Administrator Authorization to Install Tunnelblick and Configurations
Why authorization by an administrator is needed to install Tunnelblick
Authorization by a computer administrator is required to install Tunnelblick because macOS requires elevated privileges to make changes to the network configuration. Some parts of Tunnelblick need to make changes to the network configuration to connect and disconnect VPNs, so those parts require elevated privileges. Those parts of Tunnelblick are run as root so macOS will allow the changes. To set up these parts of Tunnelblick to run as root, Tunnelblick needs authorization from a computer administrator.
Why authorization by an administrator may be needed to install configurations
The parts of Tunnelblick that run as root include OpenVPN, and OpenVPN can run scripts specified by the configuration. These scripts also run as root, so if a standard user (a non-administrator user) is able to modify the configuration, they could set up the configuration to run scripts as root.
Tunnelblick prevents this by always requiring authorization by a computer administrator to make changes to the configuration that could cause scripts to be run.
Tunnelblick includes the ability allow standard users to install or make changes to "safe" configurations (configurations which do not run scripts) without a computer administrator's authorization. That ability is disabled by default, and is controlled by the "Require administrator authorization to install all configurations" checkbox. If it is unchecked, "safe" configurations can be installed or modified by a standard user; only "unsafe" configurations (those which run scripts) will require computer administrator authorization to be installed or modified. A computer administrator's authorization is required to change the checkbox.
How Tunnelblick obtains authorization
Tunnelblick does not ask for a computer administrator's password -- macOS does
When Tunnelblick requires authorization from a computer administrator, it asks macOS for that authorization. macOS presents the user with a window asking for the password (or, if the user is not an administrator, an administrator name and password). If the password is correct and for a computer administrator, macOS gives Tunnelblick an authorization token, and Tunnelblick uses that token to perform privileged operations. Tunnelblick itself does not have access to the password.
Why Touch ID cannot be used for authorization by Tunnelblick
Tunnelblick uses a macOS authorization mechanism that does not support Touch ID. (As described above, this mechanism is used so that Tunnelblick does not have access to passwords.)
Tunnelblick's "admin mode" allows changes to be made for five minutes without further authorization
Tunnelblick has an "admin mode" which, after obtaining authorization by a computer administrator, allows any changes that would usually require such authorization to be made for five minutes without further authorization. The limit of five minutes is imposed by macOS and cannot be changed by Tunnelblick.
To enter admin mode, click the "Admin mode" button at the top of the "VPN Details" window. After obtaining authorization from a computer administrator, the button will display the time remaining in "admin mode". Click the button again to cancel the admin mode. If not cancelled manually, admin mode will be cancelled automatically five minutes after it started.