weave
module · Endpoints & MDM

Mosyle

Comprehensive Mosyle Apple MDM control plane — devices (macOS / iOS / iPadOS / tvOS), users, configuration profiles, smart-filter groups, managed apps, locations, MDM commands.

Namespace: weave mosyle · Env: MOSYLE_ACCESS_TOKEN
Commands: 27 · State kinds: 7 · Category: Endpoints & MDM · API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable | Description | Status
MOSYLE_ACCESS_TOKEN | Required for authentication. | required
MOSYLE_EMAIL | Required for authentication. | required
MOSYLE_PASSWORD | Required for authentication. | required
MOSYLE_ORG | Optional friendly tenant name used in state-file paths (defaults to 'mosyle-business'). | optional

Sanity-check the wiring:

weave secrets check
weave mosyle --help
weave doctor   # reports MOSYLE_ACCESS_TOKEN status
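
The recommendation above, to keep these credentials out of the shell rc, can be checked mechanically. This is an added example, not part of weave or its documentation: a POSIX shell function that flags literal MOSYLE_ACCESS_TOKEN and MOSYLE_PASSWORD assignments in startup files and ignores values resolved at runtime. The function name find_hardcoded_mosyle_creds is hypothetical.

```shell
#!/bin/sh
# Added example: flag literal MOSYLE_* secrets in shell startup files.
# A value that is empty or starts with "$" (a variable or a $(...) command
# substitution, such as a secrets-manager lookup) is treated as resolved at
# runtime and is not reported. The function name is hypothetical.

# Prints "file:line:VARIABLE" for each literal assignment (the secret value
# itself is never printed). Returns 1 if any were found, 0 otherwise.
find_hardcoded_mosyle_creds() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(awk -v file="$f" -v q="'" '
            # Match: [export] MOSYLE_ACCESS_TOKEN=... or MOSYLE_PASSWORD=...
            /^[ \t]*(export[ \t]+)?MOSYLE_(ACCESS_TOKEN|PASSWORD)=/ {
                line = $0
                sub(/^[ \t]*(export[ \t]+)?/, "", line)
                name = line; sub(/=.*/, "", name)
                val = line;  sub(/^[^=]*=/, "", val)
                gsub("[\"" q "]", "", val)            # drop quote characters
                if (val == "" || val ~ /^\$/) next    # runtime lookup
                printf "%s:%d:%s\n", file, NR, name
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}
```

Call it as find_hardcoded_mosyle_creds ~/.zshrc ~/.bashrc ~/.profile; a non-zero exit status means at least one literal secret should be moved to the secrets manager and rotated.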

Capabilities

What this module can do, by entity and verb. means a working CLI surface; · means not (yet) wired.

Entity | find | list | show | do | snapshot | diff | apply
app·····
device·
device-app-installs·····
device-checkin·······
group···
group-member······
location····
managed-app····
profile··
user··

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (5)

find app

read

Find a managed app by name or bundle id.

weave mosyle find app <identifier>

find device

read

Find a device by serial, UDID, name, or email.

weave mosyle find device <identifier>

find group

read

Find a smart-filter group by name or id.

weave mosyle find group <identifier>

find profile

read

Find a configuration profile by name or identifier.

weave mosyle find profile <identifier>

find user

read

Find a managed user by id, name, or email.

weave mosyle find user <identifier>

list (7)

list devices

read

List enrolled devices (optionally by platform).

weave mosyle list devices <arg>

list group-members

read

List the devices that are members of one smart-filter group.

weave mosyle list group-members <arg>

list groups

read

List smart-filter groups.

weave mosyle list groups <arg>

list locations

read

List Mosyle locations.

weave mosyle list locations <arg>

list managed-apps

read

List managed apps in the catalog.

weave mosyle list managed-apps <arg>

list profiles

read

List configuration profiles.

weave mosyle list profiles <arg>

list users

read

List managed users.

weave mosyle list users <arg>

show (2)

show device

read

Full record for one device by serial / UDID.

weave mosyle show device <identifier>

show user

read

Full record for one user by id.

weave mosyle show user <identifier>

do (12)

do assign-app

write

Assign an app to one or more devices / groups.

weave mosyle do assign-app <app-id>

do assign-profile

write

Push a configuration profile to devices / groups.

weave mosyle do assign-profile <profile-id>

do clear-passcode

write

Clear a mobile-device passcode.

weave mosyle do clear-passcode <serial>

do disable-lost-mode

write

Disable Lost Mode on a device.

weave mosyle do disable-lost-mode <serial>

do enable-lost-mode

write

Enable Lost Mode on a supervised iOS / iPadOS device.

weave mosyle do enable-lost-mode <serial>

do lock

write

Send a remote lock to a device.

weave mosyle do lock <serial>

do remove-app

write

Unassign an app from one or more devices / groups.

weave mosyle do remove-app <app-id>

do remove-profile

write

Remove a configuration profile from devices / groups.

weave mosyle do remove-profile <profile-id>

do restart

write

Restart a device (supervised macOS / iOS).

weave mosyle do restart <serial>

do send-command

write

Send an arbitrary Mosyle MDM command to a device.

weave mosyle do send-command <serial> <command>

do shutdown

write

Shut down a device (supervised macOS / iOS).

weave mosyle do shutdown <serial>

do wipe

write

Erase a device (irreversible).

weave mosyle do wipe <serial>

watch (1)

watch device-checkin

write

Watch a device's last_beat until it changes or a timeout.

weave mosyle watch device-checkin <arg>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/mosyle/.

devices

snapshot diff apply

Mosyle device inventory (key fields keyed by serial).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: mosyle
kind: devices
items:
  - # <fields specific to this kind — see snapshot output>

users

snapshot diff apply

Mosyle managed users (snapshot + diff).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: mosyle
kind: users
items:
  - # <fields specific to this kind — see snapshot output>

profiles

snapshot diff apply

All Mosyle configuration profiles (snapshot + diff only; apply requires the Mosyle dashboard).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: mosyle
kind: profiles
items:
  - # <fields specific to this kind — see snapshot output>

groups

snapshot diff apply

Smart-filter groups (snapshot + diff).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: mosyle
kind: groups
items:
  - # <fields specific to this kind — see snapshot output>

managed-apps

snapshot diff apply

Managed app catalog (snapshot + diff).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: mosyle
kind: managed-apps
items:
  - # <fields specific to this kind — see snapshot output>

locations

snapshot diff apply

Mosyle locations (snapshot + diff).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: mosyle
kind: locations
items:
  - # <fields specific to this kind — see snapshot output>

device-app-installs

snapshot diff apply

Per-device app install audit (snapshot + diff).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: mosyle
kind: device-app-installs
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Daily fleet audit (drift detection)

Snapshot devices + groups + apps, commit to git, diff tomorrow.

weave mosyle snapshot devices
weave mosyle snapshot groups
weave mosyle snapshot managed-apps
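# double quotes so that $(date +%F) is expanded; inside single quotes it would be committed literally
git add .weave-state/mosyle && git commit -m "mosyle inventory $(date +%F)"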
# … next day, in CI …
weave mosyle diff devices         # surface fleet churn
weave mosyle diff managed-apps    # spot app catalog drift

Quarantine a lost iPad

Confirm the device, lock it, then enable Lost Mode. Lock + Lost Mode both require --yes.

weave mosyle find device SN12345
weave mosyle do lock SN12345 --yes
weave mosyle do enable-lost-mode SN12345 --message 'Lost — call IT' --phone 555-0100 --yes
weave mosyle watch device-checkin --device SN12345 --timeout 600

Push a profile + an app to a smart-filter group

Group authored in dashboard, assigned via API.

weave mosyle find group 'Sales Macs'
weave mosyle do assign-profile <profile-id> --group <group-id> --yes
weave mosyle do assign-app <app-id> --group <group-id> --yes
weave mosyle list group-members --group <group-id>

Re-image a stolen MacBook

Wipe is irreversible — --yes is mandatory.

weave mosyle find device SN12345
weave mosyle do wipe SN12345 --yes
weave mosyle watch device-checkin --device SN12345 --timeout 1800
# device drops off inventory; re-enroll via DEP / Mosyle Manager when recovered

Per-device app audit

Spot which apps are installed where, suitable for compliance review.

weave mosyle snapshot device-app-installs
$EDITOR .weave-state/mosyle/<org>/device-app-installs.yaml   # review
# next month:
weave mosyle diff device-app-installs   # what installed/removed?

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource | weave equivalent
(no Terraform provider for Mosyle) | weave ships the operator-facing 80% of Mosyle as discoverable verbs
    Mosyle has no first-party or community Terraform provider; the cross-walk below is vs. Mosyle's REST surface and the closest sibling Meraki SM.
(closest sibling: Meraki Systems Manager — meraki_networks_sm_*) | weave mosyle list devices + do wipe / lock / restart
    MDM-platform sibling for cross-tool comparison.
Mosyle device inventory | weave mosyle list/find/show device + snapshot devices
    snapshot+diff for audit; mutations via `do` verbs
Mosyle MDM commands (Lock, Erase, ClearPasscode, RestartDevice, ShutDownDevice, EnableLostMode, DisableLostMode) | weave mosyle do lock / wipe / clear-passcode / restart / shutdown / enable-lost-mode / disable-lost-mode / send-command
    Device-destructive verbs (wipe, lock, restart, shutdown, clear-passcode, enable-lost-mode) refuse to run without --yes.
Mosyle users | weave mosyle list/find/show user + snapshot users
    snapshot+diff — Mosyle users are usually directory-driven
Mosyle configuration profiles (assign / remove) | weave mosyle list/find profile + do assign-profile / remove-profile + snapshot profiles
    snapshot+diff for audit; profile authoring lives in the Mosyle dashboard
Mosyle smart-filter groups | weave mosyle list/find group + list group-members + snapshot groups
    snapshot+diff; smart-filter authoring lives in the Mosyle dashboard
Mosyle managed apps (assign / remove) | weave mosyle list/find app + do assign-app / remove-app + snapshot managed-apps
    snapshot+diff for the catalog; app authoring lives in the Mosyle dashboard
Mosyle locations | weave mosyle list locations + snapshot locations
    snapshot+diff; locations are managed in the Mosyle dashboard
(per-device app installs) | weave mosyle snapshot device-app-installs
    Audit signal — weave-only convenience kind
(device check-in watch) | weave mosyle watch device-checkin --device <serial>
    Operational verb unique to weave — useful right after sending an MDM command.
Enrollment customization (web-form-driven) | (intentionally skipped)
    Authoring lives in the Mosyle dashboard, not the API.
Volume Purchase / Apple School Manager integration | (intentionally skipped)
    ABM/ASM auth is out of scope; Mosyle handles the upstream link.
Mosyle Business-tier-specific endpoints | (intentionally skipped where tier cannot be detected from auth)
    When the tenant tier matters and we cannot detect it from the access token alone, weave defers to the dashboard.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including MOSYLE_ACCESS_TOKEN) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave mosyle diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.