When you use the eslogger command line tool to dump 'profile add' and 'profile remove' notify events, the instigator process seems to always be reported to be the mdmclient process whatever the "real" instigator is:
[Q] Is this expected?
Because for another family of notify events where there is also an instigator field, the instigator points to the "real" instigator.
I think you could reasonably argue that the configuration profile subsystem should do a better job of surfacing the instigator to ES. If you want to make that case, I recommend that you put it in a a bug report.
Please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Feedback ticket created: FB13751871
For the record, the "problem" is at the Endpoint Security framework level. I checked with an ES client and eslogger is correctly reporting the data it's getting for the instigator field.
Hmmm, that’s weird. AFAICT eslogger uses the ES API, so I wouldn’t expect to see different behaviour between it and your ES client.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
