diff --git a/proto b/proto
index de58067..8309982 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit de58067ab652f6e5ddf84c7bbc6e4d2363914738
+Subproject commit 8309982b94e82a7cbe39dd529967f43e49b3ef1d
diff --git a/src/error.rs b/src/error.rs
index d5eec03..fec4b2c 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,12 +1,12 @@
-use crate::proto::CoreError;
 use axum::{
     http::StatusCode,
     response::{IntoResponse, Response},
     Json,
 };
 use serde_json::json;
-use tonic::metadata::errors::InvalidMetadataValue;
-use tonic::{Code, Status};
+use tonic::{metadata::errors::InvalidMetadataValue, Code, Status};
+
+use crate::proto::CoreError;
 
 #[derive(thiserror::Error, Debug)]
 pub enum ApiError {
@@ -24,6 +24,8 @@ pub enum ApiError {
     InvalidResponseType,
     #[error("Permission denied: {0}")]
     PermissionDenied(String),
+    #[error("Enterprise not enabled")]
+    EnterpriseNotEnabled,
 }
 
 impl IntoResponse for ApiError {
@@ -33,6 +35,10 @@ impl IntoResponse for ApiError {
             Self::Unauthorized(msg) => (StatusCode::UNAUTHORIZED, msg),
             Self::BadRequest(msg) => (StatusCode::BAD_REQUEST, msg),
             Self::PermissionDenied(msg) => (StatusCode::FORBIDDEN, msg),
+            Self::EnterpriseNotEnabled => (
+                StatusCode::PAYMENT_REQUIRED,
+                "Enterprise features are not enabled".to_string(),
+            ),
             _ => (
                 StatusCode::INTERNAL_SERVER_ERROR,
                 "Internal server error".to_string(),
@@ -55,6 +61,11 @@ impl From<CoreError> for ApiError {
             Code::Unauthenticated => ApiError::Unauthorized(status.message().to_string()),
             Code::InvalidArgument => ApiError::BadRequest(status.message().to_string()),
             Code::PermissionDenied => ApiError::PermissionDenied(status.message().to_string()),
+            Code::FailedPrecondition => match status.message().to_lowercase().as_str() {
+                // TODO: find a better way than matching on the error message
+                "no valid license" => ApiError::EnterpriseNotEnabled,
+                _ => ApiError::Unexpected(status.to_string()),
+            },
             _ => ApiError::Unexpected(status.to_string()),
         }
     }
diff --git a/src/handlers/mod.rs b/src/handlers/mod.rs
index 6531087..4d77261 100644
--- a/src/handlers/mod.rs
+++ b/src/handlers/mod.rs
@@ -1,11 +1,12 @@
-use crate::{error::ApiError, proto::core_response::Payload};
+use std::time::Duration;
+
 use axum::{extract::FromRequestParts, http::request::Parts};
 use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
 use axum_extra::{headers::UserAgent, TypedHeader};
-use std::time::Duration;
 use tokio::{sync::oneshot::Receiver, time::timeout};
 
 use super::proto::DeviceInfo;
+use crate::{error::ApiError, proto::core_response::Payload};
 
 pub(crate) mod desktop_client_mfa;
 pub(crate) mod enrollment;