libtailscale,android: toggle remote client logging without restarting

Switch the remote-logging toggle from the one-way process-wide
logtail.Disable kill switch to per-logger APIs added upstream:
Logger.SetEnabled for runtime flips, and Config.Disabled so the
first NewLogger call doesn't even emit the internal "logtail
started" banner when the user has opted out. Bumps go.mod to
tailscale.com 1e68a11721fd which includes both.

The setting now takes effect immediately with no restart required.
App.updateIsClientLoggingEnabled pushes the effective value (still
forced on while MDM is configured) to the backend, and the MDM
change receiver does the same on MDM transitions so an arriving
MDM profile forces logging back on live.

Also fix the inverted MDMSettings.isMDMConfigured check so it tracks
"MDM restrictions are set" rather than its inverse; without this the
prior commit silently did the opposite of what it claimed. Drop the
"changes require restarting the app to take effect" wording from the
settings subtitle and disable-confirmation dialog.

Updates #13174

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

Author: bradfitz

android/src/main/java/com/tailscale/ipn/App.kt

@@ -716,6 +716,7 @@ open class UninitializedApp : Application() {
 
   fun updateIsClientLoggingEnabled(value: Boolean) {
     getUnencryptedPrefs().edit().putBoolean(IS_CLIENT_LOGGING_ENABLED_KEY, value).apply()
+    App.get().getLibtailscaleApp().setClientLoggingEnabled(getIsClientLoggingEnabled())
   }
 
   fun updateUserSelectedPackages(packageNames: List<String>) {

android/src/main/java/com/tailscale/ipn/mdm/MDMSettings.kt

@@ -135,7 +135,7 @@ object MDMSettings {
   fun loadFrom(preferences: Lazy<SharedPreferences>, restrictionsManager: RestrictionsManager?) {
     val bundle = restrictionsManager?.applicationRestrictions
     allSettings.forEach { it.setFrom(bundle, preferences) }
-    isMDMConfigured = bundle?.isEmpty == true
+    isMDMConfigured = bundle != null && !bundle.isEmpty
   }
 
   fun update(app: App, restrictionsManager: RestrictionsManager?) {

android/src/main/java/com/tailscale/ipn/mdm/MDMSettingsChangedReceiver.kt

@@ -17,15 +17,12 @@ class MDMSettingsChangedReceiver : BroadcastReceiver() {
       val restrictionsManager =
           context?.getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
 
-      val previouslyIsMDMEnabled = MDMSettings.isMDMConfigured
-
       MDMSettings.update(App.get(), restrictionsManager)
 
-      if (MDMSettings.isMDMConfigured && !previouslyIsMDMEnabled) {
-        // async MDM settings updated from disabled -> enabled. restart to ensure
-        // correctly applied (particularly forcing client logs on).
-        // TODO: actually restart
-      }
+      // MDM state may have flipped the effective client-logging value
+      // (getIsClientLoggingEnabled forces true under MDM); push the
+      // current effective value so the backend toggles immediately.
+      App.get().getLibtailscaleApp().setClientLoggingEnabled(App.get().getIsClientLoggingEnabled())
     }
   }
 }

android/src/main/res/values/strings.xml

@@ -355,10 +355,10 @@
     <string name="use_tailscale_subnets_subtitle">Route traffic according to your network\'s rules. Some networks require this to access IP addresses that don\'t start with 100.x.y.z.</string>
     <string name="subnet_routing">Subnet routing</string>
     <string name="client_remote_logging_enabled">Remote client logging</string>
-    <string name="client_remote_logging_enabled_subtitle">Whether debug &amp; opt-in flow logs are uploaded. Changes require restarting the app to take effect.</string>
+    <string name="client_remote_logging_enabled_subtitle">Whether debug &amp; opt-in flow logs are uploaded.</string>
     <string name="client_remote_logging_enabled_subtitle_mdm">Client logging is always enabled for devices under remote management.</string>
     <string name="client_remote_logging_disable_confirm_title">Disable remote client logging?</string>
-    <string name="client_remote_logging_disable_confirm_message">Disabling remote client logging will break Network Flow Logs if enabled and required by your tailnet admin, and will prevent Tailscale Support from being able to help debug problems with this device.\n\nChanges require restarting the app to take effect.</string>
+    <string name="client_remote_logging_disable_confirm_message">Disabling remote client logging will break Network Flow Logs if enabled and required by your tailnet admin, and will prevent Tailscale Support from being able to help debug problems with this device.</string>
     <string name="client_remote_logging_disable_confirm_button">Yes, disable</string>
     <string name="specifies_a_device_name_to_be_used_instead_of_the_automatic_default">Specifies a device name to be used instead of the automatic default.</string>
     <string name="hostname">Hostname</string>

go.mod

@@ -5,7 +5,7 @@ go 1.26.2
 require (
 	github.com/tailscale/wireguard-go v0.0.0-20260304043104-4184faf59e56
 	golang.org/x/mobile v0.0.0-20240806205939-81131f6468ab
-	tailscale.com v1.97.0-pre.0.20260408011054-a182b864ace4
+	tailscale.com v1.97.0-pre.0.20260420203310-1e68a11721fd
 )
 
 require (
@@ -61,9 +61,9 @@ require (
 	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
+	github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d // indirect
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
-	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
+	github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd // indirect
 	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 // indirect
 	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect

go.sum

@@ -157,16 +157,16 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/studio-b12/gowebdav v0.9.0 h1:1j1sc9gQnNxbXXM4M/CebPOX4aXYtr7MojAVcN4dHjU=
 github.com/studio-b12/gowebdav v0.9.0/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d h1:JcGKBZAL7ePLwOhUdN8qGQZlP5GueEiIZwY7R62pejE=
+github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
 github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89 h1:glgVc1ZYMjwN1Q/ITWeuSQyl029uayagaR2sjsifehc=
 github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89/go.mod h1:wn16Km1EZOX4UEAyaZa3dBwfFGOJ7neck40NcwosJUw=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869 h1:SRL6irQkKGQKKLzvQP/ke/2ZuB7Py5+XuqtOgSj+iMM=
 github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd h1:Rf9uhF1+VJ7ZHqxrG8pJ6YacmHvVCmByDmGbAWCc/gA=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
@@ -247,5 +247,5 @@ howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.97.0-pre.0.20260408011054-a182b864ace4 h1:EbBRCAjxEWU/61I/DDqMg4aMKw0uqYCtt8diNQ3DQjI=
-tailscale.com v1.97.0-pre.0.20260408011054-a182b864ace4/go.mod h1:J3yUifgjBmMBIylCvle8qVui/MDlsjP6aRPsZ9pjfUY=
+tailscale.com v1.97.0-pre.0.20260420203310-1e68a11721fd h1:D8jEUQOnUrOHF3D6hFXwApugaKZvjL2eaedZ02IgSA4=
+tailscale.com v1.97.0-pre.0.20260420203310-1e68a11721fd/go.mod h1:/8b6sKYTiJBP0X+uEOnjwYI0SnemeggQnOiRXi1MQbM=

libtailscale/backend.go

@@ -59,6 +59,11 @@ type App struct {
 	backend         *ipnlocal.LocalBackend
 	ready           sync.WaitGroup
 	backendMu       sync.Mutex
+
+	// logger is the logtail logger whose uploads follow the user's
+	// IsClientLoggingEnabled preference. Populated once runBackend wires
+	// up the backend; nil before then.
+	logger atomic.Pointer[logtail.Logger]
 }
 
 func start(dataDir, directFileRoot string, hwAttestationPref bool, appCtx AppContext) Application {
@@ -142,6 +147,7 @@ func (a *App) runBackend(ctx context.Context, hardwareAttestation bool) error {
 		return err
 	}
 	a.logIDPublicAtomic.Store(&b.logIDPublic)
+	a.logger.Store(b.logger)
 	a.backend = b.backend
 	if hardwareAttestation {
 		a.backend.SetHardwareAttested()

libtailscale/interfaces.go

@@ -138,6 +138,10 @@ type Application interface {
 	// so it can re-read it via the [syspolicyHandler].
 	NotifyPolicyChanged()
 
+	// SetClientLoggingEnabled sets whether diagnostic logs are uploaded to
+	// Tailscale's logging backend. Changes take effect immediately.
+	SetClientLoggingEnabled(enabled bool)
+
 	// WatchNotifications provides a mechanism for subscribing to ipn.Notify
 	// updates. The given NotificationCallback's OnNotify function is invoked
 	// on every new ipn.Notify message. The returned NotificationManager

libtailscale/localapi.go

@@ -111,6 +111,12 @@ func (app *App) NotifyPolicyChanged() {
 	app.policyStore.notifyChanged()
 }
 
+func (app *App) SetClientLoggingEnabled(enabled bool) {
+	if lg := app.logger.Load(); lg != nil {
+		lg.SetEnabled(enabled)
+	}
+}
+
 func (app *App) EditPrefs(prefs ipn.MaskedPrefs) (LocalAPIResponse, error) {
 	r, w := io.Pipe()
 	go func() {

libtailscale/tailscale.go

@@ -130,6 +130,10 @@ func (b *backend) setupLogs(logDir string, logID logid.PrivateID, logf logger.Lo
 		IncludeProcSequence: true,
 		HTTPC:               &http.Client{Transport: transport},
 		CompressLogs:        true,
+		// Start the logger disabled if the user opted out, so not even
+		// the internal "logtail started" banner reaches the server. The
+		// SetClientLoggingEnabled path flips this at runtime.
+		Disabled: !enableUpload,
 	}
 	logcfg.FlushDelayFn = func() time.Duration { return 2 * time.Minute }
 
@@ -144,10 +148,8 @@ func (b *backend) setupLogs(logDir string, logID logid.PrivateID, logf logger.Lo
 	}
 
 	b.logger = logtail.NewLogger(logcfg, logf)
-
 	if !enableUpload {
-		log.Printf("disabling remote log upload")
-		logtail.Disable()
+		log.Printf("remote log upload disabled by user preference")
 	}
 
 	log.SetFlags(0)