Logging

There are several different processes related to profile installation and MDM command acknowledgement. The easiest option is to download this Logging Profile for macOS 10.12 and higher.

MDM Debugging

Commands:

sudo touch /var/db/MDM_EnableDebug

In macOS 10.12 you can configure the logging subsystem via a configuration profile (as above) or by using the log utility like so:

sudo log config --subsystem com.apple.ManagedClient --mode="level:debug,persist:debug"

You will probably want to reset this back to normal so that debug logs are not persisted like so:

sudo log config --subsystem com.apple.ManagedClient --reset

MCX

Note

Some parts of ManagedClient don’t use Unified Logging so you’ll probably need to enable this also.

Log Location
/Library/Logs/ManagedClient/ManagedClient.log

Commands:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

Unified Logging Predicates

Various predicates can be directly entered into the Console.app and saved.

Note

Sometimes if you search by process name, you get a lot of noise. Example: searching for mdmclient forces you to wade through a ton of push service notifications.

Some useful predicates:

  • subsystem:com.apple.ManagedClient Messages in this category cover a broad range of profile installation messages.
  • subsystem:com.apple.securityd Interactions with the keychain
  • category:SCEP.fw SCEP network requests only (no warnings on signature verification etc).

Payload specific combinations:

  • subsystem:com.apple.ManagedClient library:Certificate Certificate payload messages