The importance of Unified Logs
With each release of macOS more and more logs are migrated to the new database-style which means more and more information is subject to Apple’s privacy controls. With default settings unified logs are nearly useless for security purposes.
Up until very recently it was not easy to reveal data Apple marks as private at scale.
What is in the <private> fields of unified logs?
The data that is marked private in unified logs is typically the details about an action that could identify the user or computer.
In most cases, enterprise software running on company-owned computers do not have these same privacy concerns. In fact, MDM tools have access to far more information about a user and computer than unified log private data would provide.
In my opinion, unified logs private data is only private in the context of a personal use computer and not in the context of a company-owned machine used for work. I actually strongly agree with Apple’s default log privacy settings to help protect personal-use computers from unscrupulous personal data collection.
Example log data
# Here is what it looks like by default (hidden): AuthenticationAllowed: Evaluation result for record "<private>", record type "<private>": Success # And the same with private data enabled (shown) AuthenticationAllowed: Evaluation result for record "dan", record type "users": Success
The most reliable way to test private data in logs is to trigger an authentication prompt.
My current favorite harmless way to trigger an authentication prompt is locking/unlocking the “Users and Groups” preference pane.
From terminal you can run the following to view authentication prompts
# This will show both failed and successful authentication attempts. # This is not the cleanest search for this info, but it works for this. sudo log stream --predicate '(subsystem == "com.apple.opendirectoryd") && (senderImagePath == "\/System\/Library\/OpenDirectory\/Modules\/PlistFile.bundle\/Contents\/MacOS\/PlistFile")'
NOTE: Before deploying the profile
You will need to sign the profile before uploading to MDM tools like Jamf or Mosyle as they do not to my knowledge currently support this profile key.
If you upload an unsigned profile the MDM tool will change the profile in a way that breaks the private data settings.
The certificate that signs the configuration profiles is only important in that users could potentially see the name of the certificate that signed the profile.
How to sign a configuration profile
# Find profiles that can be used to sign in the keychain /usr/bin/security find-identity -p codesigning -v # Example output: # 22DC6A88856D5C082954D1F01H7EJ12FA4264E47 "Developer ID Application: cmdSecurity inc (26HM594V7Q)" # Use one of the certificates listed like so to sign the profile # I have used the example output above to fill in this example command /usr/bin/security cms -S -Z "22DC6A88856D5C082954D1F01H7EJ12FA4264E47" -i "/Path/to/unsigned/profile.mobileconfig" -o "/output/path/for/new/signed/profile.mobileconfig"
Profile to enable (reveal) private data
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadDisplayName</key> <string>ManagedClient logging</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>com.apple.logging.ManagedClient.1</string> <key>PayloadType</key> <string>com.apple.system.logging</string> <key>PayloadUUID</key> <string>ED5DE307-A5FC-434F-AD88-187677F02222</string> <key>PayloadVersion</key> <integer>1</integer> <key>System</key> <dict> <key>Enable-Private-Data</key> <true/> </dict> </dict> </array> <key>PayloadDescription</key> <string>Enable Unified Log Private Data logging</string> <key>PayloadDisplayName</key> <string>Enable Unified Log Private Data</string> <key>PayloadIdentifier</key> <string>C510208B-AD6E-4121-A945-E397B61CACCF</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>D30C25BD-E0C1-44C8-830A-964F27DAD4BA</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>