You can configure external applications to use the core product functionality of Workspace ONE UEM by integrating REST APIs with the UEM infrastructure to facilitate connectivity. You can also select the OAuth token URL closest to your data center to authenticate API calls.

Getting Started with REST APIs

Using simplified REST software architecture, Workspace ONE UEM REST APIs currently support multiple functionalities, including organization group, console administration, mobile application, mobile device, email, enrollment user, profile, smart group, and user group management.

Using REST-based APIs provides several benefits to enterprises, including eliminating the cost and time spent developing applications in-house. Workspace ONE UEM REST APIs are ready to integrate with enterprise servers, programs, and processes. Additionally, Workspace ONE UEM REST APIs are more efficient, run smoothly, and can be easily branded for the enterprise. These APIs are intended for application developers, and this guide provides an understanding of the design and architecture of the API library to facilitate custom development and integration with Workspace ONE UEM.

Access API Documentation

Access detailed API documentation by navigating to the Workspace ONE UEM API Help page.

In SaaS environments, do this by replacing the "cn" in your URL with "as" and then appending /api/help after .com.

For example, API documentation for a SaaS environment's URL
https://cn4855.awmdm.com
is
https://as4855.awmdm.com/api/help

Datacenter and Token URLs for OAuth 2.0 Support

Workspace ONE UEM supports the OAuth 2.0 industry standard protocol for secure authentication and authorization for REST API calls.

Workspace ONE Token Service is the Token Issuer for OAuth authentication and is currently supported only in SaaS environments. The Token URLs are region-specific.

Table 1. Region-Specific Token URLs
| Region | Workspace ONE UEM SaaS Data Center Location | Token URL |
| --- | --- | --- |
| Ohio (United States) | All UAT environment | https://uat.uemauth.vmwservices.com/connect/token |
| Virginia (United States) | United States | https://na.uemauth.vmwservices.com/connect/token |
| Virginia (United States) | Canada | https://na.uemauth.vmwservices.com/connect/token |
| Frankfurt (Germany) | United Kingdom | https://emea.uemauth.vmwservices.com/connect/token |
| Frankfurt (Germany) | Germany | https://emea.uemauth.vmwservices.com/connect/token |
| Tokyo (Japan) | India | https://apac.uemauth.vmwservices.com/connect/token |
| Tokyo (Japan) | Japan | https://apac.uemauth.vmwservices.com/connect/token |
| Tokyo (Japan) | Singapore | https://apac.uemauth.vmwservices.com/connect/token |
| Tokyo (Japan) | Australia | https://apac.uemauth.vmwservices.com/connect/token |
| Tokyo (Japan) | Hong Kong | https://apac.uemauth.vmwservices.com/connect/token |

Create an OAuth Client to Use for API Commands (SaaS)

You can create an OAuth client to use for API commands, supported in SaaS environments only. Create an OAuth client for your SaaS environment by taking the following steps.

  1. Navigate to Groups & Settings > Configurations.
  2. Enter OAuth in the search text box labeled 'Enter a name or category'.
  3. Select OAuth Client Management that appears in the results. The OAuth Client Management screen displays.
  4. Select the Add button.
  5. Enter the Name, Description, Organization Group, and Role.
    Note: For more information about specific REST API permissions for the role you select, see the section in this topic entitled Create a Role That Can Use REST APIs.
  6. Ensure that the Status is Enabled.
  7. Select Save.
  8. IMPORTANT: Copy the Client ID and Client Secret to the clipboard and save them before you close this screen. Select the clipboard icon to send the Client Secret to the clipboard.

    You cannot return here to retrieve these pieces of information after you select Close.

  9. Use the Client ID, Client Secret, and Token URL to generate the access token in the following format:

    API call: POST {Region-Specific Token URL from section above}

    | Key | Value |
    | --- | --- |
    | grant_type | client_credentials |
    | client_id | {CLIENT ID generated on UEM console} |
    | client_secret | {CLIENT SECRET generated on UEM console} |

  10. Use the returned access token to authorize future API requests to Workspace ONE UEM API servers. The access token must be provided in the request headers in the following format.

    API call: {UEM API}

    | Key | Value |
    | --- | --- |
    | Authorization | {Access Token} |
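
The token request and header handling from steps 9 and 10, as an added Python example that is not part of the original documentation. The UemToken class and its send hook are hypothetical names, access_token and expires_in are the standard OAuth 2.0 token response fields, and the Bearer scheme in the Authorization header is an assumption (RFC 6750), since the page shows only the access token as the header value.

```python
import json
import time
import urllib.parse
import urllib.request

# Region codes from Table 1, keyed by SaaS data center location ("UAT" = all UAT environments).
REGION_BY_LOCATION = {
    "UAT": "uat", "United States": "na", "Canada": "na",
    "United Kingdom": "emea", "Germany": "emea", "India": "apac", "Japan": "apac",
    "Singapore": "apac", "Australia": "apac", "Hong Kong": "apac",
}

def token_url(location):
    """Return the region-specific token URL; an unknown location raises KeyError."""
    return f"https://{REGION_BY_LOCATION[location]}.uemauth.vmwservices.com/connect/token"

def build_token_request(location, client_id, client_secret):
    """Step 9: POST the three form fields to the token URL. Nothing is sent here."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return urllib.request.Request(
        token_url(location), data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")

class UemToken:
    """Caches the access token and requests a new one shortly before expiry."""
    def __init__(self, location, client_id, client_secret, send=None, skew=60):
        self._args = (location, client_id, client_secret)
        # `send` is injectable so the flow can be exercised without network access.
        self._send = send or (lambda req: urllib.request.urlopen(req, timeout=30).read())
        self._skew, self._token, self._expires = skew, None, 0.0

    def headers(self):
        """Step 10: header for UEM API calls (Bearer scheme assumed, RFC 6750)."""
        if self._token is None or time.time() >= self._expires - self._skew:
            reply = json.loads(self._send(build_token_request(*self._args)))
            self._token = reply["access_token"]  # standard OAuth 2.0 response field
            self._expires = time.time() + int(reply.get("expires_in", 0))
        return {"Authorization": f"Bearer {self._token}"}

if __name__ == "__main__":
    # Constructed token reply so the example runs offline. Omit `send` to call the
    # real token service, and load the real Client ID and Client Secret from a
    # secret store or the environment rather than from source code.
    fake = lambda req: b'{"access_token": "constructed-token", "expires_in": 3600}'
    print(UemToken("Germany", "example-id", "example-secret", send=fake).headers())
```

Because the Client Secret cannot be retrieved again after the console screen is closed, keep it in a secret store and pass it in at run time; the cache avoids sending it to the token service on every API call.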

Create a Role That Can Use REST APIs

Each API call you intend to make has a corresponding resource (or permission) that you must include in the role you assign to the OAuth Client. So the permissions to include in the role you assign line up with the kinds of API calls you are making.

Use the information in the following table to help you select which permissions you must include in the role you assign. Then visit Create Administrator Role for instructions on making that role.

Table 2. REST API Role Permissions
| Category | Name | Description | Read Only/Edit |
| --- | --- | --- | --- |
| REST > Admins | REST API System Groups | Access to organization group information | Edit |
| REST > Admins | REST API System Admin | Access to admin info | Edit |
| REST > Admins | REST API System Users | Access to User Info | Edit |
| REST > Admins | REST API Admins Write | Enables access to all write/update APIs in Admin users collection | Edit |
| REST > Admins | REST API Admins Execute | Enables access to all execute APIs in Admin users collection | Edit |
| REST > Admins | REST API Admins Delete | Enables access to all Delete APIs in Admin users collection | Edit |
| REST > Admins | REST API Admins Read | Enables access to all READ only APIs in Admin users collection | Read Only |
| REST > Apps | REST API MAM Blob | Upload download content | Edit |
| REST > Apps | Rest API MAM Apps | Access to managed apps | Edit |
| REST > Apps | REST API Apps Write | Enables access to all write/update APIs in Apps collection | Edit |
| REST > Apps | REST API Apps Execute | Enables access to all execute APIs in Apps collection | Edit |
| REST > Apps | REST API Apps Delete | Enables access to all Delete APIs in Apps collection | Edit |
| REST > Apps | REST API Apps Read | Enables access to all READ only APIs in Apps collection | Read Only |
| REST > Compliance Policy | Rest API Compliance Policy Delete | Enables access to all Delete APIs in Compliance Policy collection | Edit |
| REST > Compliance Policy | Rest API Compliance Policy Execute | Enables access to all Execute APIs in Compliance Policy collection | Edit |
| REST > Compliance Policy | Rest API Compliance Policy Write | Enables access to all Write APIs in Compliance Policy collection | Edit |
| REST > Compliance Policy | Rest API Compliance Policy Read | Enables access to all READ only APIs Compliance Policy collection | Read Only |
| REST > Custom Attributes | Rest API Custom Attributes Execute | Enables access to all execute APIs in Custom Attributes collection | Edit |
| REST > Custom Attributes | Rest API Custom Attributes Write | Enables access to all write APIs in Custom Attributes collection | Edit |
| REST > Custom Attributes | Rest API Custom Attributes Delete | Enables access to all Delete APIs in Custom Attributes collection | Edit |
| REST > Custom Attributes | Rest API Custom Attributes Read | Enables access to all READ only APIs in Custom Attributes collection | Read Only |
| REST > Devices | REST API MDM Smart Groups | Access to smart group info | Edit |
| REST > Devices | REST API MDM User Groups | Access to User Groups | Edit |
| REST > Devices | REST API MDM Profiles | Send Lock/Unlock Commands | Edit |
| REST > Devices | REST API MDM Devices | send lock/unlock commands | Edit |
| REST > Devices | REST API BLOBS Write | Enables access to all write/update only APIs in BLOBS collection | Edit |
| REST > Devices | REST API BLOBS Execute | Enables access to all execute only APIs in BLOBS collection | Edit |
| REST > Devices | REST API BLOBS Delete | Enables access to all delete only APIs in BLOBS collection | Edit |
| REST > Devices | REST API Devices Write | Enables access to all write/update APIs in Devices collection | Edit |
| REST > Devices | REST API Devices Execute | Enables access to all execute APIs in Devices collection | Edit |
| REST > Devices | REST API Devices Delete | Enables access to all Delete APIs in Devices collection | Edit |
| REST > Devices | REST API Devices Advanced | Enables access to all Advanced APIs in Devices collection | Edit |
| REST > Devices | REST API BLOBS Read | Enables access to all read only APIs in BLOBS collection | Read Only |
| REST > Devices | REST API Devices Read | Enables access to all READ only APIs in Devices collection | Read Only |
| REST > REST Enterprise Integration | REST API Enterprise Integration Read | Enables access to all READ only APIs in Enterprise Integration | Read Only |
| REST > Groups | REST API Groups Write | Enables access to all write/update APIs in Organization Group collection | Edit |
| REST > Groups | REST API Groups Execute | Enables access to all execute APIs in Organization Group collection | Edit |
| REST > Groups | REST API Groups Delete | Enables access to all Delete APIs in Organization Group collection | Edit |
| REST > Groups | REST API Smart Groups Write | Enables access to all write APIs in Smart Groups collection | Edit |
| REST > Groups | REST API Smart Groups Execute | Enables access to all execute APIs in Smart Groups collections | Edit |
| REST > Groups | REST API Smart Groups Delete | Enables access to all Delete APIs in Smart Groups collection | Edit |
| REST > Groups | REST API User Groups Write | Enables access to all write/update APIs in User Groups | Edit |
| REST > Groups | REST API User Groups Execute | Enables access to all execute APIs in User Groups | Edit |
| REST > Groups | REST API User Groups Delete | Enables access to all Delete APIs in User Groups | Edit |
| REST > Groups | REST API Cart Write | REST API to save and edit Cart data | Edit |
| REST > Groups | REST API Cart Delete | REST API to delete Cart data | Edit |
| REST > Groups | REST API Apple School Manager Write | REST API to initiate Apple School Manager sync | Edit |
| REST > Groups | REST API Apple School Manager map | REST API to map an enrollment user to a member from Apple School Manager | Edit |
| REST > Groups | REST API Class Assignments Save | REST API call to save class assignments | Edit |
| REST > Groups | REST API Class Write | REST API to save and edit class data | Edit |
| REST > Groups | REST API Class Delete | REST API to delete class data | Edit |
| REST > Groups | REST API Education settings Write | REST API to save and edit Education settings | Edit |
| REST > Groups | REST API Education settings Read | REST API to view Education settings | Edit |
| REST > Groups | REST API Groups Read | Enables access to all READ only APIs in Organization Group collection | Read Only |
| REST > Groups | REST API Smart Groups Read | Enables access to all READ only APIs in Smart Groups collection | Read Only |
| REST > Groups | REST API User Groups Read | Enables access to all READ only APIs in User Groups | Read Only |
| REST > Groups | REST API Apple School Manager Sync Read | REST API to check the Apple School Manager sync status | Read Only |
| REST > Groups | REST API Apps For Device Read | REST API to get a list of apps eligible for a device | Read Only |
| REST > Groups | REST API Class Read | REST API to view class data | Read Only |
| REST > Products | Rest API Products Execute | Enables access to all execute APIs in Products collection | Edit |
| REST > Products | Rest API Products Write | Enables access to all write APIs in Products collection | Edit |
| REST > Products | Rest API Products Delete | Enables access to all Delete APIs in Products collection | Edit |
| REST > Products | Rest API Products Read | Enables access to all READ only APIs in Products collection | Read Only |
| REST > Profiles | Updates Policy Write access | Enables access to all WRITE APIs in Updates Policy collection | Edit |
| REST > Profiles | Updates Policy Execute access | Enables access to all EXECUTE APIs in Updates Policy collection | Edit |
| REST > Profiles | Updates Policy Delete access | Enables access to all DELETE APIs in Updates Policy collection | Edit |
| REST > Profiles | Rest API Profiles Write | Enables access to all write APIs in Profiles collection | Edit |
| REST > Profiles | Rest API Profiles Execute | Enables access to all execute APIs in Profiles collection | Edit |
| REST > Profiles | Rest API Profiles Delete | Enables access to all Delete APIs in Profiles collection | Edit |
| REST > Profiles | Updates Policy Read access | Enables access to all READ only APIs in Updates Policy collection | Read Only |
| REST > Profiles | Rest API Profiles Read | Enables access to all READ only APIs in Profiles collection | Read Only |
| REST > Users | REST API Users Write | Enables access to all write/update APIs in Enrollment users collection | Edit |
| REST > Users | REST API Users Execute | Enables access to all execute APIs in Enrollment users collection | Edit |
| REST > Users | REST API Users Delete | Enables access to all Delete APIs in Enrollment users collection | Edit |
| REST > Users | Rest API User Tokens Read | Enables access to Enrollment user tokens for APIs in Enrollment User collection | Read Only |
| REST > Users | REST API Users Read | Enables access to all READ only APIs for Enrollment users collection | Read Only |