Hi all, is this a table on osquery side or on fleet side? I have a few of these errors with a variety of tables allegedly missing. Seems like this is from the osquery side as it’s coming from the TLS status log from osquery agents not fleet error log.

"Error executing distributed query: fleet_detail_query_mdm: no such table: mdm","version":"5.2.3","decorations":{"company":"xxxx","host_hostname":"xxxxxx","username":"xxx"}}

The fact that the log is coming from the osquery side just means that it attempted to run the query but found no table. You can see the available tables here https://osquery.io/schema/5.2.3/. In any case mdm is not in official osquery.

Ah so my issue is I am running vanilla osquery but the fleet version provided by orbit has extra tables is that correct? I was unaware fleet were customising osquery in this way. I may need to look into orbit in that case, but I was happy with vanilla osquery sigh

I think that MDM functionality requires

macadmins

extension which will provide you with the

mdm

table: https://fleetdm.com/docs/using-fleet/rest-api#get-hosts-mobile-device-management-mdm-and-munki-information , thats what i see in the docs

Ah ok thanks, it's so strange because I am not even using the MDM policy in fleet. Maybe I accidentally clicked it or something?

Hi folks, this is a bug we'll be fixing soon. Those extension tables are only available in "Fleet osquery" (aka Orbit). The bug is that Fleet always sends these queries to macOS hosts. I've created #5992 to fix the issue.

Ah ok so I wasn’t going crazy then