
VMware AirWatch 101: AirWatch REST APIs


Do you ever wish the productivity apps your end-users love had more security features? VMware AirWatch REST APIs can help make this idea a reality by integrating with existing IT infrastructures and third-party applications. AirWatch API integration extends enterprise mobility management functionality to external programs, and is an efficient, cost-effective alternative to building in-house applications. No wonder REST APIs are a pillar of the AirWatch Developer’s Toolkit!

This post is most appropriate for the following audiences:

  • Anyone new to VMware AirWatch Enterprise Mobility Management
  • Anyone new to VMware AirWatch REST API capabilities

If you fall into one of these categories, keep reading to learn about:

  • Security features of AirWatch REST APIs
  • AirWatch REST APIs available for integration
  • Authentication Methods for AirWatch REST APIs
  • Getting Started configurations in the AirWatch Console

If you are already familiar with the topics listed above and are looking for more technical resources, jump straight to the Learn More section and follow the recommended links.

AirWatch REST API Security Features

  • Encrypted Communication – REST API calls take place over HTTPS with a certificate signed by a publicly trusted CA.
  • Two-Factor Authentication – Along with the standard headers, API server authentication requires the following headers:
    • Authorization – Authorization header with Base64 encoding of API admin credentials.
    • aw-tenant-code – Header value is the API key randomly generated in the AirWatch Console.
  • Multiple Authentication Options – The AirWatch API admin can authenticate with the API server using Basic/NTLM, Directory, or Certificate authentication.
  • Configurable API Admin Permissions – Default and custom admin roles can restrict the API admin to a limited set of API actions.
  • Advanced On-Premises Settings – On-premises deployments can restrict server throttling and set daily quotas to prevent API overflows and potential service crashes.

Available AirWatch REST APIs

Integrate VMware AirWatch’s REST APIs with third-party applications, programs, and processes, and take enterprise mobility management beyond the VMware AirWatch solution.

Authentication Methods for AirWatch REST APIs

VMware AirWatch supports multiple ways for Console Admin Users to authenticate into the API server:

Basic Authentication

Authentication into the API server uses a generic username and password. Implementation is simple. However, this authentication model does not integrate with existing corporate user accounts.

Basic Authentication Authorization Header

The authorization header should hold the value in the following example format:

 GET https://host/api/mdm/devices/bulksettings HTTP/1.1
 User-Agent: Fiddler
 aw-tenant-code: 1FC5H4JAAAG5A4SQAMQA
 Host:
 Authorization: Basic bW9oYW46bW9oYW4=
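The Basic Authorization value is Base64-encoded, not encrypted, which is why the HTTPS requirement and a dedicated API admin account matter. The following is an added example, not code from the original post or from VMware: it builds the two required headers and reviews a captured request. The function names are assumptions, and the sample request is constructed from the values shown above with the empty Host header left out.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: the request from the post, Host header omitted.
SAMPLE_REQUEST = (
    "GET https://host/api/mdm/devices/bulksettings HTTP/1.1\r\n"
    "User-Agent: Fiddler\r\n"
    "aw-tenant-code: 1FC5H4JAAAG5A4SQAMQA\r\n"
    "Authorization: Basic bW9oYW46bW9oYW4=\r\n"
    "\r\n"
)


def basic_auth_headers(username, password, tenant_code):
    """Build the two headers the API server expects for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", "aw-tenant-code": tenant_code}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, url, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, url, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers


def review_request(raw):
    """Return findings a reviewer would raise about a captured API request."""
    _method, url, headers = parse_request(raw)
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("request is not HTTPS: credentials travel in cleartext")
    if not headers.get("aw-tenant-code"):
        findings.append("aw-tenant-code header missing")
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        findings.append(f"Basic header decodes to user '{user}' (Base64 is not encryption)")
        if user == password:
            findings.append("password equals username")
    return findings
```

Running `review_request` over proxy or gateway captures shows which integrations would expose reusable admin credentials if a request ever left TLS.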

Certificate Authentication

Authentication into the API server uses a self-signed certificate generated by the AirWatch Console. AirWatch certificate-based API authentication accepts incoming requests with CMS signatures and CMSURL authentication schemes.

CMS Signatures Authorization Header

Expects the signature against the message content, and takes the following format.

 Authorization:CMS’< Version >< CREDENTIALS >

 < Version > information.

 < CREDENTIALS > is the Base64 Encoded data of “message content” signed with client certificate using PKCS9 signing.

CMSURL Scheme Authorization Header

Expects the signature against the application path in the URL, and takes the following format.

 Authorization:CMSURL’< Version >< CREDENTIALS >

 < Version > information.

 < CREDENTIALS > is the Base64 Encoded data of “canonical URI resource encoded using UTF-8 format” signed with client certificate using PKCS9 signing.

Directory-Based Authentication

Authentication into the API server uses existing corporate credentials. This method integrates existing corporate accounts from Directory Services with AirWatch user and admin accounts.

Enable AirWatch REST APIs

To enable API access in the AirWatch Console:

  1. Log into the AirWatch Console.
  2. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.
  3. Configure the General, Authentication, and Advanced tabs.

a. Configure General tab settings.

  • Enable API Access – Select Enabled to generate the API authentication key.
  • Add – Select to generate the API key for one or multiple servers. Then, configure the related settings:
    • Service – Enter one or multiple service(s) and generate their independent API keys.
    • Account Type – Select the type of the account. To access the Mobile Content Management Personal Content APIs, select Enrollment User.
    • Description – Provide a short description for the service and generated API key.
    • Whitelisted Domains – Specify the domains where the API key is valid.

b. Configure the Authentication tab.

Enable Basic, Directory, or Certificate-based authentication.

c. Configure the Advanced tab.

At the Global Organization Group level, specify default service throttling and daily quota values.

  • Server Throttling – Set the server bandwidth throttling. When the server reaches the specified throttling limit, it offloads new requests and does not respond to them.
  • Daily Quota – Set the number of API calls to be sent per day.

Configure API Access

After enabling APIs, configure API access. First, create a dedicated administrator account for API authentication. Then, select an authentication method. Finally, provision roles with specific API privileges to the administrator.

  1. Navigate to Accounts > Administrators > List View.
  2. Click Add > Add Admin.
  3. Configure the following tabs:
    a. On the Basic tab, complete the required fields to create a dedicated admin for API access.
    b. Click the Roles tab, and specify the admin role’s API authentication permissions.
    c. On the API tab, select the Authentication method from the drop-down menu. If configuring certificate authentication, select Certificates from the Authentication drop-down menu, and enter the same password provided on the Basic tab for Certificate Password.
  4. Select Save to create the API Admin Account with defined access permissions.


Use VMware AirWatch REST APIs as an efficient way to leverage core enterprise mobility management functionality in enterprise servers, programs, and processes. These APIs facilitate custom application development and integration with AirWatch.

Learn More

  • API Help Page – Learn about REST API setup and view comprehensive documentation. Navigate to https://{apiURL}/api/help and authenticate using API admin credentials.
  • Hands-On Lab – Select Module 5, Introduction to AirWatch REST APIs. Complete the exercises in roughly 30 minutes.
  • VMware AirWatch REST API Guide – Access technical reference material in the manual.

With contributions from:

Hannah Jernigan, Technical Writer, End User Computing Technical Marketing, VMware
