deploy(gx10): wire Apple MDM runtime secret keys

apps-gx10/fc-devicemgmt/README.md

@@ -0,0 +1,39 @@
+# FlowerCore DeviceManagement on GX10
+
+This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at
+`https://devices.iamworkin.lan`.
+
+## Apple MDM Runtime Contract
+
+Apple MDM is enabled in NanoHUB mode, but enrollment remains unavailable until
+the runtime secret contains real Apple-side material. Do not use placeholder
+values to clear readiness checks.
+
+`Secret/fc-devicemgmt-runtime` supports these Apple MDM keys:
+
+| Key | Purpose |
+| --- | --- |
+| `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. |
+| `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. |
+| `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. |
+| `APPLE_MDM_SCEP_CHALLENGE` | SCEP challenge shared with the SCEP provisioner. |
+| `APPLE_MDM_PROFILE_SIGNING_CERTIFICATE_PEM` | PEM certificate used to CMS-sign `.mobileconfig` profiles. |
+| `APPLE_MDM_PROFILE_SIGNING_PRIVATE_KEY_PEM` | PEM private key matching the profile-signing certificate. |
+| `APPLE_MDM_REQUIRE_MANAGED_WIFI_PAYLOAD` | Set to `true` only when Wi-Fi payload delivery should gate enrollment readiness. |
+| `APPLE_MDM_MANAGED_WIFI_SSID` | Managed Wi-Fi SSID for the iPad profile. |
+| `APPLE_MDM_MANAGED_WIFI_PASSWORD` | Managed Wi-Fi password when the network is not open. |
+
+Non-secret profile constants stay in GitOps: NanoHUB base URL, MDM server URL,
+check-in URL, organization/display names, the HTTPS trust anchor certificate,
+managed Wi-Fi encryption type, auto-join, and MAC-randomization disablement.
+
+## Readiness Check
+
+After changing the runtime secret and letting the pod roll, verify:
+
+```bash
+curl -sk https://devices.iamworkin.lan/api/v1/apple-mdm/enrollment-profile/status
+```
+
+Configurator enrollment must wait until this status reports `available=true`
+and an empty `missingRequirements` array.

apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json

@@ -161,6 +161,98 @@
                     "name": "fc-devicemgmt-runtime"
                   }
                 }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ApnsTopic",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_APNS_TOPIC",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ScepUrl",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_SCEP_URL",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ScepChallenge",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_SCEP_CHALLENGE",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ProfileSigningCertificatePem",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_PROFILE_SIGNING_CERTIFICATE_PEM",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ProfileSigningPrivateKeyPem",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_PROFILE_SIGNING_PRIVATE_KEY_PEM",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__RequireManagedWifiPayload",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_REQUIRE_MANAGED_WIFI_PAYLOAD",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiSsid",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_MANAGED_WIFI_SSID",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiPassword",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "key": "APPLE_MDM_MANAGED_WIFI_PASSWORD",
+                    "name": "fc-devicemgmt-runtime",
+                    "optional": true
+                  }
+                }
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiEncryptionType",
+                "value": "WPA2"
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiAutoJoin",
+                "value": "true"
+              },
+              {
+                "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiDisableAssociationMacRandomization",
+                "value": "true"
               }
             ],
             "image": "localhost/fc-devicemgmt-web:v20260618-mdmprofile-d0d2a56",