Multi-Platform Device Management
- Implemented three MDM protocols (Apple MDM, Windows MS-MDE2/OMA-DM/SyncML, Android Management API) at the wire-protocol level in a single Go binary
- Built a PostgreSQL event bus using LISTEN/NOTIFY with exponential backoff, eliminating the need for external message brokers
- Designed a clean 12-service architecture with dependency injection, writer/reader database pools, and full isolation for testability
- Created an HTMX admin dashboard with real-time device status via server-sent events, no JavaScript framework required
- ~60K lines of Go with k6 load tests proving enrollment burst handling at hundreds of simultaneous device check-ins
The Challenge
Enterprise device management typically requires separate solutions for each platform (macOS, Windows, Android). Each has its own vendor, protocol, and management interface. I wanted to build a unified server that implements all three MDM protocols natively: a single control plane for fleet management across platforms that still maintains the protocol-level correctness each OS vendor expects.
Approach & Role
This is a personal project I built from scratch in Go. Sole architect, developer, and tester. It implements three distinct MDM protocols (Apple MDM, Microsoft MS-MDE2/OMA-DM/SyncML, Android Management API) behind a clean architecture with 12 services, a PostgreSQL event bus, and an HTMX-based admin dashboard. The project demonstrates systems programming, protocol implementation, and full-stack development in a single codebase.
Architecture & Patterns
Clean architecture (12 services):
- Domain-driven package structure: enrollment, compliance, inventory, profiles, commands, events
- Writer/reader database pools for Aurora compatibility
- Dependency injection throughout, no global state, fully testable
Three MDM protocols (wire-level implementation):
- Apple MDM: NanoMDM webhook integration for command/response lifecycle. SCEP certificate enrollment with challenge-based device identity issuance. The server acts as a SCEP CA, issuing device identity certificates during enrollment that are subsequently used for APNs push authentication. Push notification delivery to trigger device check-in cycles.
- Windows MDM: MS-MDE2 discovery endpoint (returns enrollment service URLs from a well-known path), certificate enrollment via EST/SCEP, then full OMA-DM/SyncML session management. SyncML XML parsing handles the bidirectional configuration sync. The server pushes policy configuration nodes (./Device/Vendor/MSFT/Policy) and receives device state reports in the same session. A session state machine manages the multi-message exchange (SyncHdr, Alert, Results, Status).
- Android: Management API integration with enterprise enrollment tokens, policy binding, and compliance state reporting via Pub/Sub webhook callbacks.
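As an added example (not code from this project), here is the kind of check a SyncML session state machine performs before acting on a device message: bind the message to the expected session, device and MsgID, and read the device's Status for the server's previous SyncHdr. The `Session` and `Accept` names are this example's own; it assumes the server keeps one session object per enrolled device and tracks the device's SessionID and MsgID sequence as OMA-DM specifies.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// The SyncML fields the session check reads; encoding/xml ignores the rest.
type SyncML struct {
	SessionID string    `xml:"SyncHdr>SessionID"`
	MsgID     int       `xml:"SyncHdr>MsgID"`
	Source    string    `xml:"SyncHdr>Source>LocURI"`
	Status    []Status  `xml:"SyncBody>Status"`
	Final     *struct{} `xml:"SyncBody>Final"`
}
// Status is the device's result for one server command ("SyncHdr" = the header itself).
type Status struct {
	Cmd  string `xml:"Cmd"`
	Code int    `xml:"Data"` // OMA-DM status codes are numeric (200, 212, 401, ...)
}
// Session is the server's state for one OMA-DM session with one device (example type).
type Session struct {
	ID, DeviceID string
	NextMsgID    int  // MsgID the next device message must carry
	Final        bool // device sent <Final/>: its side of the exchange is complete
}

// Accept validates one device message against the session state before the
// server acts on its body. A message for another session or device, or with an
// unexpected MsgID (stale, replayed, out of order), is rejected; state is untouched.
func Accept(s *Session, raw []byte) error {
	var m SyncML
	if err := xml.Unmarshal(raw, &m); err != nil {
		return fmt.Errorf("malformed SyncML: %w", err)
	}
	if m.SessionID != s.ID || m.Source != s.DeviceID {
		return fmt.Errorf("message is not for session %s of device %s", s.ID, s.DeviceID)
	}
	if m.MsgID != s.NextMsgID {
		return fmt.Errorf("unexpected MsgID %d, want %d", m.MsgID, s.NextMsgID)
	}
	for _, st := range m.Status {
		if st.Cmd == "SyncHdr" && st.Code != 200 && st.Code != 212 {
			return fmt.Errorf("device rejected the server header: status %d", st.Code)
		}
	}
	s.NextMsgID++
	s.Final = m.Final != nil
	return nil
}
```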
PostgreSQL event bus:
- LISTEN/NOTIFY for real-time event propagation between services
- Exponential backoff reconnection for resilience
- Event queue with retry semantics for guaranteed delivery
- Compliance engine triggered by device events (check-in, evaluate then remediate)
HTMX admin dashboard:
- Server-rendered UI with Tailwind v4 - no JavaScript build step
- Real-time device status updates via server-sent events
- Fleet overview, device detail, compliance status, and command history views
Testing & load:
- k6 load tests: enrollment burst (simulating fleet check-in), steady state, admin dashboard concurrency
- Playwright browser tests for dashboard workflows
- Go integration tests with real Keycloak instance and MDM device simulators
- 15 database migrations with careful schema evolution
Impact & Scale
- Three MDM protocols implemented at the wire-protocol level in a single Go binary
- PostgreSQL event bus eliminates need for external message broker (Redis, RabbitMQ)
- Clean architecture enables testing each service in isolation
- Load testing proves enrollment burst handling (hundreds of simultaneous device check-ins)
- HTMX dashboard demonstrates full-stack Go without JavaScript framework complexity
- ~60K lines of Go demonstrating deep systems programming capability