Closed tomsik-radek closed 7 months ago
Error: POST /api/latest/fleet/mdm/apple/request_csr received status 422 Validation Failed: this email address is not valid: Bad Request
Sorry to see you are having issues. This certificate requires an email that is a work email and not a personal email, so it can't be @gmail / yahoo / hotmail etc.
Please let me know if you have any other questions.
Putting https://[redacted]:8080/api/latest/fleet/version into browser returns "message": "Authorization header required", which seems correct
This is correct, the UI is supplying the auth header explicitly for each API call and not as a cookie, so just opening this in the browser does not work by design. You can get the server version information easily from the My Account page in the UI at /account
Thanks for a quick answer. Suggestion: That email limitation should REALLY be mentioned in the docs. Also, maybe it should say "Yes, it says Apple, but this is used for Windows as well."
Second: Why is it limited to work accounts? This is on my server, at home, self hosted, in a homelab. I can create a Fleet admin account with a Google email address, so why can't I use MDM with it?
As for the API link, I'm aware. I just mentioned it to make it clear that "yes, the API is visible from the outside"
Absolutely understandable. I tracked down the original feature work and will open a PR to add a summary of this to the documentation.
Here are the lists of emails that are currently blocked https://github.com/fleetdm/fleet/blob/d5df23964b0b52f1d442b66ffe4451dc2a9ef969/website/api/controllers/deliver-apple-csr.js#L60 and the reasoning is ultimately based on https://mdmcert.download/about
Why is my email address not allowed? We block most free and disposable email accounts as a measure to prevent individual use and personal devices. This is a requirement from Apple.
I'll go ahead and close this issue when the Documentation update is merged. Please let me know if there is anything else you needed here.
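A pre-flight check in the spirit of the validation described in the comment above, as an added example that is not Fleet's code. The blocklist is constructed from the three providers named in this thread only, and `BLOCKED_DOMAINS` and `checkCsrEmail` are hypothetical names.

```javascript
// Constructed blocklist: only the providers named in this thread.
// The list Fleet actually uses lives in the linked deliver-apple-csr.js controller.
const BLOCKED_DOMAINS = new Set(['gmail.com', 'yahoo.com', 'hotmail.com']);

// Returns { ok, status, reason }. Rejections use 422 to mirror the error in the issue.
function checkCsrEmail(email) {
  if (typeof email !== 'string') {
    return { ok: false, status: 422, reason: 'email must be a string' };
  }
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf('@');
  // Require exactly one "@", a non-empty local part and a non-empty domain.
  if (at <= 0 || at !== trimmed.indexOf('@') || at === trimmed.length - 1) {
    return { ok: false, status: 422, reason: 'malformed address' };
  }
  // Normalize: lowercase, and drop the trailing dot of a fully qualified name.
  const domain = trimmed.slice(at + 1).toLowerCase().replace(/\.$/, '');
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) {
    return { ok: false, status: 422, reason: 'malformed domain' };
  }
  // Check the domain and each parent domain, so "mail.gmail.com" is caught
  // while a look-alike such as "notgmail.com" is not.
  const labels = domain.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (BLOCKED_DOMAINS.has(candidate)) {
      return { ok: false, status: 422, reason: `free email provider: ${candidate}` };
    }
  }
  return { ok: true, status: null, reason: 'accepted' };
}
```

Running a check like this before `fleetctl generate mdm-apple` surfaces the rejection locally with a specific reason instead of the generic "this email address is not valid" response.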
@georgekarrv Would you be willing to edit your comment? I forgot my domain name there. Thanks. Otherwise this can be closed.
Windows MDM keys untamed, Fleet's issue, now resolved, named. In a cloud city, no blame.
Fleet version: fleetctl - version 4.47.1
Web browser and operating system: Windows 11 23H2, Firefox 123.0.1
Fleet server is running on Alma Linux 9.3, installed using the CentOS guide. Valid certificate via Letsencrypt, port 8080 port forwarded.
💥  Actual behavior
When attempting to create https://fleetdm.com/guides/windows-mdm-setup, I get the following error
Error: POST /api/latest/fleet/mdm/apple/request_csr received status 422 Validation Failed: this email address is not valid: Bad Request
Result of
fleetctl generate mdm-apple --email [redacted]@gmail.com --org [redacted] --debug