Search JAMF Logs

New Contributor III

Hello All!

We are running a policy that resets the password on a particular account every month.  Its works on some machines but doesnt work on others. The policy returns the logs and lists this error on the machines it DOESNT work on:

Script result: Setting username for API update
Setting password for API update 2024-04-02 09:13:09.326 sysadminctl[24327:1393264] ### Error:-14167 File:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/ Line:377 2024-04-02 09:13:09.327 sysadminctl[24327:1393264] Operation is not permitted without secure token unlock.


Im trying to get an idea of how many machines this error is happening on. I thought that this error would be documented in the jamf log in /private/var/jamf so I figured I would make an EA that searches that log for the error, but I came to find find out that the error is NOT documented in that log or any log on the Mac (as far as I can see).  I I think its only documented in our JAMF server.  Can anyone think of anyway was can either search the logs in our policy logs in our JAMF server for this particular error (Error:-14167) or find some other way to use smart groups to find out what Macs this error is happening on?  




Honored Contributor II

Its likely reported in macOS Unified Logs, and would be in the However, that is not generally useful unless you are watching the device when it happens or have log redirection to something like splunk.


Have you checked the /var/log/install.log? Pretty much anything that attempts to install gets logged in that.

New Contributor III

I do have the install.log but it only goes back one hour.  I guess it clears itself every hour and this error would have been reported this morning at 9am.