application public active Verified 2026-04-27

TopoloMDM

MDM platform cluster spanning a device API, tenant realtime hub, operator console, Android DPC, and mobile scaffold.

What It Is

Canonical documentation for TopoloMDM lives in `PlatformApplications/TopoloDocs`.

Use this repository for implementation only. Local product and operational docs have been retired in favor of the docs application.

Architecture

Owners: device-platform

Source repos: PlatformApplications/TopoloMDM, PlatformApplications/TopoloMDM/topolo-provision

Dependencies: topolo-auth, applications-packages, topolo-developers

Repo shape

  • PlatformApplications/TopoloMDM/README.md
  • PlatformApplications/TopoloMDM/migration.config.ts
  • PlatformApplications/TopoloMDM/topolo-mdm-api/
  • PlatformApplications/TopoloMDM/topolo-mdm-console/
  • PlatformApplications/TopoloMDM/topolo-mdm-mobile/
  • PlatformApplications/TopoloMDM/topolo-provision/
  • PlatformApplications/TopoloMDM/topolo.cloudcontrol.json
  • PlatformApplications/TopoloMDM/topolo-provision/app/
  • PlatformApplications/TopoloMDM/topolo-provision/build-play-internal-aab.sh
  • PlatformApplications/TopoloMDM/topolo-provision/build-provision-apk.sh
  • PlatformApplications/TopoloMDM/topolo-provision/build.gradle.kts
  • PlatformApplications/TopoloMDM/topolo-provision/checksums.sh
  • PlatformApplications/TopoloMDM/topolo-provision/deployR2.sh
  • PlatformApplications/TopoloMDM/topolo-provision/docs/
  • PlatformApplications/TopoloMDM/topolo-provision/feat_payments/
  • PlatformApplications/TopoloMDM/topolo-provision/feat_payments_dfm/
  • PlatformApplications/TopoloMDM/topolo-provision/gradle/
  • PlatformApplications/TopoloMDM/topolo-provision/gradle.properties
  • PlatformApplications/TopoloMDM/topolo-provision/gradlew
  • PlatformApplications/TopoloMDM/topolo-provision/gradlew.bat

Runtime Surfaces

Hosts:

  • https://topolo-mdm-api.topolo.app
  • https://topolo-mdm-api.topolo.workers.dev

topolo-mdm-api

Config: PlatformApplications/TopoloMDM/topolo-mdm-api/wrangler.toml

Main: index.js

Routes: workers.dev or asset-only surface

topolo-mdm-console

Config: PlatformApplications/TopoloMDM/topolo-mdm-console/wrangler.toml

Main: not declared

Routes: workers.dev or asset-only surface

topolo-provision

Config: PlatformApplications/TopoloMDM/topolo-provision/wrangler.toml

Main: not declared

Routes: workers.dev or asset-only surface

API Reference

Coverage: curated

Source: PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx

Source exists in repo: yes

Canonical MDM coverage now lives in the docs application, and the console authenticated workspace renders through `TopoloAppShell`, inheriting shared Improve Topolo and TopoloNotify chrome while keeping fleet workflows MDM-owned.

The console now routes launcher catalog reads plus tenant bootstrap through same-origin `/api/auth/*` on the app host. The console browser callback delegates one-time `sso_code` exchange to the shared Auth client instead of carrying MDM-local `/sso/exchange` protocol logic. The API worker validates browser console JWTs against `svc_topolo_mdm_console` while keeping API-key validation under `svc_topolo_mdm_api`.

Device registration and first-poll recovery consume authenticated enrollment-session tokens, then issue device credentials required for subsequent poll, command-status, device realtime, and device FCM-token registration calls.

The API worker owns a tenant-scoped `TENANT_EVENTS` Durable Object for operator WebSocket fleet events and device command wakeups, and uses Firebase Cloud Messaging HTTP v1 as a data-only wake channel for enrolled Android devices that have posted an FCM token.

TopoloProvision QR/R2 APK builds remain the device-owner enrollment path, while Google Play internal-testing builds are a sales/demo distribution lane that runs without kiosk/device-owner assumptions until Android Enterprise enrollment. Current Android DPC builds call `https://topolo-mdm-api.topolo.app`; the Android package id is `com.topolo.provision` for Firebase, Google Play, and Android Enterprise device-admin payloads.

Install-package catalog reads now point at the Developers-owned `https://developers.topolo.app/api/apps` route, where Topolo Feed, Topolo Provision, and the 22 retained Topolo Mobile Android APKs are R2-backed installable rows served from apk.topolo.app, while Topolo MDM Mobile remains Android/iOS metadata until its own mobile release.

The mobile scaffold reads only the SDK-managed `topolo_access_token` key for bearer API requests, subscribes to `/events` for fleet freshness, and resolves `topolo_auth_flutter` from the canonical Auth repo git package path.
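As an added example (not TopoloMDM source code), the credential separation described above can be written as a default-deny policy check that runs after signature or key verification. The operation names, the operator scope pairings, and the shape of the verified-credential object are assumptions; the service IDs and the enrollment-session versus device-credential split come from the text above.

```javascript
// Added illustration, not TopoloMDM source. Operation names, operator scope
// pairings and the verified-credential shape are assumptions.
const SERVICE_FOR_KIND = new Map([
  ["console_jwt", "svc_topolo_mdm_console"], // browser console JWTs
  ["api_key", "svc_topolo_mdm_api"],         // machine API keys
]);
// Device operations and the only credential class each one accepts.
const DEVICE_OPS = new Map([
  ["device.register", "enrollment_session"],
  ["device.first_poll_recovery", "enrollment_session"],
  ["device.poll", "device_credential"],
  ["device.command_status", "device_credential"],
  ["device.realtime", "device_credential"],
  ["device.fcm_token", "device_credential"],
]);
// Operator operations and the scope each needs (hypothetical pairing).
const OPERATOR_OPS = new Map([
  ["fleet.list", "devices.read"],
  ["fleet.command", "devices.control"],
]);
const deny = (reason) => ({ ok: false, reason });
// Assumption: colon-form service permissions map 1:1 to dot-form scopes.
const toScope = (grant) => String(grant).replace(":", ".");

// cred is the result of verification done elsewhere:
// { kind, serviceId, tenant, grants }. This function only decides policy.
function authorize(op, tenant, cred) {
  if (!cred || !tenant || cred.tenant !== tenant) return deny("tenant mismatch");
  if (DEVICE_OPS.has(op)) {
    const need = DEVICE_OPS.get(op);
    return cred.kind === need ? { ok: true } : deny(`${op} requires ${need}`);
  }
  if (!OPERATOR_OPS.has(op)) return deny("unknown operation"); // default deny
  const service = SERVICE_FOR_KIND.get(cred.kind);
  if (!service) return deny("credential class not valid for operators");
  if (cred.serviceId !== service) return deny(`expected ${service}`);
  const scopes = (cred.grants || []).map(toScope);
  return scopes.includes(OPERATOR_OPS.get(op))
    ? { ok: true }
    : deny(`missing scope ${OPERATOR_OPS.get(op)}`);
}

// Constructed sample credentials.
const enrollment = { kind: "enrollment_session", tenant: "t1" };
const device = { kind: "device_credential", tenant: "t1" };
const consoleJwt = { kind: "console_jwt", serviceId: "svc_topolo_mdm_console",
                     tenant: "t1", grants: ["devices:read"] };
const wrongAud = { ...consoleJwt, serviceId: "svc_topolo_mdm_api" };
```

Using `Map` lookups instead of plain-object `in` checks keeps inherited keys such as `toString` from matching as operations.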

App API page: /reference/apps/topolo-mdm

This system currently relies on a curated or README-derived contract surface instead of a source-controlled OpenAPI spec.

Auth and Permissions

Depends on Topolo Auth: yes

Service IDs:

  • svc_topolo_mdm_console
  • svc_topolo_mdm_api
  • svc_topolo_state_api

API key scopes

apps.read

View app catalog and installations

Resource pattern: none

apps.write

Manage app deployments

Resource pattern: none

dashboard.read

View MDM dashboard

Resource pattern: none

devices.admin

Administer managed devices and tenant-level device access

Resource pattern: none

devices.control

Send commands to devices (lock, wipe, etc.)

Resource pattern: none

devices.read

View device inventory and status

Resource pattern: none

devices.write

Enroll and configure devices

Resource pattern: none

policies.read

View device policies and profiles

Resource pattern: none

policies.write

Create and edit device policies

Resource pattern: none

reports.read

View MDM reports and analytics

Resource pattern: none

api_keys.write

Manage MDM API machine credentials

Resource pattern: none

mdm.admin

Full device management access

Resource pattern: none

mdm.read

Read device information

Resource pattern: none

mdm.write

Send commands to managed devices

Resource pattern: none

analytics.read

Access device analytics and metrics

Resource pattern: none

commands.read

View device command history

Resource pattern: none

commands.write

Send commands to devices

Resource pattern: none

events.read

View device events and logs

Resource pattern: none

state.read

Read device state and status data

Resource pattern: none

state.write

Update device state information

Resource pattern: none

Service permissions

apps:read, apps:write, dashboard:read, devices:admin, devices:control, devices:read, devices:write, policies:read, policies:write, reports:read, api_keys:write, mdm:admin, mdm:read, mdm:write, analytics:read, commands:read, commands:write, events:read, state:read, state:write

Data Ownership

No storage bindings were derived from wrangler configuration.

Queues / Cron / Workflows

Queue bindings:

No queue bindings were detected.

Cron triggers

No cron triggers were detected.

Workflow signals

No explicit queue/workflow script or cron signal was discovered.

Environment Variables and Bindings

Environment variables:

  • APP_CATALOG_URL
  • AUTH_BASE_URL
  • BROWSER_SERVICE_ID
  • DEFAULT_TENANT
  • FEED_API_URL
  • SERVICE_ID
  • STATE_API_URL

All wrangler bindings

No bindings were derived from wrangler configuration.

Deployments

Deployment environments: default only or not declared

Routes: workers.dev or Pages-only delivery

Observability enabled: yes

Wrangler surfaces

  • PlatformApplications/TopoloMDM/topolo-mdm-api/wrangler.toml -> topolo-mdm-api
  • PlatformApplications/TopoloMDM/topolo-mdm-console/wrangler.toml -> topolo-mdm-console
  • PlatformApplications/TopoloMDM/topolo-provision/wrangler.toml -> topolo-provision

Build and deploy commands

  • deploy — PlatformApplications/TopoloMDM/topolo-mdm-api/package.json :: wrangler deploy
  • deploy:dry-run — PlatformApplications/TopoloMDM/topolo-mdm-api/package.json :: npx --yes wrangler@4 deploy --dry-run --config wrangler.toml
  • build — PlatformApplications/TopoloMDM/topolo-mdm-api/package.json :: node --check index.js
  • build — PlatformApplications/TopoloMDM/topolo-mdm-console/package.json :: astro build
  • deploy — PlatformApplications/TopoloMDM/topolo-mdm-console/package.json :: npm run build && npx wrangler pages deploy dist --project-name topolo-mdm-console
  • preview — PlatformApplications/TopoloMDM/topolo-mdm-console/package.json :: astro preview

Failure Modes

No default failure-mode heuristics are currently flagged for this system.

Debugging Runbooks

Start with these entrypoints:

  • PlatformApplications/TopoloMDM/topolo-mdm-api/wrangler.toml
  • PlatformApplications/TopoloMDM/topolo-mdm-console/wrangler.toml
  • PlatformApplications/TopoloMDM/topolo-provision/wrangler.toml
  • PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx
  • PlatformApplications/TopoloMDM/README.md
  • PlatformApplications/TopoloMDM/topolo-mdm-api/package.json
  • PlatformApplications/TopoloMDM/topolo-mdm-console/package.json

Change Log / Verification

Lifecycle: active

Last verified: 2026-04-27

Any code change to this system is expected to update the canonical docs in PlatformApplications/TopoloDocs and refresh the verification date.