weave
module · Endpoints & MDM

Applebusinessmanager

Apple Business Manager — org device pool and MDM server assignments via the AxM API. Auths with an ES256 client-assertion JWT (business.api scope). Read-only: device-assignment writes (orgDeviceActivities) are not wired yet.

Namespace: weave applebusinessmanager Env: ABM_CLIENT_ID
4
Commands
3
State kinds
Endpoints & MDM
Category
1
API docs

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable Description Status
ABM_CLIENT_IDRequired for authentication.required
ABM_KEY_IDRequired for authentication.required
ABM_PRIVATE_KEYRequired for authentication.required

Sanity-check the wiring:

weave secrets check
weave applebusinessmanager --help
weave doctor   # reports ABM_CLIENT_ID status

Capabilities

What this module can do, by entity and verb. means a working CLI surface; · means not (yet) wired.

Entity findlistshowdosnapshotdiffapply
device···
mdm-server····
mdm-server-devices·····
server-device······

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (1)

find device

read

Find an org device by serial number (includes its assigned MDM server).

weave applebusinessmanager find device <serial>

list (3)

list devices

read

List the org device pool.

weave applebusinessmanager list devices <arg>

list mdm-servers

read

List device-management services (MDM servers).

weave applebusinessmanager list mdm-servers <arg>

list server-devices

read

List device serials assigned to one MDM server.

weave applebusinessmanager list server-devices <server-id>
snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diffapply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/applebusinessmanager/.

devices

snapshot diff apply

ABM org device pool — snapshot + diff only (assignment writes are not wired).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: applebusinessmanager
kind: devices
items:
  - # <fields specific to this kind — see snapshot output>

mdm-servers

snapshot diff apply

ABM device-management services — snapshot + diff only.

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: applebusinessmanager
kind: mdm-servers
items:
  - # <fields specific to this kind — see snapshot output>

mdm-server-devices

snapshot diff apply

Device serials assigned to each MDM server — snapshot + diff only.

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: applebusinessmanager
kind: mdm-server-devices
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Org device pool audit

Snapshot and diff the Apple Business Manager device pool (read-only; apply is intentionally not implemented).

weave applebusinessmanager snapshot devices
$EDITOR .weave-state/applebusinessmanager/applebusinessmanager/devices.yaml
weave applebusinessmanager diff devices

MDM server assignment drift

Track which device serials are assigned to which device-management service, and catch assignment drift in PRs.

weave applebusinessmanager snapshot mdm-server-devices
weave applebusinessmanager diff mdm-server-devices

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource weave equivalent
none — Apple ships no Terraform provider for Apple Business Managerweave applebusinessmanager snapshot/diff devices
Snapshot/diff only; device-to-MDM-server assignment writes (POST /v1/orgDeviceActivities) are not wired yet.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including ABM_CLIENT_ID) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave applebusinessmanager diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.

Open the source

The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/applebusinessmanager. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.