TopoloMDM
MDM platform cluster spanning a device API, tenant realtime hub, operator console, Android DPC, and mobile scaffold.
Documentation Map
What It Is
MDM platform cluster spanning a device API, tenant realtime hub, operator console, Android DPC, and mobile scaffold.
Architecture
Owners: device-platform
Source repos: apps/system/TopoloProvision
Dependencies: topolo-auth, applications-packages, topolo-developers
Repo shape
No repo surface entries were detected from the registered repo paths.
Runtime Surfaces
Hosts:
- https://mdm.topolo.app
- https://mdm-api.topolo.app
- https://mdm.stg.topolo.us
- https://mdm-api.stg.topolo.us
No wrangler surface was discovered under the registered repo paths.
API Reference
Coverage: curated
Source: PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx
Source exists in repo: no
Canonical MDM coverage now lives in the docs application, and the console authenticated workspace renders through `TopoloAppShell`, inheriting shared Improve Topolo and TopoloNotify chrome while keeping fleet workflows MDM-owned. The console now routes launcher catalog reads plus tenant bootstrap through same-origin /api/auth/* on the app host. The console browser callback delegates one-time `sso_code` exchange to the shared Auth client instead of carrying MDM-local `/sso/exchange` protocol logic.

The API worker validates browser console JWTs by resolving the `topolo-mdm` service slug and keeps API-key validation under the separate `topolo-mdm-api` slug. Device registration and first-poll recovery consume authenticated enrollment-session tokens, then issue device credentials required for subsequent poll, command-status, device realtime, and device FCM-token registration calls. The API worker owns a tenant-scoped `TENANT_EVENTS` Durable Object for operator WebSocket fleet events and device command wakeups, and uses Firebase Cloud Messaging HTTP v1 as a data-only wake channel for enrolled Android devices that have posted an FCM token.

TopoloProvision QR/R2 APK builds remain the device-owner enrollment path, while Google Play internal-testing builds are a sales/demo distribution lane that runs without kiosk/device-owner assumptions until Android Enterprise enrollment. Current Android DPC builds call `https://mdm-api.topolo.app`; the Topolo-owned staging mirror uses `https://mdm-api.stg.topolo.us`. The Android package id is `com.topolo.provision` for Firebase, Google Play, and Android Enterprise device-admin payloads.

Install-package catalog reads now point at the Developers-owned `https://developers.topolo.app/api/apps` route, where Topolo Feed, Topolo Provision, and the 22 retained Topolo Mobile Android APKs are R2-backed installable rows served from apk.topolo.app, while Topolo MDM Mobile remains Android/iOS metadata until its own mobile release.
The mobile scaffold reads only the SDK-managed topolo_access_token key for bearer API requests, subscribes to `/events` for fleet freshness, and resolves `topolo_auth_flutter` from the canonical Auth repo git package path.
App API page: /reference/apps/topolo-mdm
This system currently relies on a curated or README-derived contract surface instead of a source-controlled OpenAPI spec.
Auth and Permissions
Depends on Topolo Auth: yes
Service IDs:
- srv_02eOqAEBBG3F
- srv_CybRl1xIRoAI
- srv_Vfp9Yn4yduAV
API key scopes
- View app catalog and installations (resource pattern: none)
- Manage app deployments (resource pattern: none)
- Send remote commands to enrolled devices (resource pattern: none)
- View MDM dashboard (resource pattern: none)
- Administer managed devices and tenant-level device access (resource pattern: none)
- Send commands to devices (lock, wipe, etc.) (resource pattern: none)
- View device inventory and status (resource pattern: none)
- Enroll and configure devices (resource pattern: none)
- Administer MDM fleet management operations (resource pattern: none)
- Author and assign device policies (resource pattern: none)
- View device policies and profiles (resource pattern: none)
- Create and edit device policies (resource pattern: none)
- View MDM reports and analytics (resource pattern: none)
- Access device analytics and metrics (resource pattern: none)
- View device command history (resource pattern: none)
- Send commands to devices (resource pattern: none)
- View device events and logs (resource pattern: none)
- Read device state and status data (resource pattern: none)
- Update device state information (resource pattern: none)
- Manage MDM API machine credentials (resource pattern: none)
Service permissions
apps:read, apps:write, commands:invoke, dashboard:read, devices:admin, devices:control, devices:read, devices:write, mdm:admin, policies:manage, policies:read, policies:write, reports:read, analytics:read, commands:read, commands:write, events:read, state:read, state:write, api_keys:write
Data Ownership
No storage bindings were derived from wrangler configuration.
Queues / Cron / Workflows
Queue bindings:
No queue bindings were detected.
Cron triggers
No cron triggers were detected.
Workflow signals
No explicit queue/workflow script or cron signal was discovered.
Environment Variables and Bindings
Environment variables:
No environment variables were derived from wrangler configuration.
All wrangler bindings
No bindings were derived from wrangler configuration.
Deployments
Deployment environments: default only or not declared
Routes: workers.dev or Pages-only delivery
Observability enabled: no explicit setting found
Failure Modes
- No wrangler.toml surface was discovered under the registered repo paths.
- The registered contract source is missing: PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx
- Neither OpenAPI nor README-derived interface detail was found.
Debugging Runbooks
Start with these entrypoints:
- PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx
Change Log / Verification
Lifecycle: active
Last verified: 2026-05-14
Any code change to this system is expected to update the canonical docs in PlatformApplications/TopoloDocs and refresh the verification date.