azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-5070 at 2026-06-16 18:13:39

Browse Source 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-16 18:13:39
This commit is contained in:
Mike Swanson
2026-06-16 18:13:54 -07:00
parent 718bce3525
commit 32dd949d7f
2 changed files with 230 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
projects/msp-tools/research/2026-06-16-syncro-api-rmm-policy-capabilities.md Normal file
View File

@@ -0,0 +1,76 @@
# Syncro API — RMM / Policy Management capabilities (research)
- **Date:** 2026-06-16
- **By:** Mike (GURU-5070) + Claude
- **Question:** Does the Syncro (SyncroMSP) public REST API expose the **RMM** side of the
product — specifically **policy management** (push AV like Bitdefender, manage monitors/
scripts/patch policies, assign policies to assets)?
- **Status:** Research only — NOT yet folded into the `/syncro` skill (per Mike). Verify token
scope before relying on `/policy_folders`.
## TL;DR
**No — RMM policy *management* is NOT exposed by the Syncro API.** The API exposes the policy
**folder hierarchy** (organizational only) plus **read-only RMM inventory** (assets, patch status,
installed apps) and **RMM alerts**. There is **no** endpoint to run scripts, send remote commands,
start a remote session, deploy software, install patches, or edit a policy's content (monitors/
scripts/patch schedule/AV). Those are **UI-/agent-only**. (This is exactly the gap GuruRMM fills,
and why a Bitdefender push goes through the Syncro UI/policy, not the API.)
## Method (authoritative)
Endpoint *probing* alone was misleading (guessed wrong path names → false 404s). The definitive
source is Syncro's own **OpenAPI 3.0.0 spec**:
- Docs UI: `https://api-docs.syncromsp.com/` (Swagger UI)
- **Raw spec:** `https://api-docs.syncromsp.com/swagger.json` (~470 KB) — read this, not the UI.
- Live probes against `https://computerguru.syncromsp.com/api/v1` confirmed behavior + the 401.
(Grok live-web pass returned empty — its known finalization quirk; the published spec is
authoritative anyway, so no second-model opinion was needed.)
## The ENTIRE RMM surface in the spec
Searching all paths in `swagger.json` for polic/script/rmm/run/command/remote/agent/patch/install
returns exactly:
| Path | Methods | Notes |
|---|---|---|
| `/policy_folders`, `/policy_folders/{id}` | GET, POST, PUT, DELETE | **folder hierarchy only** (see below) |
| `/customer_assets`, `/{id}` | GET, POST, PUT | RMM-managed devices (`asset_type: "Syncro Device"`) |
| `/customer_assets/{id}/patches` | GET | Windows patch data (read) — **works (200)** |
| `/customer_assets/{id}/installed_applications` | GET | installed apps (read) — **works (200)** |
| `/rmm_alerts`, `/{id}`, `/{id}/mute` | GET, POST, mute, DELETE | RMM alert read/create/mute/clear |
**That is the whole list.** No `/scripts`, no run-script, no `/remote_sessions`, no agent/command
endpoint exists anywhere in the spec.
## The decisive detail — `/policy_folders` is organization, not policy content
`POST /policy_folders` request body accepts only **three fields**:
```
customer_id # which customer the folder belongs to
name # folder name
parent_id # parent folder (for nesting)
```
So you can create/rename/nest/delete the **policy-folder tree** and tie a folder to a customer —
but there is **no field** for the policy's content (monitors, scripts, patch schedule, AV/
Bitdefender), and **no way to assign a policy to an asset** via the API. RMM policy *definition*
and *assignment* remain UI-only.
## Gotcha — token scope
`GET /policy_folders` returned **HTTP 401** with the same API token that returns 200 for
assets/patches/alerts → the endpoint exists but the token lacks the **policy permission scope**.
Enable it per-token in **Syncro Admin → API Tokens** before even the folder CRUD will work.
## What you CAN automate against Syncro RMM today
- **Read** asset inventory, **Windows patch status**, and **installed applications** per device
(reporting, drift detection, "who's missing patch X").
- **RMM alerts:** list / create / mute / clear.
- **Policy folders:** create/rename/nest/delete (e.g. auto-create a folder per new customer) —
*after* enabling the token's policy scope.
## What you CANNOT (must use the Syncro UI / agent, or GuruRMM)
- Run scripts / send remote commands / open remote sessions on agents.
- Deploy software (e.g. Bitdefender), trigger patch installs, reboot.
- Create/edit policy **content** (monitors, scripts, patch policy, AV) or assign policies to assets.
## Next steps (if we want to act on this)
- Decide whether to enable the policy scope on a dedicated token and script the folder hierarchy.
- For programmatic endpoint actions (scripts/commands/deploy), route through **GuruRMM**, not Syncro.
- Fold the API-capability boundary into the `/syncro` skill once reviewed (Mike: hold for now).