Enabling the Ability to See Private Log Entries in macOS Logs

For some dumb reason, Apple has decided that an admin cannot see useful information in the logs of the Mac. I’m sure there is some security justification they have, but when security becomes such that usability is not there, then it serves no purpose.

There is no simple way to enable viewing of the private data; however, it is possible by creating and installing a profile that sets the “Enable-Private-Data” mode on the logging system. I have not been able to find a way to do it via the log command as you could in earlier versions of macOS.

If you copy this XML into a file with the .mobileconfig extension and then double-click it, it will add the profile to your OS. You still need to go into System Preferences, under Profiles, and install it for it to take effect.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>ManagedClient logging</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>com.apple.logging.ManagedClient.1</string>
      <key>PayloadType</key>
      <string>com.apple.system.logging</string>
      <key>PayloadUUID</key>
      <string>C349C988-A035-11EC-AD1B-2AC678CC75F3</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>System</key>
      <dict>
        <key>Enable-Private-Data</key>
        <true/>
      </dict>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Enable Unified Log Private Data logging</string>
  <key>PayloadDisplayName</key>
  <string>Enable Unified Log Private Data</string>
  <key>PayloadIdentifier</key>
  <string>CF774C76-A035-11EC-AA39-2AC678CC75F3</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>DCF03908-A035-11EC-B8CD-2AC678CC75F3</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist> 

Now if you view the logs, you should be able to see all the data that was showing as “<private>” before. Just remove the profile to go back to the (stupid) default setting.
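
As an added example (not part of the original post), this Python script parses an unsigned .mobileconfig like the one above and reports whether any com.apple.system.logging payload sets Enable-Private-Data, which is handy for reviewing a profile before installing it or for auditing profiles collected from managed Macs. The sample profile, its placeholder UUID and the function name audit_profile are constructed for illustration.

```python
import plistlib

LOGGING_TYPE = "com.apple.system.logging"

# Constructed sample: a trimmed copy of the profile above with a placeholder UUID.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.system.logging</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>System</key>
      <dict>
        <key>Enable-Private-Data</key><true/>
      </dict>
    </dict>
  </array>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
</dict>
</plist>"""


def audit_profile(data: bytes) -> dict:
    """Report whether an unsigned .mobileconfig turns on unified-log private data."""
    profile = plistlib.loads(data)  # raises on malformed XML/plist input
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    enabling = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != LOGGING_TYPE:
            continue
        # Require a plist boolean <true/>; anything else is reported as not enabling.
        if payload.get("System", {}).get("Enable-Private-Data") is True:
            enabling.append(payload.get("PayloadUUID", "<no UUID>"))
    return {
        "enables_private_data": bool(enabling),
        "payload_uuids": enabling,
        "removable": not profile.get("PayloadRemovalDisallowed", False),
        "scope": profile.get("PayloadScope"),
    }


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

To check a real file, pass its bytes: `audit_profile(open(path, "rb").read())`, where `path` is the .mobileconfig you saved.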
