You can configure external applications to use the core product functionality of Workspace ONE UEM by integrating REST APIs with the UEM infrastructure to facilitate connectivity. You can also select the OAuth token URL closest to your data center to authenticate API calls.
Getting Started with REST APIs
Using simplified REST software architecture, Workspace ONE UEM REST APIs currently support multiple functionalities, including organization group, console administration, mobile application, mobile device, email, enrollment user, profile, smart group, and user group management.
Using REST-based APIs provides several benefits to enterprises, including eliminating the cost and time spent developing applications in-house. Workspace ONE UEM REST APIs are fully able and ready to integrate with enterprise servers, programs, and processes. Workspace ONE UEM REST APIs are more efficient, can run smoothly, and can be easily branded for enterprises. These APIs are for application developers. This guide provides an understanding of the design and architecture of the API library and facilitates custom development and integration with Workspace ONE UEM.
Accessing API Documentation
Review detailed API documentation by navigating to the Workspace ONE UEM API Help page.
In the address bar of your browser, replace the "cn" in the URL with "as" and then append /api/help after .com.
For example, https://cn4855.awmdm.com... becomes https://as4855.awmdm.com/api/help
Datacenter and Token URLs for OAuth 2.0 Support
Workspace ONE UEM supports the OAuth 2.0 industry standard protocol for secure authentication and authorization for REST API calls.
Workspace ONE Token Service is the Token Issuer for OAuth authentication and is supported only in SaaS environments. The Token URLs are region-specific.
Region | Workspace ONE UEM SaaS Data Center Location | Token URL |
---|---|---|
Ohio (United States) | All UAT environment | https://uat.uemauth.vmwservices.com/connect/token |
Virginia (United States) | United States | https://na.uemauth.vmwservices.com/connect/token |
Virginia (United States) | Canada | https://na.uemauth.vmwservices.com/connect/token |
Frankfurt (Germany) | United Kingdom | https://emea.uemauth.vmwservices.com/connect/token |
Frankfurt (Germany) | Germany | https://emea.uemauth.vmwservices.com/connect/token |
Tokyo (Japan) | India | https://apac.uemauth.vmwservices.com/connect/token |
Tokyo (Japan) | Japan | https://apac.uemauth.vmwservices.com/connect/token |
Tokyo (Japan) | Singapore | https://apac.uemauth.vmwservices.com/connect/token |
Tokyo (Japan) | Australia | https://apac.uemauth.vmwservices.com/connect/token |
Tokyo (Japan) | Hong Kong | https://apac.uemauth.vmwservices.com/connect/token |
Create an OAuth Client to Use for API Commands (SaaS)
You can create an OAuth client to use for API commands, supported in SaaS environments only. Create an OAuth client for your SaaS environment by taking the following steps.
- Navigate to .
- Enter OAuth in the search text box labeled 'Enter a name or category'.
- Select OAuth Client Management that appears in the results. The OAuth Client Management screen displays.
- Select the Add button.
- Enter the Name, Description, Organization Group, and Role.
Note: For more information about specific REST API permissions for the role you select, see the section in this topic entitled Create a Role That Can Use REST APIs.
- Ensure that the Status is Enabled.
- Select Save.
- IMPORTANT: Copy the Client ID and Client Secret to clipboard and save them before you close this screen. Select the Copy icon to send the Client Secret to the clipboard. You cannot return here to retrieve these pieces of information after you select Close.
- Use the Client ID, Client Secret, and Token URL to generate the access token in the following format:
API call: POST {Region-Specific Token URL from section above}
Key | Value |
---|---|
grant_type | client_credentials |
client_id | {CLIENT ID generated on UEM console} |
client_secret | {CLIENT SECRET generated on UEM console} |
- Use the access token returned to authorize future API requests to Workspace ONE UEM API servers. You must format the access token in the request headers in the following way.
API call: {UEM API}
Key | Value |
---|---|
Authorization | {Access Token} |
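The token request and header steps above, as an added Python example that is not part of the original documentation. It assumes the standard OAuth 2.0 form-encoded request body, the RFC 6749 response fields (access_token, expires_in), the Bearer scheme for the Authorization value, and hypothetical environment variable names UEM_CLIENT_ID and UEM_CLIENT_SECRET.

```python
import json, os, time
import urllib.parse, urllib.request

# Region-specific token URLs copied from the table on this page.
TOKEN_URLS = {
    "uat": "https://uat.uemauth.vmwservices.com/connect/token",
    "na": "https://na.uemauth.vmwservices.com/connect/token",
    "emea": "https://emea.uemauth.vmwservices.com/connect/token",
    "apac": "https://apac.uemauth.vmwservices.com/connect/token",
}

def build_token_request(region, client_id, client_secret):
    """Build the client_credentials POST; unknown regions are rejected so the
    secret is never sent to a host that is not in the table."""
    if region not in TOKEN_URLS:
        raise ValueError(f"unknown region {region!r}")
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret are required")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    # Assumption: form-encoded body, the standard OAuth 2.0 token request encoding.
    return urllib.request.Request(
        TOKEN_URLS[region], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Return (token, expiry_epoch). Field names are the RFC 6749 ones (assumed)."""
    doc = json.loads(raw)
    token = doc.get("access_token")
    if not token:
        raise ValueError("no access_token in response: " + str(doc.get("error")))
    now = time.time() if now is None else now
    # Renew 60 s early so a request is never sent with a token about to expire.
    return token, now + max(int(doc.get("expires_in", 0)) - 60, 0)

def auth_headers(token):
    # Assumption: Bearer scheme (RFC 6750); the page only names the Authorization key.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}

def fetch_token(region):
    """Network call: credentials come from the environment, not from source code."""
    req = build_token_request(region, os.environ["UEM_CLIENT_ID"],
                              os.environ["UEM_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_token_response(resp.read())
```

Cache the returned token until its expiry time rather than requesting a new one per API call, and keep the Client Secret out of logs and error messages.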
Create a Role That Can Use REST APIs
Each API call has a corresponding resource (or permission) that you must include in the role you assign to the OAuth Client. The permissions you include in that role must therefore match the kinds of API calls you are making.
Category | Name | Description | Read Only/ Edit |
---|---|---|---|
REST > Admins | REST API System Groups | Access to organization group information | Edit |
REST > Admins | REST API System Admin | Access to admin info | Edit |
REST > Admins | REST API System Users | Access to User Info | Edit |
REST > Admins | REST API Admins Write | Enables access to all write/update APIs in Admin users collection | Edit |
REST > Admins | REST API Admins Execute | Enables access to all execute APIs in Admin users collection | Edit |
REST > Admins | REST API Admins Delete | Enables access to all Delete APIs in Admin users collection | Edit |
REST > Admins | REST API Admins Read | Enables access to all READ only APIs in Admin users collection | Read Only |
REST > Apps | REST API MAM Blob | Upload download content | Edit |
REST > Apps | REST API MAM Apps | Access to managed apps | Edit |
REST > Apps | REST API Apps Write | Enables access to all write/update APIs in Apps collection | Edit |
REST > Apps | REST API Apps Execute | Enables access to all execute APIs in Apps collection | Edit |
REST > Apps | REST API Apps Delete | Enables access to all Delete APIs in Apps collection | Edit |
REST > Apps | REST API Apps Read | Enables access to all READ only APIs in Apps collection | Read Only |
REST > Compliance Policy | REST API Compliance Policy Delete | Enables access to all Delete APIs in Compliance Policy collection | Edit |
REST > Compliance Policy | REST API Compliance Policy Execute | Enables access to all Execute APIs in Compliance Policy collection | Edit |
REST > Compliance Policy | REST API Compliance Policy Write | Enables access to all Write APIs in Compliance Policy collection | Edit |
REST > Compliance Policy | REST API Compliance Policy Read | Enables access to all READ only APIs in Compliance Policy collection | Read Only |
REST > Custom Attributes | REST API Custom Attributes Execute | Enables access to all execute APIs in Custom Attributes collection | Edit |
REST > Custom Attributes | REST API Custom Attributes Write | Enables access to all write APIs in Custom Attributes collection | Edit |
REST > Custom Attributes | REST API Custom Attributes Delete | Enables access to all Delete APIs in Custom Attributes collection | Edit |
REST > Custom Attributes | REST API Custom Attributes Read | Enables access to all READ only APIs in Custom Attributes collection | Read Only |
REST > Devices | REST API MDM Smart Groups | Access to smart group info | Edit |
REST > Devices | REST API MDM User Groups | Access to User Groups | Edit |
REST > Devices | REST API MDM Profiles | Send Lock/Unlock Commands | Edit |
REST > Devices | REST API MDM Devices | Send lock/unlock commands | Edit |
REST > Devices | REST API BLOBS Write | Enables access to all write/update only APIs in BLOBS collection | Edit |
REST > Devices | REST API BLOBS Execute | Enables access to all execute only APIs in BLOBS collection | Edit |
REST > Devices | REST API BLOBS Delete | Enables access to all delete only APIs in BLOBS collection | Edit |
REST > Devices | REST API Devices Write | Enables access to all write/update APIs in Devices collection | Edit |
REST > Devices | REST API Devices Execute | Enables access to all execute APIs in Devices collection | Edit |
REST > Devices | REST API Devices Delete | Enables access to all Delete APIs in Devices collection | Edit |
REST > Devices | REST API Devices Advanced | Enables access to all Advanced APIs in Devices collection | Edit |
REST > Devices | REST API BLOBS Read | Enables access to all read only APIs in BLOBS collection | Read Only |
REST > Devices | REST API Devices Read | Enables access to all READ only APIs in Devices collection | Read Only |
REST > REST Enterprise Integration | REST API Enterprise Integration Read | Enables access to all READ only APIs in Enterprise Integration | Read Only |
REST > Groups | REST API Groups Write | Enables access to all write/update APIs in Organization Group collection | Edit |
REST > Groups | REST API Groups Execute | Enables access to all execute APIs in Organization Group collection | Edit |
REST > Groups | REST API Groups Delete | Enables access to all Delete APIs in Organization Group collection | Edit |
REST > Groups | REST API Smart Groups Write | Enables access to all write APIs in Smart Groups collection | Edit |
REST > Groups | REST API Smart Groups Execute | Enables access to all execute APIs in Smart Groups collection | Edit |
REST > Groups | REST API Smart Groups Delete | Enables access to all Delete APIs in Smart Groups collection | Edit |
REST > Groups | REST API User Groups Write | Enables access to all write/update APIs in User Groups | Edit |
REST > Groups | REST API User Groups Execute | Enables access to all execute APIs in User Groups | Edit |
REST > Groups | REST API User Groups Delete | Enables access to all Delete APIs in User Groups | Edit |
REST > Groups | REST API Cart Write | REST API to save and edit Cart data | Edit |
REST > Groups | REST API Cart Delete | REST API to delete Cart data | Edit |
REST > Groups | REST API Apple School Manager Write | REST API to initiate Apple School Manager sync | Edit |
REST > Groups | REST API Apple School Manager map | REST API to map an enrollment user to a member from Apple School Manager | Edit |
REST > Groups | REST API Class Assignments Save | REST API call to save class assignments | Edit |
REST > Groups | REST API Class Write | REST API to save and edit class data | Edit |
REST > Groups | REST API Class Delete | REST API to delete class data | Edit |
REST > Groups | REST API Education settings Write | REST API to save and edit Education settings | Edit |
REST > Groups | REST API Education settings Read | REST API to view Education settings | Edit |
REST > Groups | REST API Groups Read | Enables access to all READ only APIs in Organization Group collection | Read Only |
REST > Groups | REST API Smart Groups Read | Enables access to all READ only APIs in Smart Groups collection | Read Only |
REST > Groups | REST API User Groups Read | Enables access to all READ only APIs in User Groups | Read Only |
REST > Groups | REST API Apple School Manager Sync Read | REST API to check the Apple School Manager sync status | Read Only |
REST > Groups | REST API Apps For Device Read | REST API to get a list of apps eligible for a device | Read Only |
REST > Groups | REST API Class Read | REST API to view class data | Read Only |
REST > Products | REST API Products Execute | Enables access to all execute APIs in Products collection | Edit |
REST > Products | REST API Products Write | Enables access to all write APIs in Products collection | Edit |
REST > Products | REST API Products Delete | Enables access to all Delete APIs in Products collection | Edit |
REST > Products | REST API Products Read | Enables access to all READ only APIs in Products collection | Read Only |
REST > Profiles | Updates Policy Write access | Enables access to all WRITE APIs in Updates Policy collection | Edit |
REST > Profiles | Updates Policy Execute access | Enables access to all EXECUTE APIs in Updates Policy collection | Edit |
REST > Profiles | Updates Policy Delete access | Enables access to all DELETE APIs in Updates Policy collection | Edit |
REST > Profiles | REST API Profiles Write | Enables access to all write APIs in Profiles collection | Edit |
REST > Profiles | REST API Profiles Execute | Enables access to all execute APIs in Profiles collection | Edit |
REST > Profiles | REST API Profiles Delete | Enables access to all Delete APIs in Profiles collection | Edit |
REST > Profiles | Updates Policy Read access | Enables access to all READ only APIs in Updates Policy collection | Read Only |
REST > Profiles | REST API Profiles Read | Enables access to all READ only APIs in Profiles collection | Read Only |
REST > Users | REST API Users Write | Enables access to all write/update APIs in Enrollment users collection | Edit |
REST > Users | REST API Users Execute | Enables access to all execute APIs in Enrollment users collection | Edit |
REST > Users | REST API Users Delete | Enables access to all Delete APIs in Enrollment users collection | Edit |
REST > Users | REST API User Tokens Read | Enables access to Enrollment user tokens for APIs in Enrollment User collection | Read Only |
REST > Users | REST API Users Read | Enables access to all READ only APIs for Enrollment users collection | Read Only |