diff --git a/changes/14529-enqueue-apple-error b/changes/14529-enqueue-apple-error
new file mode 100644
index 000000000..4bd1f7541
--- /dev/null
+++ b/changes/14529-enqueue-apple-error
@@ -0,0 +1,3 @@
+* Change the response status code of /mdm/apple/enqueue to `400` if the host is:
+ - A macOS host that hasn't turned on Fleet MDM features.
+ - A Windows or Linux host.
diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md
index c50b07183..aae4f015c 100644
--- a/docs/REST API/rest-api.md
+++ b/docs/REST API/rest-api.md
@@ -4199,7 +4199,7 @@ This endpoint tells Fleet to run a custom MDM command, on the targeted macOS hos
 | Name | Type | In | Description |
 | ------------------------- | ------ | ----- | ------------------------------------------------------------------------- |
 | command | string | json | A base64-encoded MDM command as described in [Apple's documentation](https://developer.apple.com/documentation/devicemanagement/commands_and_queries). Supported formats are standard ([RFC 4648](https://www.rfc-editor.org/rfc/rfc4648.html)) and raw (unpadded) encoding ([RFC 4648 section 3.2](https://www.rfc-editor.org/rfc/rfc4648.html#section-3.2)) |
-| device_ids | array | json | An array of host UUIDs enrolled in Fleet's MDM on which the command should run. |
+| device_ids | array | json | An array of macOS host UUIDs enrolled in Fleet's MDM on which the command should run. |
 
 Note that the `EraseDevice` and `DeviceLock` commands are _available in Fleet Premium_ only.
 
diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
index 932c6fc95..8c092173b 100644
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@@ -1026,9 +1026,9 @@ func (svc *Service) EnqueueMDMAppleCommand(
 if mysqlErr.Number == mysqlerr.ER_NO_REFERENCED_ROW_2 {
 err := fleet.NewInvalidArgumentError(
 "device_ids",
- fmt.Sprintf("at least one of the hosts is not enrolled in MDM: %v", err),
- ).WithStatus(http.StatusConflict)
- return http.StatusConflict, nil, ctxerr.Wrap(ctx, err, "enqueue command")
+ fmt.Sprintf("at least one of the hosts is not enrolled in MDM or is not a macOS device: %v", err),
+ ).WithStatus(http.StatusBadRequest)
+ return http.StatusBadRequest, nil, ctxerr.Wrap(ctx, err, "enqueue command")
 }
 }
diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go
index 9891173a2..bfbced8d2 100644
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@@ -4410,10 +4410,22 @@ func (s *integrationMDMTestSuite) TestEnqueueMDMCommand() {
 enqueueMDMAppleCommandRequest{
 Command: base64Cmd(newRawCmd(uuid.New().String())),
 DeviceIDs: []string{unenrolledHost.UUID},
- }, http.StatusConflict)
+ }, http.StatusBadRequest)
 errMsg := extractServerErrorText(res.Body)
 require.Contains(t, errMsg, "at least one of the hosts is not enrolled in MDM")
 
+ // create a new Host to get the UUID on the DB
+ linuxHost := createOrbitEnrolledHost(t, "linux", "h1", s.ds)
+ windowsHost := createOrbitEnrolledHost(t, "windows", "h2", s.ds)
+ // call with unenrolled host UUID
+ res = s.Do("POST", "/api/latest/fleet/mdm/apple/enqueue",
+ enqueueMDMAppleCommandRequest{
+ Command: base64Cmd(newRawCmd(uuid.New().String())),
+ DeviceIDs: []string{linuxHost.UUID, windowsHost.UUID},
+ }, http.StatusBadRequest)
+ errMsg = extractServerErrorText(res.Body)
+ require.Contains(t, errMsg, "is not a macOS device")
+
 // call with payload that is not a valid, plist-encoded MDM command
 res = s.Do("POST", "/api/latest/fleet/mdm/apple/enqueue",
 enqueueMDMAppleCommandRequest{
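Review bot: The new `fmt.Sprintf` line still interpolates the raw MySQL error with `%v`, so the foreign-key violation text (which typically names the table and constraint) is returned verbatim to the API caller inside the 400 response; that detail belongs in the server-side error, not the client message. Because the `err :=` on the line above shadows the database error, the only copy the `ctxerr.Wrap` call keeps is the one embedded in the user-facing string, so dropping `%v` must be paired with carrying `mysqlErr` into the wrap: `"at least one of the hosts is not enrolled in MDM or is not a macOS device",` and `return http.StatusBadRequest, nil, ctxerr.Wrap(ctx, err, fmt.Sprintf("enqueue command: %v", mysqlErr))`. Whether ctxerr.Wrap records the inner error elsewhere is not visible here, so the second change may be redundant if it does. EnqueueMDMAppleCommand starts and ends outside the hunk.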
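Review bot: The comment `// call with unenrolled host UUID` above the new `res = s.Do(...)` call is copied from the earlier case and describes the wrong scenario; the two hosts come from `createOrbitEnrolledHost` with `"linux"` and `"windows"`, so `// call with UUIDs of non-macOS hosts` states what the case actually exercises. The assertion `require.Contains(t, errMsg, "is not a macOS device")` would also pass for the unenrolled-macOS case, because the server returns one combined message for both conditions, so this case pins the status code and the shared wording but not that platform is what triggered the rejection. TestEnqueueMDMCommand continues on both sides of the hunk.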