Capturing and creating configurations with Workspace ONE UEM APIs

APIs in Workspace ONE UEM continue to be a popular topic when working with clients. APIs allow you to integrate other products and services, while also giving you the flexibility to build your own toolsets if needed. Treating enterprise configurations as source code is one challenge I have been working on lately, and in this blog post we will look at creating Android profiles with the appropriate configuration using the Workspace ONE UEM APIs.






HTTP Verb | Workspace ONE UEM API Endpoint
GET       | /profiles/{profileId}
POST      | /profiles/platforms/android/create



The table above lists the HTTP verb and API endpoints being used in this example.

If you have development, user acceptance testing (UAT) and production environments, you could capture the configuration used in development, then post the configuration to the API endpoint in UAT and production. This should reduce mistakes when committing your changes, and allow you to store your configurations in a centralized software code management tool.

Let's look at how to capture the profile. Below you see the cURL code snippet for a profile ID with a value of 86:

curl --location --request GET 'https://ws1.ryanpringnitz.com/API/mdm/profiles/86' \
--header 'Accept: application/json;version=2' \
--header 'Authorization: Basic SGF3YWlpNG1l' \
--header 'aw-tenant-code: a/D3ariE08ltuYjgecv2jnW/mi41in3lYUd9vHlK0hk='



The result set returns as JSON, and is as follows:

{
    "AndroidForWorkWifiList": [
        {
            "ServiceSetIdentifier": "devtest",
            "SecurityType": "WPA",
            "Password": "*****",
            "SetAsActiveNetwork": true,
            "HiddenNetwork": false,
            "EnterprisePassword": "*****"
        }
    ],
    "General": {
        "ProfileId": 86,
        "AfwOemSettingsEnabled": false,
        "AfwOemType": 0,
        "Name": "_Molokai Bank - Use Case XYZ",
        "Description": "Hifi Wifi",
        "ProfileScope": "Both",
        "Version": 3,
        "AssignmentType": "Auto",
        "EnableProvisioning": false,
        "IsActive": true,
        "IsManaged": true,
        "Password": "",
        "AllowRemoval": "Never",
        "AssignedSmartGroups": [
            {
                "SmartGroupId": 10,
                "Name": "_Molokai Bank - Use Case XYZ"
            }
        ],
        "ExcludedSmartGroups": [],
        "ManagedLocationGroupID": 570,
        "AssignedSchedule": [],
        "ProfileUuid": "e9b3ba21-a06b-4df4-8581-6741dd9e4b0a"
    }

}


Interesting. Let's break down some of the important details, especially as they could vary from environment to environment. The ManagedLocationGroupID has a numeric value of 570, the password is hidden, and we can see the profile is for Android devices. Every organization group (OG) in Workspace ONE UEM has a numeric value assigned to it, so the value of 570 is important to note. If your development environment has a different OG ID than your other environments, make sure to put the correct ManagedLocationGroupID value in its place. The password is not returned for security reasons, so it will need to be updated as well.

Let's look at creating this profile in another environment. Below you see the profiles already in an environment:



Here we have the JSON which will be included in the POST. I have updated the password values before issuing the cURL command:

{
  "AndroidForWorkWifiList": [
    {
      "ServiceSetIdentifier": "devtest",
      "SecurityType": "WPA",
      "Password": "12345678",
      "SetAsActiveNetwork": true,
      "HiddenNetwork": false,
      "EnterprisePassword": "12345678"
    }
  ],
  "General": {
    "ProfileId": 86,
    "AfwOemSettingsEnabled": false,
    "AfwOemType": 0,
    "Name": "_Molokai - Wifi Test",
    "Description": "",
    "ProfileScope": "Both",
    "Version": 1,
    "AssignmentType": "Auto",
    "EnableProvisioning": false,
    "IsActive": true,
    "IsManaged": true,
    "Password": "",
    "AllowRemoval": "Never",
    "ExcludedSmartGroups": [],
    "ManagedLocationGroupID": 570,
    "AssignedSchedule": [],
    "ProfileUuid": "e9b3ba21-a06b-4df4-8581-6741dd9e4b0a"
  }

}

After we send the POST request, the API returns an HTTP 200 status code, which indicates success. The cURL command issued to the API endpoint is below for reference:

curl -X POST \
--header 'Content-Type: application/json' \
--header 'Accept: application/json;version=2' \
--header 'Authorization: Basic SGF3YWlpNG1l' \
--header 'aw-tenant-code: a/D3ariE08ltuYjgecv2jnW/mi41in3lYUd9vHlK0hk=' \
-d '{
   "AndroidForWorkWifiList": [
     {
       "ServiceSetIdentifier": "devtest",
       "SecurityType": "WPA",
       "Password": "12345678",
       "SetAsActiveNetwork": true,
       "HiddenNetwork": false,
       "EnterprisePassword": "12345678"
     }
   ],
   "General": {
     "ProfileId": 86,
     "AfwOemSettingsEnabled": false,
     "AfwOemType": 0,
     "Name": "_Molokai - Wifi Test",
     "Description": "",
     "ProfileScope": "Both",
     "Version": 1,
     "AssignmentType": "Auto",
     "EnableProvisioning": false,
     "IsActive": true,
     "IsManaged": true,
     "Password": "",
     "AllowRemoval": "Never",
     "ExcludedSmartGroups": [],
     "ManagedLocationGroupID": 570,
     "AssignedSchedule": [],
     "ProfileUuid": "e9b3ba21-a06b-4df4-8581-6741dd9e4b0a"
   }
 }' 'https://ws1.ryanpringnitz.com/API/mdm/profiles/platforms/android/create'


Finally we see the profile is created in the environment, as expected:


In our software code management repository, we would commit the captured configuration. Then when committing changes to different environments (or recovering if the environment is lost), we would send the POST request. This allows us to create configurations in different environments.
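The capture-then-POST workflow above, as an added Python example that is not part of the original post: the masked capture is what gets committed, and the per-environment OG ID and Wi-Fi password are filled in only when the POST body is built. The function names, the WIFI_PSK variable and OG ID 1234 are hypothetical, and the sample capture is a trimmed, constructed copy of the response shown earlier.

```python
import copy
import json
import os

MASK = "*****"  # how the GET response on this page hides secret values

# Constructed sample: trimmed copy of the GET /profiles/86 response shown above.
CAPTURED = json.loads("""
{"AndroidForWorkWifiList": [{"ServiceSetIdentifier": "devtest",
    "SecurityType": "WPA", "Password": "*****", "EnterprisePassword": "*****"}],
 "General": {"ProfileId": 86, "Name": "_Molokai Bank - Use Case XYZ",
    "AssignedSmartGroups": [{"SmartGroupId": 10}],
    "ManagedLocationGroupID": 570}}
""")


def fill_secrets(node, secrets, path=""):
    """Replace masked values in place; return the JSON paths left unfilled."""
    missing = []
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in items:
        here = f"{path}/{key}"
        if isinstance(value, (dict, list)):
            missing += fill_secrets(value, secrets, here)
        elif value == MASK:
            if here in secrets:
                node[key] = secrets[here]
            else:
                missing.append(here)
    return missing


def prepare_for_environment(captured, og_id, secrets):
    """Build the POST body for one environment; the captured copy is untouched."""
    body = copy.deepcopy(captured)
    body["General"]["ManagedLocationGroupID"] = og_id
    # Dropped to match the POST body on this page, which omits the smart groups.
    body["General"].pop("AssignedSmartGroups", None)
    missing = fill_secrets(body, secrets)
    if missing:  # refuse to send "*****" as a real Wi-Fi password
        raise ValueError("no secret supplied for: " + ", ".join(missing))
    return body


if __name__ == "__main__":
    # WIFI_PSK and OG ID 1234 are hypothetical; the fallback value is constructed.
    psk = os.environ.get("WIFI_PSK", "constructed-demo-psk")
    secrets = {"/AndroidForWorkWifiList/0/Password": psk,
               "/AndroidForWorkWifiList/0/EnterprisePassword": psk}
    print(json.dumps(prepare_for_environment(CAPTURED, 1234, secrets), indent=2))
```

The output of prepare_for_environment is the JSON to pass to the POST; it contains the real password, so it should be generated at deploy time rather than written back to the repository.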

Mahalo,
Ryan Pringnitz
