Application API

TopoloMDM

Clear API and contract surface for TopoloMDM, grouped under the application instead of split across generic reference sections.

Authority

Service IDs: svc_topolo_mdm_console, svc_topolo_mdm_api, svc_topolo_state_api

Repos: PlatformApplications/TopoloMDM, PlatformApplications/TopoloMDM/topolo-provision

Hosts: https://topolo-mdm-api.topolo.app, https://topolo-mdm-api.topolo.workers.dev

Dependencies: topolo-auth, applications-packages, topolo-developers

Depends on Topolo Auth: yes

Contract Source

Type: curated

Source: PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx

Source exists: yes

Canonical MDM coverage now lives in the docs application, and the console authenticated workspace renders through `TopoloAppShell`, inheriting shared Improve Topolo and TopoloNotify chrome while keeping fleet workflows MDM-owned.

The console now routes launcher catalog reads plus tenant bootstrap through same-origin `/api/auth/*` on the app host. The console browser callback delegates one-time `sso_code` exchange to the shared Auth client instead of carrying MDM-local `/sso/exchange` protocol logic. The API worker validates browser console JWTs against `svc_topolo_mdm_console` while keeping API-key validation under `svc_topolo_mdm_api`.

Device registration and first-poll recovery consume authenticated enrollment-session tokens, then issue device credentials required for subsequent poll, command-status, device realtime, and device FCM-token registration calls. The API worker owns a tenant-scoped `TENANT_EVENTS` Durable Object for operator WebSocket fleet events and device command wakeups, and uses Firebase Cloud Messaging HTTP v1 as a data-only wake channel for enrolled Android devices that have posted an FCM token.

TopoloProvision QR/R2 APK builds remain the device-owner enrollment path, while Google Play internal-testing builds are a sales/demo distribution lane that runs without kiosk/device-owner assumptions until Android Enterprise enrollment. Current Android DPC builds call `https://topolo-mdm-api.topolo.app`; the Android package id is `com.topolo.provision` for Firebase, Google Play, and Android Enterprise device-admin payloads. Install-package catalog reads now point at the Developers-owned `https://developers.topolo.app/api/apps` route, where Topolo Feed, Topolo Provision, and the 22 retained Topolo Mobile Android APKs are R2-backed installable rows served from `apk.topolo.app`, while Topolo MDM Mobile remains Android/iOS metadata until its own mobile release.

The mobile scaffold reads only the SDK-managed `topolo_access_token` key for bearer API requests, subscribes to `/events` for fleet freshness, and resolves `topolo_auth_flutter` from the canonical Auth repo git package path.

API key scopes in Auth catalog: 20

Auth Requirements

No global OpenAPI security scheme is declared.

  • apps.read
  • apps.write
  • dashboard.read
  • devices.admin
  • devices.control
  • devices.read
  • devices.write
  • policies.read
  • policies.write
  • reports.read
  • api_keys.write
  • mdm.admin
  • mdm.read
  • mdm.write
  • analytics.read
  • commands.read
  • commands.write
  • events.read
  • state.read
  • state.write

Runtime and Deployment

Wrangler surfaces: PlatformApplications/TopoloMDM/topolo-mdm-api/wrangler.toml, PlatformApplications/TopoloMDM/topolo-mdm-console/wrangler.toml, PlatformApplications/TopoloMDM/topolo-provision/wrangler.toml

Environment variables: APP_CATALOG_URL, AUTH_BASE_URL, BROWSER_SERVICE_ID, DEFAULT_TENANT, FEED_API_URL, SERVICE_ID, STATE_API_URL

Routes: workers.dev or Pages-only delivery

Observability enabled: yes

README-Derived Interface Surface

Source: PlatformApplications/TopoloMDM/README.md

No route-level highlights were extracted from the current README.

Package Surfaces

topolo-mdm-api

State management API for Topolo MDM multi-tenant system

Source: PlatformApplications/TopoloMDM/topolo-mdm-api/package.json

Scripts: dev, deploy, deploy:dry-run, lint, build, test, local-dev, remote-dev, seed-test-data, dev:with-test-data, dev:with-remote

topolo-mdm-console

Topolo MDM Console - Enterprise Device Management

Source: PlatformApplications/TopoloMDM/topolo-mdm-console/package.json

Scripts: dev, build, deploy, lint, preview, astro, typecheck

This application does not yet have a source-controlled OpenAPI spec in the docs platform. The current API page is derived from the registered contract source and repository surface.