diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
index 60095583958f..f1415ab1bc82 100644
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@@ -380,14 +380,10 @@ func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r
 		})
 	}
 
-	if err := svc.ds.ValidateEmbeddedSecrets(ctx, []string{string(b)}); err != nil {
-		return nil, fleet.NewInvalidArgumentError("profile", err.Error())
-	}
-
-	// Expand secrets in profile for validation
+	// Expand and validate secrets in profile
 	expanded, err := svc.ds.ExpandEmbeddedSecrets(ctx, string(b))
 	if err != nil {
-		return nil, ctxerr.Wrap(ctx, err, "expanding secrets in profile for parsing")
+		return nil, ctxerr.Wrap(ctx, fleet.NewInvalidArgumentError("profile", err.Error()))
 	}
 
 	cp, err := fleet.NewMDMAppleConfigProfile([]byte(expanded), &teamID)