Closed jrreed closed 1 year ago
Sorry, I did not read the API docs correctly.
So the issue here was that I was submitting the request with the team_id as a field in the request body, which the API was just ignoring because it's supposed to be a query param.
Altering the request to submit the team_id as a query param resolved the issue, which is documented in the API correctly -- that's my fault, sorry 🤦
POST https://harmonize-stg.cloud.fleetdm.com/api/v1/fleet/mdm/apple/profiles/batch?team_id=<TEAM_ID>
The HTTP-403 was because the server thought my dedicated API-only 'admin' User for a Team was trying to create global profiles, which it was not authorized to do because it did not have global 'admin' permissions.
Perhaps a couple suggestions:
team_id as a query param on a POST is unexpected both for REST and for the rest of the FleetDM APIs.
team_id as a field in the request body JSON
team_id as either a URL path parameter _(api/v1/fleet/teams/{team_id}/mdm/apple/profiles/batch)_ or a field in the request body would be more consistent

Forbidden no more, Profiles batched as they soar, Cloud city endures.
Fleet version: 4.30.1
Operating system: macOS 12.6
Web browser: Chrome 112.0.5615.137
🧑💻 Expected behavior
Issuing a POST /api/v1/fleet/mdm/apple/profiles/batch API with:
team_id
Authorization: Bearer <API_TOKEN> from a User with an 'admin' role for the same team_id
should result in an HTTP-2XX response

💥 Actual behavior
API responds with an HTTP-403 and the following JSON in the response body:

👣 Reproduction steps
Team: POST /api/v1/fleet/teams
User for the Team: POST /api/v1/fleet/users/admin with the following request body:
Team admin User: POST /api/v1/fleet/login
Team using the User API token: (verbose request log output from our API client)
HTTP-403 response 💥 (verbose response log output from our API client)
'admin' User
HTTP-204 response ✅
Team: GET /api/v1/fleet/mdm/apple/profiles?team_id=<TEAM_ID>
More info
Hi!
I'm currently implementing a service to bootstrap and sync Apple MDM configuration profiles across our Fleet Team records using the Batch-apply Apple MDM custom settings API.
Our current implementation pairs each Team record with a dedicated API-only 'admin' User record. All API requests for a Team are issued using the API token from that Team's dedicated API-only 'admin' User record.
I can get a successful HTTP-2XX response from the server if I use an API token for a Global 'admin' User, but it doesn't appear to be creating the profiles because when I then attempt to retrieve the profiles I just created I get an empty list.
I'm not quite sure what I'm doing wrong...
I don't think it's a problem with the Base64 encoded profiles because I can create Apple MDM configuration profiles with the same files, but using the Add custom macOS setting API instead:
I don't think it's a problem with the dedicated API-only 'admin' User record for the Team because I can make other Team specific API requests using the dedicated API-only 'admin' User API token and receive expected successful results.
Any help would be much appreciated.
Thanks in advance!