How to proxy your Workspace ONE UEM traffic to Fiddler, and retrieve the Android Enterprise access token

Workspace ONE allows you to present the exact user experience your use case requires. One of the things that Workspace ONE UEM does a great job with is interacting with various API's across all the major operating systems. There can be times when you might wish to interact with those API's directly. Some examples of the types of API's that could be helpful would include: Google's Play EMM API or the Android Management API.



A scenario where this could be useful is when you want to retrieve a set of data that isn't currently captured by Workspace ONE UEM. If there is something you wish Workspace ONE captured, don't hesitate to submit a Feature Request on the crowdsourced portal. In the meantime, this blog will cover how to update the access token used with Android Enterprise, and how to retrieve the access token with Fiddler. 

Configure on-premise environment to proxy traffic:
  1. Open Fiddler, and make sure it is capturing traffic. For reference on how to configure Fiddler and Microsoft Windows to proxy traffic see below;

    Set Internet Options to proxy traffic back to 127.0.0.1 and the port Fiddler is listening on.
    Fiddler is set to listen on the same port used in Internet Options

    Ensure Fiddler is capturing HTTPS traffic, ignoring certificate errors, listening for ssl2, ssl3, tls1.0, tls1.1, and tls1.2 traffic. 

  2. Login to Workspace ONE UEM console



  3. Navigate to Groups & Settings -> All Settings -> Installation -> Proxy



  4. Configure the SOCKS5 Proxy Settings, Console Proxy Settings, and Device Services Proxy Settings to use your Fiddler proxy
  5. Click 'Save'
  6. Open Microsoft Windows Services (services.msc); restart IIS and the AirWatch Messaging Service
  7. All Set! Workspace ONE UEM traffic will now be visible in Fiddler

At this point, you can begin using Fiddler to inspect traffic. I had a particular scenario where I needed to interact with the Google Play EMM API, so I will now cover how to renew the access token with Workspace ONE UEM.

Update Google EMM API access token
  1. Login to Workspace ONE UEM console



  2. Navigate to Apps & Books -> Native -> Public and click 'Add Application'
  3. Click the dropdown and select 'Android', followed by 'Import from Play'



  4. In the next screen that appears, click cancel.



  5. If you had Fiddler open, take a look at some of the events. What we see here is Workspace ONE UEM reach out to Google to get groupLicenses about the EMM account. Google returns a 401 unauthorized response. Workspace ONE UEM fetches a new OAuth token. Then attempts to get the groupLicenses once again.



  6.  Click on the event with the OAuth token. Then on the lower-right side of FIddler, you can view the response by clicking on 'TextView'



  7.  There it is, the updated OAuth access token. This a short-lived access token, that will allow you to interact with the EMM API's. The number 3599 indicates the token will expire in 59 minutes and 59 seconds.

Don't forget to reset your proxy settings in the Workspace ONE UEM console and Windows Internet Options before closing Fiddler. If the settings are not reverted, and Fiddler is closed; the console will be unable to proxy traffic to Fiddler. This will result in odd behavior such as the management console failing to load.

Location: Kōkeʻe State Park, Hanapepe, HI 96716, USA

Comments

Post a Comment

Popular posts from this blog

Delivering Managed Configurations (key/value pairs) to Android applications with Workspace ONE UEM profiles

Image
Applications often have secrets that should not be hardcoded in the source code. This poses a challenge for developers, as ProGuard can change classes and method names, it won't help with secrets. Examples of secrets that can be removed from application source code include an API key or a OAuth refresh token. Another capability is for the MDM to dynamically deliver values to the application, such as the current logged in user, device serial number, or organization group. Google has made it more challenging to access non-resettable device identifiers like the serial number in recent years, and this remains a viable solution to provide non-resettable device identifiers (and other values) to applications running on the device. So how do we do it? Workspace ONE UEM can deliver profiles to devices. Profiles can configure a number of settings, in addition to delivering key/value pairs to your applications.  Google refers to these key/value pairs as Managed Configurations, aka application
Read more

How to use Square's OkHttp Java library to access Workspace ONE UEM API's

Image
Digital workspace solutions often require consuming other services. When doing so, you may work with things like; REST API endpoints, Webhooks, gRPC, GraphQL - the list goes on. You can interact with these in a number of ways, but one way I've come to appreciate is with Java. It has been especially helpful when I've wanted to work with libraries like Appium, Selenium, OKHttp, or the Workspace ONE UEM SDK in a workflow. With that, I thought it would be helpful to share how to work with Workspace ONE UEM API's using Java. In this blog post, we will cover; Basics of JetBrain's IntelliJ IDE, touching on Apache Maven Using  Square's OkHttp   library  to call Workspace ONE UEM API's Why Java? Java is used by many and supported by most (Docker, Kubernetes, static code analysis tools, cloud service providers, Android, Windows, macOS, Tanzu Application Service, etc). Many languages compile to j ava
Read more

How to use Powershell with the Workspace ONE UEM API to search for users

Image
Using API's has been infinitely helpful in integrating Workspace ONE UEM with other enterprise services and applications. A question was asked recently about forming the correct HTTP header using Powershell, and returning the users in the users. Below is an example Powershell script I was able to create for this example. Make sure to include base64 encoded credentials in a folder (c:\creds\b64.txt in the example), and to update the $apiKey variable with an API key. #Workspace ONE UEM Environment Address / Authentication  $addy   =   "https://ws1.molokaibank.com" $b64   =   Get-Content   -Path   "c:\creds\b64.txt" $apiKey   =   "apikey" $b64EncodedAuth   =   " $b64 " # Header $content   =   "application/json"   $authHeader   =   "Basic "   +   $b64EncodedAuth $header   =  @{ "Authorization"   =   $authHeader ;  "aw-tenant-code"   =   $apiKey ;  "Accept"   =   $content ; 
Read more