Logs

Linked Articles

Collecting AirWatch Services Logs (On-Premise)

AirWatch Enterprise Systems Connector (ESC) / Cloud Connector (ACC)

To verbose the ACC log, perform the following:

  • Open Windows Explorer on the ACC server, and browse to the C:\AirWatch\CloudConnector\ folder.
  • Note the presence of two folders: Bank1 and Bank2. Every time the Cloud Connector software is updated, the update is applied to the inactive bank folder. The updated bank folder then becomes the active bank folder.
  • Open each Bank folder and sort the file list by date modified. Compare the most recent date modified in each folder. The current bank folder is the one with the most recent date modified.
  • Within the current bank folder (C:\AirWatch\CloudConnector\Bank#), open the CloudConnector.exe.config file, change the level value in the loggingConfiguration key from error to verbose, and save the file.
  • After reproducing the error, open Windows Explorer on the ACC server and browse to the C:\AirWatch\Logs directory. Copy the appropriate log to a new location for use in support/troubleshooting.
  • Be sure to change the loggingConfiguration level value from verbose to error and save the file to prevent unnecessary impact to the ACC server.

AirWatch API Services (API)

To verbose the API Service Log, perform the following:

  • On the server running API services, open Windows Explorer and browse to C:\AirWatch\AirWatch #.#\Websites\AirWatchApi. Note: You can determine the API server by browsing to Groups & Settings > All Settings > System > Advanced > Site URLs.
  • Open the web.config file, and look for the loggingConfiguration key.
  • Change the value for level from error to verbose and save the web.config file.
  • Restart IIS services.
  • Reproduce your issue and then copy the log from C:\AirWatch\Logs\AirWatchAPI\webserviceapi.log.
  • Change the value for level from verbose back to error and save the web.config file.
  • Restart IIS Services.

AirWatch Cloud Messaging (AWCM)

To verbose the AWCM logs, please perform the following steps:

  1. Open the logback.xml file. The path to the file is \AirWatch\AirWatch x.x\AWCM\config\logback.xml.
  2. Search for the following:
  3. Change the state from error to debug.
  4. Save the file and restart the AWCM services.

Note

Once the issue is reproduced, return the logging level back to info and restart the AWCM services. Otherwise the AWCM disk may fill up with logs.

Folder = AWCM

  • Log name = Awcm.log. Contains information on AWCM such as status, history, properties, and additional sub-services.
  • Log name = AWCMservice.log. Contains log information on the AWCM Java service wrapper.

ACC Logs

Use these steps below to verbose ACC logs:

  •  On the ACC server, navigate to \AirWatch\AirWatch #.#\CloudConnector\Bank#

  •  #.# is the AirWatch version you are using. If there are multiple versions, choose the most recent.

  •  ACC utilizes two distinct banks: one active and one used for installation of automatic updates. If you are unsure of which bank is active, make changes to the CloudConnector.exe.config file in each bank. If one bank is empty or does not have the file, it is not the active bank.

  •  Edit the CloudConnector.exe.config lines:

    • level = “Verbose”

    • tracingEnabled = “true”

      <loggingConfiguration filePath="..\..\Logs\CloudConnector\CloudConnector.log" tracingEnabled="true" level="Verbose" logFileRollSize="10240" maxArchivedFiles="20"/>
      
  •  Locate the log by looking at the filePath attribute from the line above. It resolves to \AirWatch\Logs\CloudConnector\CloudConnector.log

  • ACC doesn’t need to be restarted to pick up the logging level configuration change.
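
The following is an added example, not part of the original page or of AirWatch itself: a Python check that applies the bank rules above (a bank without CloudConnector.exe.config is skipped, the bank with the most recently modified file is treated as active) and reports any bank still logging at Verbose or with tracing enabled. The function names, the sample directory layout and the `<configuration>` root element are assumptions; only the loggingConfiguration attributes are taken from the line shown above.

```python
"""Added example: audit ACC bank folders for logging left at Verbose."""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CONFIG_NAME = "CloudConnector.exe.config"

# Constructed sample file. Only the loggingConfiguration attributes come from
# the page; the <configuration> root is assumed (standard .NET config layout).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <loggingConfiguration filePath="..\\..\\Logs\\CloudConnector\\CloudConnector.log"
      tracingEnabled="{tracing}" level="{level}"
      logFileRollSize="10240" maxArchivedFiles="20"/>
</configuration>
"""


def read_logging(config_path):
    """Return (level, tracing_enabled) from the loggingConfiguration element."""
    root = ET.parse(str(config_path)).getroot()
    for elem in root.iter("loggingConfiguration"):
        tracing = elem.get("tracingEnabled", "false").strip().lower() == "true"
        return elem.get("level", "").strip(), tracing
    return None, False  # element not present in this file


def newest_mtime(folder):
    """Most recent modification time of any file directly inside folder."""
    times = [f.stat().st_mtime for f in folder.iterdir() if f.is_file()]
    return max(times, default=0.0)


def audit_banks(connector_dir):
    """Inspect every Bank* folder and describe its logging state.

    The "active" flag uses the page's heuristic (most recent date modified),
    so a hand-edited config in the inactive bank can skew it.
    """
    rows = []
    for bank in sorted(Path(connector_dir).glob("Bank*")):
        cfg = bank / CONFIG_NAME
        if not bank.is_dir() or not cfg.is_file():
            continue  # empty bank or no config file: not the active bank
        level, tracing = read_logging(cfg)
        rows.append({
            "bank": bank.name,
            "mtime": newest_mtime(bank),
            "level": level,
            "tracing": tracing,
            # Anything other than the quiet default should be reset after use.
            "needs_reset": (level or "").lower() == "verbose" or tracing,
        })
    newest = max((r["mtime"] for r in rows), default=None)
    for r in rows:
        r["active"] = r["mtime"] == newest
    return rows


def build_sample(root):
    """Create a constructed two-bank layout under root for the demo."""
    layout = (("Bank1", "Error", "false", 86400), ("Bank2", "Verbose", "true", 0))
    for name, level, tracing, age_seconds in layout:
        bank = Path(root) / name
        bank.mkdir(parents=True)
        cfg = bank / CONFIG_NAME
        cfg.write_text(SAMPLE_CONFIG.format(level=level, tracing=tracing),
                       encoding="utf-8")
        stamp = 1_700_000_000 - age_seconds  # fixed, constructed timestamps
        os.utime(cfg, (stamp, stamp))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in audit_banks(tmp):
            state = "RESET NEEDED" if row["needs_reset"] else "ok"
            role = "active" if row["active"] else "inactive"
            print(f'{row["bank"]} ({role}): level={row["level"]} '
                  f'tracing={row["tracing"]} -> {state}')
```

On a real ACC server, pass the CloudConnector folder to `audit_banks` instead of the temporary sample directory.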

Console Services (CS)

To enable verbose logging for console and scheduler services, please perform the following steps:

  • Log in to the AirWatch console in question.
  • With the Global organization group selected, browse to Groups & Settings > All Settings > Admin > Diagnostics > Logging.
  • Change the logging level for the services in question to verbose and click Save.
    • Admin Console
    • Self-Service Portal
    • API
    • Scheduled Services (such as Inventory, Workflow, and Monitor services)
  • Reproduce your error, then open Windows Explorer, browse to the relevant service folder under C:\AirWatch\Logs, and look for the latest log.
  • Change the Device Services logging level back to Error. This prevents logging from impacting system performance.

Device Services – Targeted

Depending on the version of AirWatch, it is possible to collect verbose logs for an individual device without having to verbose the logs for all devices. This is particularly helpful when troubleshooting a single device in a large production deployment. To do this, perform the following steps:

  • From within the AirWatch console device list view, click on your device to take you to the device details page.
  • Click More > Targeted Logging. If necessary, click the Continue Targeted Logging File Path to ensure the logging path is configured.
  • From the targeted logging page, click Create New Log and select the timeframe you want the logs to collect. Click Start.  At any point, you can click Stop Logging to stop log collection for the device (such as after you have reproduced the issue).
  • Once the tests are completed, go to the appropriate server and look for the TargetedLogging folder.
  • Inside the folder is a zip file with the current date and time. Unzip the file to view the files.

Device Services – General

When you wish to verbose device services logging for all devices, perform the following:

  • Log in to the AirWatch console in question.
  • With the Global organization group selected, browse to Groups & Settings > All Settings > Admin > Diagnostics > Logging.
  • Change the Device Services logging level to verbose and click Save.
  • Reproduce your error, then open Windows Explorer and browse to C:\AirWatch\Logs\DeviceServices\ and look for the latest log.
  • Change the Device Services logging level back to Error. This prevents logging from impacting system performance.

SEG Console, Setup, and Integration Logs

To verbose the SEG logs for console/setup/integration, please perform the following steps:

  • Open Windows Explorer on the SEG server and browse to C:\AirWatch\Logs
  • Note the following folders and change the appropriate config log level from error to verbose:
    • Services – Contains the AW.EAS.IntegrationService.log file which details communications between the AirWatch API server and SEG server. Note: This log is verbosed by changing the level value in the loggingConfiguration key of the AW.ES.IntegrationService.Exe.config file in the C:\AirWatch\AirWatch #.#\AW.Eas.IntegrationService folder.
    • SEG Setup – Contains the AW.EAS.Setup.log file which details activity related to the http://localhost/SEGSetup website. Note: This log is verbosed by changing the level value in the loggingConfiguration key of the web.config file in the C:\AirWatch\AirWatch #.#\AW.Eas.Setup folder.
    • SEG Console – Contains the AW.EAS.Web.log file which details activity related to the http://localhost/SEGConsole website. Note: This log is verbosed by changing the level value in the loggingConfiguration key of the web.config file in the C:\AirWatch\AirWatch #.#\AW.Eas.web folder.
  • Before reproducing your issue, make the necessary change to the loggingConfiguration key for the service in question.
  • After reproducing the error, open Windows Explorer on the SEG server and browse to the appropriate subfolder in the C:\AirWatch\Logs\ directory. Copy the appropriate log to a new location for use in support/troubleshooting.
  • Be sure to change the loggingConfiguration level value (currently verbose) in the appropriate configuration file back to error to prevent unnecessary impact to the SEG server.

SEG Exchange ActiveSync (EAS) Listener Logs

To verbose the SEG EAS Listener logs, please perform the following steps:

  • On the SEG server, open an Internet browser and navigate to http://localhost/SEGSetup
  • In the “Log Level” drop down, select verbose and click Save. Note: This changes the level value in the key of the web.config file in the C:\AirWatch\AirWatch #.#\AW.Eas.Web.Listener folder.
  • Copy the AW.Eas.Web.Listener.log to a new location for use in support/troubleshooting.
  • In your Internet browser, change the “Log Level” drop down back to error and click Save.

FTP Relay Server (Rugged Management)

Logging for the relay server is saved in the following location:

  • Browse to the C:\AirWatch\Logs\Service folder.
  • The logging for the Relay Server is saved in the ContentDeliveryService.log file.

Collecting logs from the Admin Console

If you do not have immediate access to the on-premise servers to access the logs, you can retrieve SEG/ACC logs directly from the console from the following page:

  • Navigate to System > Admin > Diagnostics > System Health. Click on the installed service you wish to pull the logs from.
  • In the pop-up box now displayed, click “Acquire Logs” for the required service, from the four-button menu on the right.
  • Now the “Download” button is activated and you can click on it to download and view logs remotely.

Note: The System Health dashboard will be populated only if you have any of the services (ACC/SEG) already installed and running.

EMail Notification Service (ENS)

ENSv2 runs as the Windows service ‘AWSubscription’. Like other AirWatch services, its logs can be found in {Installation Path}/Logs, and the logging level can be configured by setting the parameters traceEnabled=“true” and Level=“Verbose” in the app config file ({Installation Path}\Config\WebSites\Web.config) located in the installation folder.

ENSv2 Errors are in ENS.log and ReSubscriptionMechanism.log

Note

The service must be restarted for logging changes to take effect.

When set to verbose, you will be able to identify log messages pertaining to both new subscriptions being created and any device compliance state changes being identified, for example when a device becomes compromised and is then marked as non-compliant. In the logs, a message indicating that a device’s access state is True means the device is allowed, whereas False means the device is blocked.

Subsections of Logs

Boxer for Android Logs

Boxer for Android Architecture

Boxer communicates with a few different systems to provide these services.
The flow of the Android Boxer log file looks like this:

  • Boxer reaches out to the console to get the profile information;
  • Boxer reaches out to the console to get any S/MIME certificates and client authentication certificates available from the console;
  • Boxer reaches out to the Exchange ActiveSync(EAS) email endpoint to make the options, provision, foldersync, and ping request;
  • Boxer reaches out to the Email Notification Service (ENS) and provides the Exchange Web Services (EWS) credential information that was used for ActiveSync so it can subscribe to email notifications.
graph TD CS[Console Server] --> Boxer; Boxer --> CS; Exchange --> Boxer; Boxer --> Exchange; Boxer --> ENS; ENS --> Boxer;
  • Boxer logs are in GMT, which means the entries are 5 hours ahead of EST. In addition, the logs use 24-hour time, so you will need to subtract 12 if you want am/pm.
  • The very first line in the Boxer logs has the last date of the logs in the file. For example: 2019-01-08T21:28:04.539Z - [-] - ###--HEADER--###
  • Boxer logs can persist in the app for up to 3 days, so they can be pulled for review even if the issue hasn't occurred recently, as long as it occurred within the 3-day period. This is useful for intermittent issues, or where there is a delay in an affected user reporting the issue to their tech support.

Boxer Communication Logs

Here is an example of what you might see in the logs followed by notes (in bold) that detail what the log entry tracks:

Boxer log sample...

Common Ways to Search Through the Logs

On the console where you configure your Boxer profile, you will have places where you can enter profile information like Account Name, Domain, User, etc… However, in the Boxer logs, when you are looking for the corresponding data there, the wording might be slightly different. You can use the mapping information below to see what this would say in the Boxer logs. The value on the left is what you will see in the console. The value after “=” is what you will see in the Boxer logs.

Account Name = DESCRIPTION  
Exchange ActiveSync Host = SERVER_ADDRESS  
Domain = USER_DOMAIN  
User = USERNAME  
Email Address = EMAIL  
Email Signature = SIGNATURE  
Authentication Type = ACCOUNT_AUTHENTICATION_TYPE | 0 basic, 1 certificate, 2 both  
Copy Paste = ALLOW_COPY_PASTE  
Screenshots = ALLOW_SCREEN_CAPTURE  
Allow email widget = ALLOW_EMAIL_WIDGET  
Allow calendar widget = ALLOW_CALENDAR_WIDGET  
Hyperlinks = POLICY_ALLOW_OPEN_IN  
Sharing = DOCUMENT_SHARING_RESTRICTION  
Caller ID = ALLOW_CALLER_ID  
Personal Accounts = ALLOW_OTHER_ACCOUNTS  
Personal Contacts = ALLOW_LOCAL_CONTACTS

Boxer reaches out to the console to get the profile information

2019-02-07T15:21:55.345Z I [18459-BoxerWorker-5] - App initialization step complete: 1

2019-02-07T15:21:55.578Z E [18459-main] - FLF.setSelectedAccount(null) called! Destroying existing loader.

2019-02-07T15:21:55.589Z I [18459-BoxerWorker-3] - Waiting for app restrictions

This entry is the best example we have of when Boxer reaches out to the console. You can use Fiddler to further determine when Boxer is reaching out to the console. In the Boxer logs, you can’t directly see this. The other place you can see this is in the ADB device logs. The line here that says “waiting for app restrictions” just indicates that Boxer is waiting to read from the database.

Boxer reaches out to the console to get any S/MIME certificates and client authentication certificates available from the console.

2019-02-07T15:21:56.256Z I [18459-IntentService[AirWatchAccountSetupService]] - Fetching S/MIME signing certificate

2019-02-07T15:21:58.021Z I [18459-AsyncTask #2] - Certificate being fetched for : AccountAuthenticationCertificateId
2019-02-07T15:21:59.013Z I [18459-AsyncTask #2] - Certificate fetch successful 
2019-02-07T15:21:59.755Z I [18459-Thread-7] - TrackingKeyManager: requesting a client cert alias for 66.170.96.7 
2019-02-07T15:22:05.776Z I [18459-Thread-9] - Registering socket factory for certificate alias [AW-be6fad91fe2b4291b1d392c9eabf90be] 
2019-02-07T15:22:05.846Z D [18459-Thread-9] - Found cert chain: [ [0] Version: 3
SerialNumber: 468315651040541492877707779630191635557515624
IssuerDN: DC=local,DC=milkyway,CN=milkyway-SUN-CA
Start Date: Thu Feb 07 10:11:47 EST 2019  
Final Date: Sat Mar 09 10:11:47 EST 2019  
SubjectDN: CN=lwilcox
Public Key: RSA Public Key
public exponent: 10001

Boxer reaches out to the Exchange ActiveSync (EAS) email endpoint to make the options, provision, foldersync, and ping request.

Making the Options Request

Boxer Options Request...

Perform a FolderSync

Boxer FolderSync...

Perform a provision request

Boxer provision request...

Perform another FolderSync, this time it works. Start email sync.

Boxer another FolderSync...

Ping example

2019-02-07T15:40:12.911Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Ping task starting for 1  
2019-02-07T15:40:12.912Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Exchange ping starting  
2019-02-07T15:43:00.125Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Changes found in: 8  
2019-02-07T15:43:00.126Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Ping found changed folders for account 1  
2019-02-07T15:43:00.137Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - requestSync EasOperation requestSyncForMailboxes Account {name=lwilcox@labmail.airwlab.com, type=com.boxer.exchange}, Bundle[{__mailboxCount__=1, force=true, expedited=true, __mailboxId0__=5, PING_ERROR_COUNT=3}]  
2019-02-07T15:43:00.139Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Exchange ping finished with result 2

2019-02-07T15:43:00.200Z I [18459-SyncAdapterThread-8 ] - Email sync for account lwilcox@labmail.airwlab.com, with extras Bundle[{ignore_settings=true, __mailboxCount__=1, force=true, expedited=true, ignore_backoff=true, __mailboxId0__=5, PING_ERROR_COUNT=3}]  
2019-02-07T15:43:00.316Z I [18459-SyncAdapterThread-8 ] - Starting sync command

Boxer reaches out to the Email Notification Service (ENS) and provides the Exchange Web Services (EWS) credential information that was used for ActiveSync so it can subscribe to email notifications.

2019-02-07T15:23:08.315Z I [18459-AsyncTask #4 ] - Ens registration for account (id=1) is successful! 
2019-02-07T15:43:30.041Z I [18459-main ] - Sync triggered from distance

You can use Notepad++ to search the logs using the following search terms.

“error” - This is a very general way to look for errors. You will get a lot of false positives when using this search term.

“exception “ - You can use this to search the file for exceptions that are generated when the application runs into an error.

“Current Network” - This will show you what network connection the mobile device was connected to (4G, Wi-Fi, etc.).

“distance” - This shows you each time the ENS server has reached out to the mobile device to wake it up, send a notification, and trigger a sync.

“transitioning” - Use this search term to tell when the application is transitioning from background to foreground and vice versa.

“requestPing” - This will show you when the device reaches out to the OS to use the Android SyncAdapter, which it uses to request the ping. The response to this request will be “Email sync for account”.

“Email sync for account” - This will be a response from the OS for a command “requestPing” or “requestSync “. Take note of how long between the request and the reply from the OS. If it’s a long time, it’s likely being throttled by the OS due to battery optimization or a third party product.

“Changes found in: “ - This is the response to a ping request. It tells us if the ping found any changes in the inbox. If it did, we will now do a “requestSync” to bring those emails or changes into Boxer.

“requestSync” - This will show you when the device reaches out to the OS to use the Android SyncAdapter, which it uses to request email sync. The response to this request will be “Email sync for account”.

“Q-AppInitialization “ - This shows you when the application is starting up. You will see this when you force close and reopen the application or when you start the application after a crash.

“PingTask “ - shows you all activities related to pings

“SyncAdapterThread “ - shows you all activities related to sync operations.

“Email sync for account “ - The response from the OS after a “requestSync” or “RequestPing” operation.

“ens” - Search the log files for ens errors and settings.
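
The search for “requestSync”/“requestPing” and the matching “Email sync for account” reply can be automated. The following is an added example, not part of the original page or of Boxer: it parses the log line format shown in the samples above, pairs each request with the next reply from the OS, converts the GMT timestamp to EST, and flags long delays that suggest OS throttling. The sample log is constructed in the page's format, and the 30-second threshold and all function names are assumptions.

```python
"""Added example: measure requestSync/requestPing -> OS reply delay in a Boxer log."""
import re
from datetime import datetime, timedelta, timezone

# timestamp, level, [pid-thread], message; thread names may contain brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) (?P<lvl>[A-Z]) "
    r"\[(?P<pid>\d+)-(?P<thread>.*?)\] - (?P<msg>.*)$"
)
EST = timezone(timedelta(hours=-5), "EST")  # the page: GMT is 5 hours ahead of EST
REQUESTS = ("requestSync", "requestPing")
RESPONSE = "Email sync for account"

# Constructed sample in the page's log format (addresses and messages made up).
SAMPLE_LOG = """\
2019-02-07T16:11:41.000Z - [-] - ###--HEADER--###
2019-02-07T15:43:00.137Z I [18459-PingTask-user@example.com] - requestSync EasOperation requestSyncForMailboxes Account {name=user@example.com, type=com.boxer.exchange}
2019-02-07T15:43:00.200Z I [18459-SyncAdapterThread-8 ] - Email sync for account user@example.com, with extras Bundle[{force=true}]
2019-02-07T16:10:05.000Z I [18459-main] - requestPing for account 1
2019-02-07T16:11:40.250Z I [18459-SyncAdapterThread-9 ] - Email sync for account user@example.com, with extras Bundle[{force=true}]
2019-02-07T16:11:41.000Z E [18459-main] - FLF.setSelectedAccount(null) called! Destroying existing loader.
"""


def parse_line(line):
    """Parse one log line; return None for the header or anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "level": m["lvl"],
        "pid": int(m["pid"]),
        "thread": m["thread"].strip(),
        "msg": m["msg"],
    }


def sync_latencies(log_text):
    """Pair each request with the next OS reply and compute the delay."""
    pending = None  # earliest request that has not been answered yet
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = next((k for k in REQUESTS if k in entry["msg"]), None)
        if kind:
            if pending is None:
                pending = (kind, entry["ts"])
        elif RESPONSE in entry["msg"] and pending is not None:
            kind, asked = pending
            results.append({
                "kind": kind,
                "requested_est": asked.astimezone(EST).strftime("%I:%M:%S %p"),
                "delay_s": (entry["ts"] - asked).total_seconds(),
            })
            pending = None
    return results


def slow_syncs(log_text, threshold_s=30.0):
    """Return only the pairs whose delay exceeds the (assumed) threshold."""
    return [r for r in sync_latencies(log_text) if r["delay_s"] > threshold_s]


if __name__ == "__main__":
    for row in sync_latencies(SAMPLE_LOG):
        print(f'{row["kind"]} at {row["requested_est"]} EST answered after '
              f'{row["delay_s"]:.3f}s')
    print("possibly throttled:", slow_syncs(SAMPLE_LOG))
```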

Collecting Boxer Logs When You Can’t Get Into Android Boxer

Depending on what model phone you have, you can follow one of the processes below to collect Boxer logs in the event that you can’t get into Boxer due to an error. You may have a different model device than the ones listed, but the process will be very similar.

Samsung S9+

  • Go to “Settings” on the phone followed by “Apps”
  • Select “Boxer”
  • Select “Mobile Data”
  • Select “View App settings”
  • Select “Send logs”
  • Use one of the other mechanisms to send the logs (either by copying the logs out or another email client).

On Motorola X Pure

  • Go to “Settings” on the phone followed by “Apps”
  • Select “Boxer”
  • Select “Data Usage”
  • Select “App settings”
  • Select “Send logs”
  • Use one of the other mechanisms to send the logs (either by copying the logs out or another email client).

Device-side logs collection

Collecting Device-Side Logs

macOS Devices

With version 2.x of the macOS agent, you can now collect logs via the agent by performing the following steps:

  • Open the agent by right-clicking the agent icon from the menu bar, and then clicking Preferences
  • From the Status screen, click on Diagnostics
  • Click the button to Send Logs to Administrator
    • The agent will gather logs and zip them into an email for you automatically

To manually gather logs on older versions of the AirWatch agent, please perform the following:

  • Enable Debug Logging in the Mac OS X Terminal:
    • $ sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
    • $ sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1
    • $ sudo touch /var/db/MDM_EnableDebug
  • Open the Console application from the Launchpad. Select All Messages and then click Clear Display to clear out old logs.
  • Reproduce the issue on the Mac.
  • Click File > Save a Copy As and save a copy of the logs to be sent to AirWatch.
  • Disable the Debug logging in the Mac OS X Terminal:
    • $ sudo rm -rf /var/db/MDM_EnableDebug
    • $ sudo defaults delete /Library/Preferences/com.apple.MCXDebug debugOutput
    • $ sudo defaults delete /Library/Preferences/com.apple.MCXDebug collateLogs

iOS Devices (iPhone, iPad, Apple TV)

To gather logs from iOS devices (iOS 7.x and below), please perform the following steps:

  • Install iPhone Configuration Utility (iPCU) on your workstation.
  • With iPCU started, connect the iOS device to your computer via the USB cable.
  • On the left-hand side of iPCU, select the iOS device where you wish to collect logs.
  • Click on the Console tab at the top right-hand corner.
  • Reproduce the issue with your iOS devices.
  • Click the Save Console As button to save the text in the console to a file.

To gather logs from iOS devices (iOS 8.0+), please perform the following steps:

  • Install Xcode 6 on your OS X device. Note: You cannot gather iOS 8 logs from a Windows-based computer. You must use a Mac OS X computer.
  • With Xcode started, connect the iOS device to your computer via the USB cable.
  • From within Xcode, click on the Window menu and click Devices.
  • Select your iOS device from the left hand side, then select the up arrow at the bottom corner of the right hand side.
  • Reproduce the issue with your iOS devices.
  • Save the contents of the activity log to a file.

Android

To gather logs using Console, please see the following documentation.  

To gather logs using ADB, please perform the following steps (see the following page for details):

  • Download and set up the Android SDK per the SDK documentation.
  • Open Windows Explorer and browse to the \platform-tools folder. Ensure you see the adb.exe file.
  • Open a CMD window and navigate to the platform-tools folder. Or, in Windows 7, navigate back to the SDK folder, then Shift + Right-Click on the platform-tools folder, and select Open Command Window Here.
  • Ensure USB Debugging is enabled on your Android device (from the Developer Settings menu). For more information on how to enable the Developer Settings menu, browse to http://www.androidcentral.com/how-enable-developer-settings-android-42
  • In your Notification Center, you may need to make sure the device is not connected in USB Media Device mode.
  • In the CMD window, type adb logcat -v long > androidlog.txt
  • On the Android device, recreate whatever error you are trying to log.
  • When complete, from within the CMD window use CTRL + C to end the logging.
  • Go back to the platform-tools folder and find the log file (androidlog.txt) that you just created.

Windows 7/8/8.1/10/11

To gather logs, please perform the following steps:

  • Click on Start > Run, type eventvwr.msc and click OK. On Windows 8/8.1, from the start menu you can simply start typing Event and select the View Event Logs item returned from universal search.
  • Expand Event Viewer (Local) > Windows Logs and select the Application log.
  • You can filter logs by Event ID or Source if desired.
  • To export for support, click on either Save All Events As or Save Selected Events to export the log entries as an *.evtx file which can be sent to support.
  • You can also find logs in the following location: \AgentUI\Logs
    • AwclClient.log - AWCM-related Issues
    • AWProcessCommands.log - Issues with sending commands to the device
    • NativeEnrollment.log - Issues with Enrollment
    • TaskScheduler.log - Issues with samples sent to console

Windows Phone 8.1 (deprecated)

To gather logs, please perform the following steps:

  • Ensure you have Visual Studio 2013 Update 3 installed. If not, perform the following:
    • From your Windows laptop or VM, browse to Windows Phone SDK Archives
    • Download the Visual Studio Express 2013 for Windows and install it.
  • From within Visual Studio, click on Tools > Windows Phone 8.1 > Developer Unlock. Follow the prompts to unlock your Windows Phone 8.1 device.
  • From within Visual Studio, click on Tools > Windows Phone 8.1 > Developer Power tools.
  • Select Device from the Select Device dropdown, then click Connect. If prompted, click Install to install the Phone Tools Update Pack.
  • Select the Performance Recorder tab, then check the Enterprise Management option under the Extras profile category.
  • Click the Start button in the Developer Power Tools window to start a log.
  • Run your scenarios and re-create the issue you’re experiencing.
  • Click the Stop button in the Developer Power Tools window to stop logging and save the ETW to a local location.
  • You will need to download the Windows Performance Analyzer to view the logs. This can be found in the Windows Performance Toolkit included in the Windows Assessment & Deployment Toolkit (ADK) and Windows Software Development Kit (SDK).

Windows Performance Toolkit

  • Open the Windows Performance Analyzer and open the ETL file.
  • In the Graph Explorer window, expand System Activity and view the Generic Events window.
  • Double-click the graphic bars in the Generic Events window to display an Analysis window.
  • In the Analysis window, click Open View Editor to show a Generic Events View Editor window.
  • In the Generic Events View Editor window, ensure the Message box is checked and click Apply:
    • The Message field in the analysis window provides the MDM specific log message under various providers.
    • Microsoft-WindowsPhone-Enrollment-API-Provider – ETW logs for MDM Enrollment and MDM Client Cert Renew Process.
    • Microsoft-WindowsPhone-SCEP-Provider – SCEP Cert enrollment logging
    • Microsoft-WindowsPhone-CmCspVpnPlus – VPN Configuration logging

Windows Mobile Devices with Agent 5.x

All log settings are configured in the log_config.cfg file in the \Program Files\AirWatch directory on the device. The file will resemble the following:

[*]
trace_level=5
max_file_size_kb=256
files_to_keep=2
log_file_path=\Program Files\AirWatch\Logs
use_local_time=false

[aw_setup]
trace_level=5
max_file_size_kb=256
files_to_keep=2
log_file_path=\
use_local_time=false

[awregisterdevice.exe]
trace_level=3
max_file_size_kb=256
files_to_keep=2
log_file_path=\Program Files\AirWatch\Logs
use_local_time=false

[awapplyprofile.exe]
trace_level=5
max_file_size_kb=256
files_to_keep=2
log_file_path=\Program Files\AirWatch\Logs
use_local_time=false

[awremotecontrol.exe]
trace_level=1
max_file_size_kb=256
files_to_keep=2
log_file_path=\Program Files\AirWatch\Logs
use_local_time=false

In general, the following notes apply to Windows Mobile device logging:

  • The logging level can be modified as a whole, or on an individual basis:
    • The asterisk configuration is the default config for all logs. Trace levels vary from 1 (basic) to 5 (verbose/debug).
    • Each individual section can be used to override the default setting from the asterisk section, for example to increase logging for one component.
  • The log files which are available can vary (based on configuration and OEM), but the following are the most common:
    • aw_setup - Provides logging information relating to the AWMasterSetup utility, which is responsible for initiating the agent install and uninstall process on a device. This is the only log file that is not located in the “\Program Files\AirWatch” directory and is instead located in the root of the file system.
    • awacmclient - Provides logging information relating to the AWCM client on the device
    • awapplicationmanager - Provides logging information relating to product provisioning
    • awprocesscommands - Provides logging information relating to the execution of MDM commands and installation of profiles
    • AWService - Provides information about the AWService.exe component, which is responsible for managing beacon and interrogator samples
    • awapplyprofile - Relates to installation of the agent settings xml file which occurs during the enrollment process
    • awregisterdevice - Provides information about the registering of the device that occurs during the enrollment process
    • awapplauncher - Provides information about the Application Launcher executable. This log will only be present if the App Launcher utility is assigned to and being used by a device.
    • fusionwlansetup - Provides information about configuring and setting up the Fusion WiFi driver on Motorola devices.

The general process for configuring log files is as follows:

  • Transfer the log file to your machine. This can be done through the file manager utility in device details or through remote management if a client has that configured.
  • Open the log file via a basic text editor such as notepad.
  • Edit the desired trace level to the needed value.
  • Save the log file.
  • Transfer the log file back down to the “Program Files\AirWatch” directory on the devices. This can be accomplished via file manager, remote manager, or product provisioning. To be safe, you may elect to first delete the old log_config.cfg file.
  • Restart AWService on the device once it has the updated log_config.cfg file. This can be accomplished by directly restarting the AWService through the “Restart AirWatch Agent” or the “Warm Boot” MDM commands that are available in the AirWatch Console.
  • Once the AWService has been restarted, the new logging configuration will take effect. Reproduce your issue and then repeat the steps to turn the logging back down on the device.

Collecting Service/Functionality Specific Logs

Product Provisioning

Review the AirWatch Agent Logs and look for the following items to help you troubleshoot what is occurring:

  • If the device is newly enrolled, you’ll see the following in the logs: A message from [AWProductHandler sendProductResponses] stating “Products: No products with results to be sent!”
  • A message from [AWEnhancedProductsHandler handleCommand:] stating “Got Products New Manifest”
    • Note: In the manifest will be a line entry called "ProductID". You’ll want to save this for later on.
    • Depending on the number of products being installed, you may see an entry for each product that is required.
    • Messages from [AWAppDataManager readJobProduct:] looking to see if the product is downloaded to the local cache
    • Messages from [AWOSXUtils deleteFile:] where it attempts to delete any pre-existing plist file for the products.
    • Messages from [AWJob printJob] which show the sequence number assigned to the Product which will be installed.
    • From this point forward you can search the log by the sequence number assigned to the product install job:
      • Messages about the job being queued
      • Messages about the job being started.
        • The line will look like this: airwatchd[PID] : - [AWJobQueue doJob] [Line 98] THREAD: Current Job: where PID is the AirWatch Agent Process ID and the JobID is the Sequence Number assigned to the product.
        • You can get additional information about the product actions occurring by searching from that point forward for entries from the process ID!
  • Messages about any files being downloaded to the product cache
  • Messages about Job Status Change. You’ll want to search for a line ending in “Job Status changed ========> :AWJobStatusFailed!” From that point, search up in the log for messages relating to the JobID and/or the ProductID (as found in the manifest). All these messages should be coming from the Process ID of the AirWatch Agent that initially started the install.
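The search described above (find the failed status line, then walk back through entries from the same agent process that mention the JobID or ProductID) can be scripted. This is an added example, not AirWatch code: the sample log lines are constructed, and everything in them beyond the `airwatchd[PID]` prefix, the bracketed handler names and the status text quoted above (field layout, `[AWJob setStatus:]`, the ID values) is an assumption.

```python
import re

PID_RE = re.compile(r"airwatchd\[(\d+)\]")
SRC_LINE_RE = re.compile(r"\[Line \d+\]")  # source-line tag, not a job number

def mentions(line, ident):
    """True if ident appears as a whole token outside the [Line N] tag."""
    body = SRC_LINE_RE.sub("", line)
    return re.search(rf"(?<!\w){re.escape(ident)}(?!\w)", body) is not None

def failed_job_context(lines, job_id, product_id):
    """For each failed-status line, list the earlier line numbers written by
    the same agent PID that mention the job sequence number or ProductID."""
    reports = []
    for idx, line in enumerate(lines):
        if "Job Status changed" not in line or "AWJobStatusFailed" not in line:
            continue
        match = PID_RE.search(line)
        if match is None:
            continue
        pid = match.group(1)
        related = []
        for number, earlier in enumerate(lines[:idx], start=1):
            earlier_pid = PID_RE.search(earlier)
            if (earlier_pid and earlier_pid.group(1) == pid
                    and (mentions(earlier, job_id) or mentions(earlier, product_id))):
                related.append(number)
        reports.append({"failed_at": idx + 1, "pid": pid, "related": related})
    return reports

# Constructed sample log (layout and values are assumptions for illustration).
SAMPLE = """\
airwatchd[411] : - [AWEnhancedProductsHandler handleCommand:] [Line 51] Got Products New Manifest ProductID=88
airwatchd[411] : - [AWJob printJob] [Line 20] Sequence: 1042 ProductID=88
airwatchd[411] : - [AWJobQueue doJob] [Line 98] THREAD: Current Job: 1042
airwatchd[530] : - [AWJobQueue doJob] [Line 98] THREAD: Current Job: 7
airwatchd[411] : - [AWOSXUtils deleteFile:] [Line 1042] removing plist
airwatchd[411] : - [AWJob setStatus:] [Line 77] Job 1042 Job Status changed ========> :AWJobStatusFailed
"""

if __name__ == "__main__":
    for report in failed_job_context(SAMPLE.splitlines(), "1042", "88"):
        print(report)
```

Stripping the `[Line N]` tag before matching keeps a source line number that happens to equal the job sequence number from being reported as a hit.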

Memory Dumping

Dumping memory for certain mobile app processes and analyzing the data files generated.

https://github.com/Nightbringer21/fridump
https://www.frida.re/docs/installation/
https://github.com/frida/frida/releases

General plan

  • Perform key generation operations 
  • Dump the memory using fridump
  • Pull the boxer_generated_keys.txt file
  • Use the MemDumpAnalyzer.py script with the -f flag, providing the boxer_generated_keys.txt file
  • Check the output and total finds

Detailed guide (for Android) to analyze AirWatch Boxer:

Tip

For information regarding iOS frida-server installation, please follow https://www.frida.re/docs/ios/.

1. Have a rooted/jailbroken device or an emulator running on your computer.

2. Install Python if you haven’t already (https://www.python.org/downloads/). This will allow us to run the scripts.

3. Open a new terminal and install frida. This is the main framework used by the underlying scripts.

pip install frida

4. Once frida is installed successfully, download the frida-server binary that matches the device type. The frida-server binary version and the frida version must match for the dump to work properly.

The download links can be found in https://github.com/frida/frida/releases 

Once the correct device frida-server binary is downloaded, unarchive the compressed file. The frida-server binary file should look like “frida-server-10.7.5-android-x86_64” which will be different depending on the device architecture.

5. Put the frida-server binary onto the Android device (using the ADB tool):

adb root # might be required
adb push frida-server /data/local/tmp/ # push the binary frida-server file into the device
adb shell "chmod 755 /data/local/tmp/frida-server" # make the binary file executable via permissions
adb shell "/data/local/tmp/frida-server &" # run frida-server in the background

To check that frida-server is running properly, type the following in the terminal:

frida-ps -U

This command will show you all the processes running on the mobile device.

6. At this point, we have frida-server as well as our application running on the device. It is time to download the fridump library that will allow us to dump the process memory in the device.

Clone the fridump Git repository:

git clone https://github.com/Nightbringer21/fridump

7. Now let's go ahead and dump the memory using fridump.

Provide the -s flag so that, at the end of the dump process, a separate script captures all the strings in the generated dump files. The -U flag makes fridump attach to the device over USB, as frida-ps -U did above.

python fridump.py -U -s com.example.name

Dump files will be located under fridump/dump/*. The strings.txt file is located under fridump/dump/strings.txt. To generate dump files in another location, provide the -o flag with the full path.

8. At this point, you will be able to analyze all the strings that reside in memory in strings.txt. However, what if you are looking for something that consists of a set of random bytes? For this purpose, you will need a separate Python script that analyzes the dump files.

Go to the fridump repo and make sure you are at the root. 

Download the python script MemDumpAnalyzer.py and copy the script to fridump folder root. For this script to work properly, your dump files must be located at the original destination which is fridump/dump/*.

Attached Script

MemDumpAnalyzer Python Script

The script supports two modes: searching the dump files for a string, or searching them for each entry in a file of hex-encoded strings separated by new lines. The string option lets you search for normal strings, while the file option lets you search for random bytes given in hex. This is particularly useful since our keys are randomly generated keys, which fail during encoding. Here are some usage examples.

-f : file path to search for
-s : string to search for
-h : help for usage

python MemDumpAnalyzer.py -h
python MemDumpAnalyzer.py -s boxer
python MemDumpAnalyzer.py -f boxer_generated_keys.txt

9. Generate hex-encoded keys and store them in a file. All the keys must be separated by new lines and must be hex encoded. The script supports files with upper- and lower-case hex digits, or with the ‘0x’ suffix in the hex encoding.

10. To pull the file from the device to the current folder, use

adb pull /data/data/com.boxer.email/files/boxer_generated_keys.txt
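The key search that steps 8 and 9 describe, written out as an added example: this is a stand-in, not the attached MemDumpAnalyzer.py, and the function names, sample keys and dump file names are constructed. It treats 0x as a leading marker on a key line, which is an assumption about the key file format.

```python
import re
import tempfile
from pathlib import Path

def load_keys(text):
    """Parse one hex-encoded key per line (any case, optional 0x marker)."""
    keys = []
    for line in text.splitlines():
        token = line.strip()
        if token.lower().startswith("0x"):
            token = token[2:]
        if not token:
            continue
        if len(token) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", token):
            raise ValueError(f"not a hex-encoded key: {token!r}")
        keys.append(bytes.fromhex(token))
    return keys

def scan_dumps(dump_dir, keys):
    """Return {key_hex: [(file_name, offset), ...]} for every raw occurrence."""
    hits = {key.hex(): [] for key in keys}
    for path in sorted(Path(dump_dir).iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for key in keys:
            pos = data.find(key)
            while pos != -1:
                hits[key.hex()].append((path.name, pos))
                pos = data.find(key, pos + 1)
    return hits

def demo():
    # Constructed sample: two made-up 16-byte keys and two fake dump files.
    leaked = bytes(range(0x10, 0x20))
    absent = bytes(range(0xA0, 0xB0))
    key_file = "0x" + leaked.hex().upper() + "\n" + absent.hex() + "\n"
    with tempfile.TemporaryDirectory() as dump_dir:
        Path(dump_dir, "0x7000_dump.data").write_bytes(b"\x00" * 40 + leaked + b"\xff" * 8)
        Path(dump_dir, "0x8000_dump.data").write_bytes(leaked + b"pad" + leaked)
        return scan_dumps(dump_dir, load_keys(key_file))

if __name__ == "__main__":
    for key_hex, found in demo().items():
        print(key_hex, len(found), "occurrence(s)", found)
```

A key with zero occurrences is the result you want after the app has finished with it; note that this search reads each dump file separately, so a key split across two files is not detected.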

Screen Recording

Windows 7/8/8.1/10/11

To document click-through steps on Windows machines, perform the following:

  • Click on Start > Run and type psr.exe to bring up the Problem Steps Recorder (or PSR, a built-in Windows utility).
  • Click on Start Record to begin capturing steps. Note: PSR captures screenshots of ALL monitors; no scoping.
  • Each mouse click you make captures a screenshot. At any time during the session, click on Add Comment to provide more details about the screen, error, etc.
  • When finished, click Stop Record.
  • Choose where to Save the PSR file – it outputs a zip file containing a pre-compiled HTML (*.mhtml) file with all your screenshots and comments.

macOS

To document click-through steps on macOS machines, perform the following:

  • Launch QuickTime Player. You’ll find it in the Other folder within Launchpad.
  • From the QuickTime menu bar, click File > New Screen Recording. Click the red record button.
    • Optionally you may wish to select View > Float on Top before you start recording.
    • Optionally, you can select the upside-down triangle in the record screen to include audio recording during the screen capture for annotation.
    • Click the screen (or Click-Drag to select part of the screen) for recording.
    • When complete, click the Stop button that appears in the menu bar of the screen where you’re recording.
    • Click File > Save (or simply quit QuickTime) to be prompted with a location to save the screen capture. Note: Keep it moving when you record these; they create full-blown movies and the file gets large quickly.