Detecting successful MDM command execution on macOS Sequoia
One of the challenges in figuring out why a Mac isn’t responding to MDM commands is sometimes just figuring out if the Mac is receiving MDM commands at all. Fortunately, this can be determined from the unified system log by searching with the right predicates.
To start, send an MDM command to the device in question. If your MDM server says it sent successfully, see what shows up on the Mac’s end using the following command:
/usr/bin/log show --predicate 'process=="mdmclient" OR subsystem=="com.apple.ManagedClient"' --info --last 10m
This will likely give you a large number of log entries, but it’s possible to filter for what you’re looking for. For example, a blank push remote command sent from a Jamf Pro MDM server will include a log entry that looks similar to this:
2024-12-21 13:04:21.263154-0500 0x4d0d Default 0x0 1738 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0x4d0d>] Processing server request: DeclarativeManagement for: <Device> (3fb48527-9aaa-492d-94fc-efd999d812a3) PowerNap: no
Since the log entry shows that the relevant process is mdmclient and that the message includes “Processing server request: DeclarativeManagement for”, if you know you sent a blank push within the last ten minutes, you can use the following command to check whether the entry appears in the returned logs:
/usr/bin/log show --info --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"' --last 10m
That should pull up the relevant log entry:
username@computername ~ % /usr/bin/log show --info --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"' --last 10m
Filtering the log data using "process == "mdmclient" AND composedMessage CONTAINS "Processing server request: DeclarativeManagement for""
Skipping debug messages, pass --debug to include.
Timestamp Thread Type Activity PID TTL
2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
--------------------------------------------------------------------------------
Log - Default: 1, Info: 0, Debug: 0, Error: 0, Fault: 0
Activity - Create: 0, Transition: 0, Actions: 0
username@computername ~ %
From there, we can see the UUID identifier of the MDM command. In this example, the UUID is the following:
a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32
We can then use that to figure out from the Mac’s side if the MDM command was successful by running the following command:
/usr/bin/log show --predicate 'process=="mdmclient" AND eventMessage contains "a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32"' --info --last 10m
From there, we should see output that looks similar to what’s shown below:
username@computername ~ % /usr/bin/log show --predicate 'process=="mdmclient" AND eventMessage contains "a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32"' --info --last 10m
Filtering the log data using "process == "mdmclient" AND composedMessage CONTAINS "a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32""
Skipping debug messages, pass --debug to include.
Timestamp Thread Type Activity PID TTL
2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
2024-12-21 14:18:44.256439-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] >>>>> Sending HTTP request (PUT) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] >>>>>
2024-12-21 14:18:44.383839-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] <<<<< Received HTTP response (200) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] <<<<<
--------------------------------------------------------------------------------
Log - Default: 3, Info: 0, Debug: 0, Error: 0, Fault: 0
Activity - Create: 0, Transition: 0, Actions: 0
username@computername ~ %
If the blank push command was successful, we should see three log entries like the ones that showed up in the output above:
2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
2024-12-21 14:18:44.256439-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] >>>>> Sending HTTP request (PUT) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] >>>>>
2024-12-21 14:18:44.383839-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] <<<<< Received HTTP response (200) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] <<<<<
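The correlation walked through above (request seen, acknowledgement sent, HTTP response received) can be scripted. The following is an added example, not code from the original post: the function names `sample_log` and `mdm_command_status` and the status labels are hypothetical, the second sample command is constructed, and the parser assumes entries follow the blank push pattern shown in this post.

```shell
#!/bin/sh
# Added example. Function names and status labels are hypothetical.

# Constructed sample: the three entries shown above, plus one made-up
# request (placeholder UUID) that never gets an acknowledgement.
sample_log() {
cat <<'EOF'
2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
2024-12-21 14:18:44.256439-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] >>>>> Sending HTTP request (PUT) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] >>>>>
2024-12-21 14:18:44.383839-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] <<<<< Received HTTP response (200) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] <<<<<
2024-12-21 14:19:02.000000-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (00000000-0000-4000-8000-000000000001) PowerNap: no
EOF
}

# Reads `log show` text on stdin and prints "<command UUID> <status>",
# one line per request, in the order the requests were seen.
# On a Mac:
#   /usr/bin/log show --info --last 10m --predicate 'process=="mdmclient"' | mdm_command_status
mdm_command_status() {
  awk '
    # Step 1: the request arrives; the command UUID is in parentheses.
    /Processing server request:/ && match($0, /\([0-9a-fA-F]+-[0-9a-fA-F-]+\)/) {
      id = substr($0, RSTART + 1, RLENGTH - 2)
      if (!(id in state)) order[++n] = id
      state[id] = "received-only"
      next
    }
    # Steps 2 and 3: the PUT carrying the acknowledgement, then the reply.
    /\[Acknowledged\(/ && match($0, /\):[0-9a-fA-F-]+\]/) {
      id = substr($0, RSTART + 2, RLENGTH - 3)
      if (!(id in state)) next   # request fell outside the log window
      if ($0 ~ /Sending HTTP request/)
        state[id] = "ack-sent-no-response"
      else if (match($0, /response \([0-9]+\)/))
        state[id] = "ack-http-" substr($0, RSTART + 10, RLENGTH - 11)
    }
    END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }
  '
}

# Demonstration on the constructed sample.
sample_log | mdm_command_status
```

A command left at `received-only` or `ack-sent-no-response` is the one to investigate; `ack-http-200` matches the successful three-entry sequence shown above.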
Different MDM commands will have different output, but if you’re using Jamf Pro and need to figure out if a particular Mac is receiving MDM commands successfully, the process described above should assist with this. If you want to stream the logs in real time, so that you can check the logs as you’re sending a blank push command, you can use the following:
/usr/bin/log stream --info --debug --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"'
That should provide output similar to what’s shown below when you send a blank push:
username@computername ~ % /usr/bin/log stream --info --debug --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"'
Filtering the log data using "process == "mdmclient" AND composedMessage CONTAINS "Processing server request: DeclarativeManagement for""
Timestamp Thread Type Activity PID TTL
2024-12-21 14:36:11.577917-0500 0xdad8 Default 0x0 3139 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xdad8>] Processing server request: DeclarativeManagement for: <Device> (fe514cb5-cee6-44c5-88a2-e9247c89f1ba) PowerNap: no
Hat tip to Bryson and his teammates for figuring out most of this and sharing it with me.