How to proxy your Workspace ONE UEM traffic to Fiddler, and retrieve the Android Enterprise access token

Workspace ONE allows you to present the exact user experience your use case requires. One of the things that Workspace ONE UEM does a great job with is interacting with various APIs across all the major operating systems. There can be times when you might wish to interact with those APIs directly. Examples of APIs that could be helpful include Google's Play EMM API and the Android Management API.



A scenario where this could be useful is when you want to retrieve a set of data that isn't currently captured by Workspace ONE UEM. If there is something you wish Workspace ONE captured, don't hesitate to submit a Feature Request on the crowdsourced portal. In the meantime, this blog will cover how to update the access token used with Android Enterprise, and how to retrieve the access token with Fiddler. 

Configure on-premise environment to proxy traffic:
  1. Open Fiddler and make sure it is capturing traffic. For reference, Fiddler and Microsoft Windows are configured to proxy traffic as follows:

    Set Internet Options to proxy traffic back to 127.0.0.1 and the port Fiddler is listening on.
    Fiddler is set to listen on the same port used in Internet Options

    Ensure Fiddler is capturing HTTPS traffic, ignoring certificate errors, listening for ssl2, ssl3, tls1.0, tls1.1, and tls1.2 traffic. 

  2. Log in to the Workspace ONE UEM console



  3. Navigate to Groups & Settings -> All Settings -> Installation -> Proxy



  4. Configure the SOCKS5 Proxy Settings, Console Proxy Settings, and Device Services Proxy Settings to use your Fiddler proxy
  5. Click 'Save'
  6. Open Microsoft Windows Services (services.msc); restart IIS and the AirWatch Messaging Service
  7. All set! Workspace ONE UEM traffic will now be visible in Fiddler

At this point, you can begin using Fiddler to inspect traffic. I had a particular scenario where I needed to interact with the Google Play EMM API, so I will now cover how to renew the access token with Workspace ONE UEM.

Update Google EMM API access token
  1. Log in to the Workspace ONE UEM console



  2. Navigate to Apps & Books -> Native -> Public and click 'Add Application'
  3. Click the dropdown and select 'Android', followed by 'Import from Play'



  4. In the next screen that appears, click cancel.



  5. If you had Fiddler open, take a look at some of the events. What we see here is Workspace ONE UEM reaching out to Google to get groupLicenses for the EMM account. Google returns a 401 Unauthorized response, Workspace ONE UEM fetches a new OAuth token, and then it attempts to get the groupLicenses once again.



  6. Click on the event with the OAuth token. Then, on the lower-right side of Fiddler, you can view the response by clicking on 'TextView'



  7. There it is, the updated OAuth access token. This is a short-lived access token that will allow you to interact with the EMM APIs. The number 3599 indicates the token will expire in 59 minutes and 59 seconds.

Don't forget to reset your proxy settings in the Workspace ONE UEM console and Windows Internet Options before closing Fiddler. If the settings are not reverted and Fiddler is closed, the console will be unable to proxy traffic to Fiddler. This will result in odd behavior such as the management console failing to load.
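
A check for the Windows half of that cleanup, as an added example that is not part of the original post: it reads the current user's Internet Options proxy values from the registry and warns when the proxy is enabled and points at a loopback port with nothing listening, which is the state left behind when Fiddler is closed before the settings are reverted. The function names are made up for this example, and the Workspace ONE UEM console proxy settings still have to be checked in the console itself.

```powershell
# Added example: find a leftover loopback proxy in the current user's Internet Options.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyEndpoint {
    param([string]$ProxyServer)
    # ProxyServer holds "host:port" or per-protocol "http=host:port;https=host:port".
    foreach ($entry in ($ProxyServer -split ';')) {
        $hostPort = ($entry -split '=')[-1].Trim()
        if ($hostPort -match '^(?<addr>[^:/]+):(?<port>\d+)$') {
            [pscustomobject]@{ Address = $Matches['addr']; Port = [int]$Matches['port'] }
        }
    }
}

function Test-LocalListener {
    param([int]$Port)
    # True when a local process (for example Fiddler) is listening on the port.
    [bool](Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
}

$settings = Get-ItemProperty -Path $key
$stale = @()
if ($settings.ProxyEnable -eq 1) {
    # De-duplicate so an identical http/https pair is reported once.
    $endpoints = Get-ProxyEndpoint $settings.ProxyServer | Sort-Object Address, Port -Unique
    foreach ($ep in $endpoints) {
        $loopback = $ep.Address -in @('127.0.0.1', 'localhost')
        if ($loopback -and -not (Test-LocalListener $ep.Port)) { $stale += $ep }
    }
}

if ($stale.Count -gt 0) {
    foreach ($ep in $stale) {
        Write-Warning "Proxy is enabled for $($ep.Address):$($ep.Port) but nothing is listening there."
    }
    Write-Warning 'Revert the proxy in Internet Options (and in the UEM console) or restart Fiddler.'
} else {
    Write-Output 'No stale loopback proxy found in Internet Options.'
}
```

Run it as the same Windows user whose Internet Options were changed, since the values live under that user's registry hive.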
