💥 Actual behavior
When an organization has an & (or <) character in its organization name, the MDM enrollment profile Fleet generates is invalid, because the organization name is inserted verbatim into the values for <key>PayloadOrganization</key> and <key>PayloadDisplayName</key> without escaping those characters. The result is malformed XML: a bare & must be written as &amp; and a bare < as &lt; in character data. See Section 2.4 of the W3C XML 1.0 recommendation.
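To make the defect concrete, here is a small Go program (an added example, not Fleet's own profile-generation code) that renders a constructed, minimal plist stand-in for the enrollment profile two ways: once by substituting the organization name verbatim, which reproduces the bug, and once after passing it through encoding/xml's EscapeText. A strict XML tokenizer is then run over both outputs to show which one is well-formed. The template, key names beyond the two from the report, and the sample organization names are all constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"text/template"
)

// profileTemplate is a constructed, minimal stand-in for an MDM enrollment
// profile. It is not Fleet's real template; only the two keys named in the
// bug report are included.
const profileTemplate = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>{{.OrgName}} enrollment</string>
  <key>PayloadOrganization</key>
  <string>{{.OrgName}}</string>
</dict>
</plist>
`

// renderUnescaped reproduces the defect: the organization name is substituted
// verbatim by text/template, so "&" and "<" land in the document as raw markup
// characters instead of character data.
func renderUnescaped(orgName string) (string, error) {
	tmpl := template.Must(template.New("profile").Parse(profileTemplate))
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, map[string]string{"OrgName": orgName})
	return buf.String(), err
}

// renderEscaped is the corrected variant: the name is run through
// xml.EscapeText first, which rewrites "&" as "&amp;" and "<" as "&lt;"
// (plus ">", quotes and a few control characters), as XML 1.0 section 2.4
// requires for character data.
func renderEscaped(orgName string) (string, error) {
	var esc bytes.Buffer
	if err := xml.EscapeText(&esc, []byte(orgName)); err != nil {
		return "", err
	}
	return renderUnescaped(esc.String())
}

// wellFormed drives encoding/xml's strict tokenizer over the whole document
// and reports whether it reaches EOF without a syntax error. This is the same
// kind of check an XML linter performs on the downloaded profile.
func wellFormed(doc string) bool {
	dec := xml.NewDecoder(bytes.NewReader([]byte(doc)))
	for {
		_, err := dec.Token()
		if err == io.EOF {
			return true
		}
		if err != nil {
			return false
		}
	}
}

func main() {
	for _, name := range []string{"Fleet & Test", "Fleet < Test"} {
		bad, _ := renderUnescaped(name)
		good, _ := renderEscaped(name)
		fmt.Printf("%q unescaped well-formed: %v\n", name, wellFormed(bad))
		fmt.Printf("%q escaped   well-formed: %v\n", name, wellFormed(good))
	}
}
```

The fix in the renderer is a single escaping step at the point where untrusted text meets the template, rather than trying to sanitize organization names on input; names are legitimate user data and the profile generator is the component that knows it is producing XML.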
🧑💻 Steps to reproduce
In Fleet, change the organization name to something that includes an & character, for example Fleet & Test.
Obtain the manual enrollment profile via the GET /api/v1/fleet/enrollment_profiles/manual endpoint.
You can attempt to install the profile and see that it fails with an error. I opened mine up in a text editor (I used CodeRunner) that can lint XML files. I got errors in the lines that contained the organization name with an & character.
🕯️ More info (optional)
Please note that I did not go through these steps to reproduce the issue in dogfood as I did not want to change the organization name and create a bug that might result in devices not being able to enroll in MDM.
Fleet version: 4.51.1