Troubleshooting profile deployments

When a deployment fails, you can determine the cause of the error by viewing the available logs and error code information.

Profile Management stores information about deployment actions on the BigFix server, on the WebUI Server, and on the devices to help you understand the cause of an error.

Unable to remove profile with restrictions via MCM Remove policy

If you have created and deployed restrictions profile through Profile Management application (deprecated) from WebUI, it installs the profiles locally on the endpoint. In this case, if you try to remove the restrictions through WebUI > Apps > MDM > Remove Policy action, it does not work. However, you can remove such policies from the endpoint, through the following local commands on the command line.

  1. To list out profile identifiers
    sudo profiles -P
  2. To remove profiles with the given $profile_identifier
    sudo profiles -R -p $profile_identifier

WebUI Server Log files

On the WebUI server, you can view information about errors that occur when profiles are saved and the corresponding fixlet is created and submitted to the BigFix Server. Log files are stored in the following locations:
  • Windows: \\Program Files (x86)\BigFix Enterprise|BES Server\WebUI\Logs\
  • Linux: //var/opt/BESServer/WebUI/Logs
The specific log file for Profile Manager is prfmgr.log

How to set WebUI Server Site log levels for Profile Management

To change logging levels for the WebUI, you have to add the _WebUI_Logging_Filter client setting as described in Server Settings Definitions. To set logging levels for Profile Management, you must add a specific token. The value you specify determines what is written in the prfmgr.log . You can also specify the logging level detail (debug, verbose, or error). The available tokens are:
bf:bfdata-prfmgr
bf:bfdata-prfmgr:all-creators
bf:bfdata-prfmgr:all
bf:bfdata-prfmgr:get-applicable-count
bf:bfdata-prfmgr:get-deployment-count
bf:bfdata-prfmgr:profile

bf:prfmgr
bf:prfmgr:deployments
bf:prfmgr:devices
bf:prfmgr:profile_action_handler
bf:prfmgr:profile_fixlet_creator
bf:prfmgr:initialize
bf:prfmgr:tasks
bf:prfmgr:profiles

For example, to log all Profile Management traces, write the following value in the _WebUI_Logging_Filter client setting: bf:prfmgr:*.

If you also want to view all queries, you must add messages that are logged by the database by specifying: bf:prfmgr:*,bf:database:*

Target log files

When a profile is deployed on a target device, you can find useful information in the log files that are created for each deployed profile.
Windows 10
In the path \\Program Files (x86)\BigFix Enterprise|BES Client\_BESdata\_Global\PrfmgrLog a file is created for each deployed profile. The name of the log file is made up of the profile name followed by extension .log. The profile log file contains the following information:
  • Which security settings are enforced with the profile.
  • The current settings on the target device.
  • The final state of the device, and, in case of errors, the failure message or WMI exit code.
Mac OS X
The following log files are stored in the /var/tmp/BES directory on the target
  • PRF_Profile_WebUI_*: This file contains the last imported profile for the specified category.
  • com.bigfix.profile.*: Contains working files with error information.
  • profileLoad.output: This file contains profile operation logs.

Mac OS X Profile Deployment errors

When you deploy a profile on a Mac OS X device where there are profiles that were not created by BigFix Profile Management that enforce the same category or categories of the profile you are deploying, the message This action failed because another non-BigFix profile already enforces the category on this target is displayed in the Device Results page with an exit code corresponding to the category that caused the error, as detailed in the following list:
  • 91 - Passcode
  • 92 - Device Security
  • 93 - App Security
  • 94 - Restrictions
Important:

These results are displayed in the WebUI only after the "Retry on Failure" counter is expired. When the counter is still active, the deployment remains in "waiting" state. During this time frame, you can log in to the BigFix Console to check the exit code for the associated action.