Self Service+ logs all elevation events in the Unified Logs under the category PrivilegeElevation. Enabling the User Promotion Reason (UserPromotionReason) setting creates an ElevationReasons log file in the Self Service+ logs directory, which records the user requesting elevation, the reason for the elevation, and time stamps of the elevation request.
A Self Service+ configuration with privilege elevation enabled.
Administrators can gather privilege elevation logs locally using the log binary in macOS. The following example commands show all Self Service+ privilege elevation log messages directly in a Terminal window:
log stream --style compact --predicate '(subsystem == "com.jamf.connect.daemon.ssp") && (category == "PrivilegeElevation")'
log stream --style compact --predicate '(subsystem == "com.jamf.connect") && (category == "PrivilegeElevation")'
Administrators can also use Jamf Protect's Unified Log Filters to automatically collect logs from Jamf Connect privilege elevation events and send them directly from the computer to a configured SIEM integration. See jamf / jamfprotect (GitHub) for available Unified Log Filters to add to Jamf Protect. SIEM administrators can parse the privilege elevation logs sent by Jamf Protect by querying the source for the following messages:
Checking for existing elevation timers for [user]
Failed to check elevation time remaining because no user elevation previously occurred.
No running elevation timers for [user]
User elevation time remaining: [duration in minutes:seconds]
[user] has reached their maximum amount of elevations for this month
Request Admin Privileges menu item selected
Privilege Elevation limit has been set
No promotion roles or groups found
Elevation blocked by group - user's roles are not listed in UserPromotionRole
Elevation duration specified by group lookup [duration in minutes] minutes
Elevation blocked by group lookup - default elevation time of 0
[user] elevated to admin for stated reason: [reason]
User [user] elevated to admin for [duration in minutes] minutes
Added user [user] to admin group.
[user]'s elevations this month: [no. of monthly elevations]
Removed user [user] from admin group
User [user] has been demoted back to standard macOS user
[user] has reached their maximum amount of elevations for this month.
In the event that a user attempts to enable privilege elevation by modifying preferences in their home library, the system logs will indicate this information with a message similar to the following:
2024-03-07 09:38:01.529 E JCDaemon[246:21ee] [com.jamf.connect.daemon:PrivilegeElevation] Privilege elevation requested but not enabled at the device level. A user has likely attempted to enable elevation without admin knowledge.
The launch daemon from Self Service+ ignores user-level preferences and will prevent unexpected elevations.
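One way to parse the messages listed above on the SIEM side, including the device-level warning, and to flag elevations that have no matching demotion. This is an added example, not Jamf's code: the line layout is assumed from the sample message on this page, and the event names, users, and sample lines are constructed.

```python
import re

# Compact-style layout, assumed from the page's sample message:
# date time level process[pid:tid] [subsystem:category] message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<level>\S+)\s+"
    r"[^\[\s]+\[[^\]]*\]\s+\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\]\s+(?P<msg>.*)$"
)

# Message templates from the list above; the event names are this example's own.
RULES = [
    ("elevated", r"User (?P<user>\S+) elevated to admin for (?P<minutes>\d+) minutes"),
    ("reason", r"(?P<user>\S+) elevated to admin for stated reason: (?P<reason>.*)"),
    ("demoted", r"User (?P<user>\S+) has been demoted back to standard macOS user"),
    ("limit_reached", r"(?P<user>\S+) has reached their maximum amount of elevations"),
    ("blocked", r"Elevation blocked by group"),
    ("not_enabled", r"Privilege elevation requested but not enabled at the device level"),
]

def parse_line(line):
    m = LINE.match(line.strip())
    if not m or m["category"] != "PrivilegeElevation":
        return None  # header lines, other categories, unparseable input
    for name, pattern in RULES:
        hit = re.match(pattern, m["msg"])
        if hit:
            return {"ts": m["ts"], "event": name, **hit.groupdict()}
    return {"ts": m["ts"], "event": "other"}

def summarize(lines):
    """Pair elevations with demotions and collect events worth an alert."""
    events = [e for e in map(parse_line, lines) if e]
    still_admin = set()
    for e in events:
        if e["event"] == "elevated":
            still_admin.add(e["user"])
        elif e["event"] == "demoted":
            still_admin.discard(e["user"])
    alerts = [e for e in events if e["event"] in ("limit_reached", "blocked", "not_enabled")]
    return {"events": events, "still_admin": sorted(still_admin), "alerts": alerts}

# Constructed sample lines (users, times and level codes are made up).
PREFIX = "JCDaemon[246:21ee] [com.jamf.connect.daemon:PrivilegeElevation]"
SAMPLE = [
    f"2024-03-07 09:30:00.100 Df {PREFIX} alice elevated to admin for stated reason: Install driver",
    f"2024-03-07 09:30:00.200 Df {PREFIX} User alice elevated to admin for 15 minutes",
    f"2024-03-07 09:31:10.000 Df {PREFIX} User bob elevated to admin for 30 minutes",
    f"2024-03-07 09:38:01.529 E {PREFIX} Privilege elevation requested but not enabled at the device level.",
    f"2024-03-07 09:45:00.300 Df {PREFIX} User alice has been demoted back to standard macOS user",
]
```

Calling summarize(SAMPLE) reports bob as still elevated at the end of the window and raises one alert for the device-level warning.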
Jamf recommends only deploying the privilege elevation feature to users who will not put your organization at risk with administrator privileges.
Accessing privilege elevation log information will now assist in identifying all records of elevation in your organization.