Diagnostics profiles (UI)
Configuring the Diagnostics policy
Use a Diagnostics profile to set these options with the Diagnostics policy. (See Policy profiles for general information about managing policy profiles.)
Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.
Click the settings gear on the Diagnostics panel. The Policy details page appears, where you can create a new profile or edit an existing profile.
On the Policy details page, click + Diagnostics Profile to create a new profile, or click the View/Edit profile (pencil) icon next to an existing profile to edit it.
On the Diagnostics profile page, enter the Profile name and description, then select which classes to log and the severity level to log for each class.
When you are done configuring the profile, click Save changes. This profile is now available to use with any app.
Logging classes
| Class | Description |
|---|---|
Atlas Client PERP (Policy/Enrollment/Reporting) | Logs related to Atlas Client PERP (ACP) processing layer. These logs are related to user/device authentication and certificate enrollment. |
Client | High-level logs related to all interactions with the Atlas Gateway. |
Connect | Low-level secure microtunnel control logs related to Internet Key Exchange (IKE). |
| Crypto | Cryptography and security services, including FIPS. |
Data Security Framework (Cryptographic Operations) | Extremely low-level logs from the Data Security Framework (DSF). These logs can impact performance when enabled. |
| Data-At-Rest | Logs related to encrypted data at rest. Due to performance impacts, enable these logs only when directed by Support. |
| FileIO | File system interactions. Can impact performance when enabled. |
| Foundation | iOS-specific component used to intercept ObjectiveC Foundation and C-based CoreFoundation for data at rest. |
| Http | Secure Web Stack used on iOS to intercept HTTP/HTTPS traffic. |
| Injectable | High-level component responsible for coordination of other client components. |
| KeyStore | Secure location used for managing client certificates, reconnect tokens, and other persisted data. |
Map.Next Generic (default) | Default component for utilities not associated with another module. Set the generic logging level to set the logs for the MAP.Next core injectable code and the keystore component used for data storage. |
Policy | Information and debug on static and dynamic gateway policy, including secure microtunnel settings, browser settings, and device posture. |
| SmartLink | Information about SmartLink's connection to the Gateway. See Configuring Blue Cedar SmartLink. |
| SQLCipher | Information about SQLCipher database encryption use. |
Tunnel Driver | Injected TCP/IP stack logs for virtual network interface driver. Can cause performance degradation when enabled. |
Tunnel Internal | Injected TCP/IP stack logs for network buffer memory management and DNS handling. Can cause performance degradation when enabled. |
Tunnel IP Stack | Injected TCP/IP stack logs related to layer 3 IP processing. Can cause performance degradation when enabled. |
Tunnel Packet | Logs related to encapsulating and encrypting packets. |
Tunnel Socket | Logs related to binding of the IP stack with TCP and UDP layers. |
Tunnel TCP Stack | Injected TCP/IP stack logs related to layer 4 TCP processing. Can cause performance degradation when enabled. |
Tunnel UDP Stack | Injected TCP/IP stack logs related to layer 4 UDP processing. Can cause performance degradation when enabled. |
Virtual Tunnel Control | Virtual Networking logging controlling socket and packet layers. |
Severity levels
Choose the minimum level of messages to log. You can also use the REST API to set the parameter debug_level. The values in order of verbosity (where debug is the most verbose and critical the least):
- 0=Debug
- 1=Informational
- 2=Warning
- 3=Minor error
- 4=Major error
- 5=Critical error
Diagnostics restrictions
By default, end users can access an information menu in a Blue Cedar secured app. Admins can choose to disable this menu via the Diagnostics policy. There are options on this menu which an admin may not want end users to access.
On the Diagnostics profile page, click the triangle to expand the Advanced section.
Select "Restrict access to diagnostics screens" to hide the Information menu.
Applying the Diagnostics policy
Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.
Under Policies to apply, click the triangle to expand the Diagnostics panel.
Select "Enable Diagnostics policy."
Choose the Diagnostics profile from the menu.
Click Apply policies.