Unable to enroll (ABM) macOS host into a team with End user authentication enabled

[spalmesano0]

• #help-customers: Slack thread.

Fleet version: v4.77.0

Web browser and operating system: N/A

---

💥  Actual behavior

An ABM enrolled Mac is prompted to enroll with the macOS enrollment (Remote Management) screen, but then nothing happens when the end user clicks "Enroll."

Fleet server logs show:

{"component":"http","computer_name":"xxxxxxxxxx-mac","err":"END_USER_AUTH_REQUIRED","hardware_model":"Mac15,7","hardware_serial":"XXXXXXXXXX","hardware_uuid":"xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx","hostname":"xxxxxxxxx-mac","level":"error","method":"POST","osquery_identifier":"","platform":"darwin","platform_like":"darwin","took":"5.372943ms","ts":"2025-12-11T18:27:51.609160657Z","uri":"/api/fleet/orbit/enroll","user":"unauthenticated"}

🛠️ To fix

TODO

🧑‍💻  Steps to reproduce

These steps:

• [ ] Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
• [x] Describe the workflow that led to the error, but have not yet been reproduced in multiple Fleet instances.

1. Create a team with End user authentication enabled.
2. Try to enroll a Mac into that team through ADE.

🕯️ More info (optional)

May be related to #37127.

Current workaround is to either:

1. Turn off End user authentication for the team.
2. Enroll the host in a team that doesn't have End user authentication.