to put the check back up. The best case scenario is that the underlying plist issue will eventually be fixed and we’ll get another bite at…the Apple.

WITH
_liu AS (
SELECT
  user AS username,
  IIF(type = 'user', TRUE, FALSE) AS logged_in,
  MAX(CASE WHEN tty = 'console' AND type = 'user' THEN TRUE ELSE FALSE END) AS desktop_session
FROM logged_in_users
GROUP BY username
),
_human_users AS (
SELECT uid, username, directory, shell, uuid
FROM users
WHERE
    SUBSTR(uuid, 1, 8) != 'FFFFEEEE'
      AND shell NOT IN (
        '/sbin/nologin',
        '/usr/bin/false'
      )
      AND username != '_mbsetupuser'
ORDER BY uid
LIMIT 50
),
merge_user_data AS (
  SELECT
  uid, username, directory, shell, uuid,
    IIF(logged_in ISNULL, FALSE, logged_in) AS logged_in,
    IIF(desktop_session ISNULL, FALSE, desktop_session) AS desktop_session
  FROM _human_users LEFT JOIN _liu USING(username)
),
auto_unlock AS (
  SELECT
  mud.*,
  MAX(CASE WHEN key = 'Pairing ID' THEN 'true' ELSE 'false' END) AS pairing_set_present
  FROM merge_user_data mud
  LEFT JOIN kolide_plist ON path = directory || '/Library/Sharing/AutoUnlock/pairing-records.plist'
  GROUP BY username
),
failure_logic AS (
  SELECT username, logged_in, desktop_session, pairing_set_present,
  CASE
    WHEN pairing_set_present = 'true' THEN 'FAIL'
    WHEN pairing_set_present = 'false' THEN 'PASS'
    ELSE 'UNKNOWN'
    END AS KOLIDE_CHECK_STATUS
   FROM auto_unlock
)
SELECT * FROM failure_logic;

Create your own Unlock Mac With Apple Watch using this query in our custom check editor.

Share this story:

More articles you
might enjoy:

Changelog
Introducing Mobile Checks
Jason Meller
Changelog
Better Together: New 1Password Checks
Jason Meller
Changelog
Our New CrowdStrike Falcon Check
Jason Meller
Watch a Demo
Watch a Demo