Technical blog post

Workspace ONE UEM provides a collection of APIs that allow IT infrastructures and third-party applications to use product functionalities. Leveraging REST-based APIs offers several benefits for enterprises, including eliminating cost and time spent developing applications in-house. This post will demonstrate how you can authenticate and access Workspace ONE APIs.

This post is most appropriate for the following audiences:

  • Anyone new to VMware Workspace ONE
  • Anyone new to VMware Workspace ONE REST APIs
  • Anyone with basic PowerShell expertise

About Workspace ONE API

The Workspace ONE UEM API supports multiple types of authentication. In each case, the credentials are sent in the Authorization request header. The supported types are:

  • Basic authentication
  • Certificate authentication
  • OAuth authentication (recommended)

To access detailed API documentation, navigate to the Workspace ONE UEM API help page using the following:

  • https://[your_console_domain]/api/help

To find your REST API URL, navigate to System Settings.

code table

API key

All types of API authentication require an additional API key generated by an administrator to be sent with the request. This key is sent as “aw-tenant-code” in the request header.

To get the Workspace ONE API key, go to System Settings. You can create a new API key or copy an existing one.

Rest API settings

Basic authentication

This type of authentication requires the Base64-encoded username and password of an admin account that was created on a Workspace ONE console and has API access.

Follow these steps to create a basic authorization header using PowerShell:

Powershell code

Once complete, you can use the authorization and API key in the request header to perform an API action. The header structure will be similar to the following:

Powershell code

Certificate authentication

This type of authentication provides API access using a self-signed certificate generated for admin users of the Workspace ONE admin console.

Certificate authentication supports two types of authentication schemes:

  • CMS: The request message content should be signed with a client certificate using PKCS9 signing.
  • CMSURL: The request's canonical URI resource should be encoded using UTF-8 format and signed with a client certificate using PKCS9 signing.

The authentication scheme must be part of the authorization header. The format of the authorization header is as follows:

Authorization: CMSURL'<Version> <CREDENTIALS>

  • <Version>: version information, usually 1.
  • <CREDENTIALS>: the Base64-encoded data of the “canonical URI resource encoded using UTF-8 format” signed with the client certificate using PKCS9 signing.

In this tutorial, we will use the CMSURL scheme.

Generate an admin client certificate

  • Log in to the Workspace ONE UEM Console and go to admin edit mode.

List view

  • When the edit modal is open, click the API tab.

Add/edit admin page

  • Now, export the client certificate.

API page

Create an authorization header using the CMSURL scheme

The following is the PowerShell code to generate the authorization header.

CMSURL scheme code

Once complete, you can use the authorization and API key in the request header to perform an API action. The header structure will be similar to the following:

Powershell code
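
One way to build the CMSURL header described above, as an added example rather than the post's own code. It assumes Windows PowerShell 5.1, a client certificate exported as a password-protected PFX file, and that the canonical URI resource is the path portion of the request URL; the function and parameter names are hypothetical.

```powershell
# Added example, not the post's code. New-CmsUrlAuthHeader and its parameters are hypothetical names.
# Windows PowerShell 5.1: System.Security holds the System.Security.Cryptography.Pkcs types.
Add-Type -AssemblyName System.Security

function New-CmsUrlAuthHeader {
    param(
        [Parameter(Mandatory)] [uri]          $RequestUri,   # full URL of the API call being made
        [Parameter(Mandatory)] [string]       $PfxPath,      # client certificate exported from the console (assumed PFX)
        [Parameter(Mandatory)] [securestring] $PfxPassword,  # export password, kept out of the script text
        [Parameter(Mandatory)] [string]       $ApiKey        # API key, sent as aw-tenant-code
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
    if (-not $cert.HasPrivateKey) {
        throw "The certificate in '$PfxPath' has no private key, so it cannot sign requests."
    }

    # Assumption: the canonical URI resource is the URL's absolute path, encoded as UTF-8.
    $content = [System.Text.Encoding]::UTF8.GetBytes($RequestUri.AbsolutePath)

    # Detached CMS signature over the path: the header carries the signature, not the signed bytes.
    $contentInfo = [System.Security.Cryptography.Pkcs.ContentInfo]::new($content)
    $signedCms   = [System.Security.Cryptography.Pkcs.SignedCms]::new($contentInfo, $true)
    $signer      = [System.Security.Cryptography.Pkcs.CmsSigner]::new($cert)
    $signer.IncludeOption = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::EndCertOnly
    $signer.SignedAttributes.Add([System.Security.Cryptography.Pkcs.Pkcs9SigningTime]::new()) | Out-Null
    $signedCms.ComputeSignature($signer)

    # <CREDENTIALS> is the Base64 of the encoded CMS message; <Version> is 1.
    $credentials = [Convert]::ToBase64String($signedCms.Encode())

    @{
        'Authorization'  = "CMSURL'1 $credentials"
        'aw-tenant-code' = $ApiKey
    }
}

# Usage (placeholders in angle brackets are not real values):
#   $pw      = Read-Host -Prompt 'PFX password' -AsSecureString
#   $headers = New-CmsUrlAuthHeader -RequestUri '<full API URL>' -PfxPath '<path to .p12>' `
#                                   -PfxPassword $pw -ApiKey '<API key>'
#   Invoke-RestMethod -Uri '<full API URL>' -Headers $headers
# The signature covers the path, so build a new header for each different resource path.
```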

OAuth authentication

OAuth is the recommended form of authentication.

It requires a bearer token in the authorization header to authenticate to the API. You will need a client ID and a client secret to generate a token.

  • Go to OAuth Client Management in Workspace ONE.

Configurations page

  • Register a new OAuth client.

Register a new client

After saving the client, copy the client ID and client secret and save them in a safe place, as once you close the modal, you cannot retrieve the client secret again.

  • Get the access token.

The access token URL depends on your Workspace ONE region. A VMware article lists all access token URLs.

Now, we will demonstrate how to get an access token using PowerShell:

Powershell code

Once complete, you can use the authorization and API key in the request header to perform an API action. The header structure will be similar to the following: 

Powershell code

The full source code, including the execution of an API request, is in the following GitHub repository.

Conclusion 

OAuth authentication is the recommended method among the different authentication types for your production applications that leverage Workspace ONE APIs. 
