fleetdm / fleet

Open device management
https://fleetdm.com

Lock command can be sent via API to macOS host that has MDM turned on and then turned off. #30192

Open marko-lisica opened 2 weeks ago

marko-lisica commented 2 weeks ago

Fleet version: 4.69.0


💥 Actual behavior

I hit POST /api/v1/fleet/hosts/:id/lock to lock a host that has MDM turned off. It was successful and the lock pending badge appeared on the host details.


🧑‍💻 Steps to reproduce

  1. Find a macOS host that has MDM turned off
  2. Take the host ID.
  3. Hit POST /api/v1/fleet/hosts/:id/lock
  4. Observe a successful request, even though MDM is required to lock a Mac.

🕯️ More info (optional)

N/A

🛠️ To fix

Product designer: @marko-lisica

The user shouldn't be able to send a lock request via API to Apple hosts that have MDM turned off.

Show an error if the user tries to do so: "Can't lock the host because it doesn't have MDM turned on."
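Worked example added here (not Fleet's own code): a minimal Go handler for the lock endpoint that enforces the precondition described above on the server side, so any API caller, not just the UI, gets an HTTP 422 with the requested error message instead of a queued lock. `Host`, `HostStore`, `canLock`, `lockHandler` and `sendLock` are hypothetical names, and the host records are constructed sample data; the rule is scoped to Apple platforms exactly as the issue states it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Host is a constructed stand-in for a host record; only the fields this
// check needs are modelled (hypothetical type, not Fleet's own).
type Host struct {
	ID          uint
	Platform    string // "darwin", "ios", "ipados", "windows", ...
	MDMEnrolled bool   // true only while the device is enrolled in MDM
}

// HostStore is the minimal lookup the handler depends on (constructed).
type HostStore map[uint]Host

// ErrMDMOff carries the exact message the issue asks the API to return.
var ErrMDMOff = errors.New("Can't lock the host because it doesn't have MDM turned on.")

// canLock is the precondition: an Apple host may only receive a lock command
// while it is enrolled in MDM. It lives outside the HTTP layer so the rule is
// applied no matter which client (UI, fleetctl, raw curl) made the request.
func canLock(h Host) error {
	apple := h.Platform == "darwin" || h.Platform == "ios" || h.Platform == "ipados"
	if apple && !h.MDMEnrolled {
		return ErrMDMOff
	}
	return nil
}

// lockHandler serves POST /api/v1/fleet/hosts/<id>/lock. A failed precondition
// is reported as 422 with a JSON error body; the lock is queued only when the
// check passes, so a bad request never leaves a "lock pending" state behind.
func lockHandler(store HostStore, queued *[]uint) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		// Expected shape: api/v1/fleet/hosts/<id>/lock (six path segments).
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) != 6 || parts[5] != "lock" {
			http.NotFound(w, r)
			return
		}
		id, err := strconv.ParseUint(parts[4], 10, 64)
		if err != nil {
			http.NotFound(w, r)
			return
		}
		h, ok := store[uint(id)]
		if !ok {
			w.WriteHeader(http.StatusNotFound)
			json.NewEncoder(w).Encode(map[string]string{"message": "host not found"})
			return
		}
		if err := canLock(h); err != nil {
			w.WriteHeader(http.StatusUnprocessableEntity)
			json.NewEncoder(w).Encode(map[string]string{"message": err.Error()})
			return
		}
		*queued = append(*queued, h.ID)
		w.WriteHeader(http.StatusOK)
		json.NewEncoder(w).Encode(map[string]string{"status": "lock pending"})
	}
}

// sendLock drives the handler with an in-memory request and returns the
// status code plus the "message" (or "status") field of the JSON body.
func sendLock(store HostStore, queued *[]uint, hostID uint) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/v1/fleet/hosts/%d/lock", hostID), nil)
	lockHandler(store, queued)(rec, req)
	var body map[string]string
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	if m, ok := body["message"]; ok {
		return rec.Code, m
	}
	return rec.Code, body["status"]
}

// sampleStore is constructed data: one enrolled Mac and one that turned MDM off.
func sampleStore() HostStore {
	return HostStore{
		1: {ID: 1, Platform: "darwin", MDMEnrolled: true},
		2: {ID: 2, Platform: "darwin", MDMEnrolled: false},
	}
}

func main() {
	var queued []uint
	store := sampleStore()
	for _, id := range []uint{1, 2} {
		code, msg := sendLock(store, &queued, id)
		fmt.Printf("host %d -> %d %s\n", id, code, msg)
	}
	fmt.Println("queued lock commands:", queued)
}
```

The point of splitting `canLock` from the handler is that the same check can be reused by whatever path queues MDM commands, so the state a host can reach (lock pending without an MDM channel to deliver it) is ruled out at the API boundary rather than relying on the UI to hide the button.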

AndreyKizimenko commented 1 week ago

Testing notes:

Was able to initially reproduce this on 4.70, but after retesting it on 4.71 the issue appears resolved. When making a lock POST request I'm getting a 422 response with the proper error message: "Can't lock the host because it doesn't have MDM turned on."


Moving to Ready for release

Additional testing: