Posted on 02-04-2020 09:38 AM
Hi All! I finally figured out how to enable (show) private data in Unified Logs in 10.15.3+ now that cmdReporter's private API tricks have been disabled and thought I should share.
You can load this config profile locally with no issue, but this config profile needs to be signed before uploading to Jamf with something like:
/usr/bin/security cms -S -Z "$SIGNING_CERTIFICATE" -i "$UNSIGNED_PROFILE_PATH" -o "$SIGNED_PROFILE_PATH"
Testing:
log stream --predicate '(subsystem == "com.apple.AccountPolicy")'
Unlock a system preference pane, you should not see any "<private>" entries and see full details about user and record type.
And here is the actual profile:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>ManagedClient logging</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.logging.ManagedClient.1</string>
<key>PayloadType</key>
<string>com.apple.system.logging</string>
<key>PayloadUUID</key>
<string>ED5DE307-A5FC-434F-AD88-187677F02222</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>System</key>
<dict>
<key>Enable-Private-Data</key>
<true/>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Enable Unified Log Private Data logging</string>
<key>PayloadDisplayName</key>
<string>Enable Unified Log Private Data</string>
<key>PayloadIdentifier</key>
<string>C510208B-AD6E-4121-A945-E397B61CACCF</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D30C25BD-E0C1-44C8-830A-964F27DAD4BA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
03-25-2024 07:27 PM - edited 03-25-2024 07:33 PM
Hi @cmdGriggs - does this still work for you? On ventura it just gave the result below after I manually added the configuration profile on a test machine. The log entries happened when I unlocked Directory Utility via System Settings > Users & Groups > Network account server > Edit
log stream --predicate '(subsystem == "com.apple.AccountPolicy")'
Filtering the log data using "subsystem == "com.apple.AccountPolicy""
Timestamp Thread Type Activity PID TTL
2024-03-26 10:23:40.684354+0800 0x773 Default 0xa4fe 128 0 opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: Evaluation result for record "<private>", record type "dsRecTypeStandard:Users": Success
2024-03-26 10:23:40.688889+0800 0x773 Default 0xa519 128 0 opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: Evaluation result for record "<private>", record type "dsRecTypeStandard:Users": Success