VMware AirWatch 101: Overview of AirWatch REST APIs

Do you ever wish the productivity apps your end-users love had more security features? VMware AirWatch REST APIs can help make this idea a reality by integrating AirWatch REST APIs with existing IT infrastructures and third-party applications. AirWatch API integration extends enterprise mobility management functionality to external programs, and is an efficient, cost-effective alternative to building in-house applications. No wonder REST APIs are a pillar of the AirWatch Developer’s Toolkit!

This post is most appropriate for the following audiences:

Anyone new to VMware AirWatch Enterprise Mobility Management
Anyone new to VMware AirWatch REST API capabilities

If you fall into one of these categories, keep reading to learn about:

Security features of AirWatch REST APIs
AirWatch REST APIs available for integration
Authentication Methods for AirWatch REST APIs
Getting Started configurations in the AirWatch Console

[box type=”info”] If you are already familiar with the topics listed above, and were looking for more technical resources, jump straight to the Learn More section and follow the recommended links[/box]

AirWatch REST API Security Features

Encrypted Communication – REST API calls take place over HTTPS with a certificate signed by a publicly trusted CA.
Two-Factor Authentication – Along with the standard headers, API server authentication requires the following headers:
- Authorization – Authorization header with base 64 encoding of API admin credentials.
- aw-tenant-code – Header value same as API key randomly generated in the AirWatch Console.
Multiple Authentication Options – AirWatch API Admin can authenticate with the API server using Basic/ NTLM, Directory, or Certificate authentication.
Configurable API Admin Permissions – Default and custom admin roles can restrict the API admin to a limited set of API actions.
Advanced On-Premise Settings – On-premises deployments can restrict server throttling and set daily quotas to prevent API overflows and potential service crashes.

Available AirWatch REST APIs

Integrate VMware AirWatch’s REST APIs with third party applications, programs, and processes, and take enterprise mobility management beyond the VMware AirWatch solution.

Authentication Methods for AirWatch REST APIs

VMware AirWatch supports multiple ways for Console Admin Users to authenticate into the API server:

Basic Authentication

Authentication into the API server uses a generic username and password. Implementation is simple. However, this authentication model does not integrate with existing corporate user accounts.[learn_more caption=” Basic Authentication Authorization Header”] The authorization header should hold the value in the following example format:

 GET https://host/api/mdm/devices/bulksettings HTTP/1.1

 User-Agent: Fiddler aw-tenant-code: 1FC5H4JAAAG5A4SQAMQA

 Host – host.com

 Authorization – Basic bW9oYW46bW9oYW4=[/learn_more]

Certificate Authentication

Uses a self-signed certificate generated by the AirWatch Console for API Server authentication. AirWatch certificate-based API authentication accepts incoming requests with CMS signatures and CMSURL authentication schemes.[learn_more caption=”CMS Signatures Authorization Header”] Expects the signature against the message content, and takes the following format.

Authorization:CMS’< Version >< CREDENTIALS >

< Version > information.

< CREDENTIALS > is the Base64 Encoded data of “message content” signed with client certificate using PKCS9 signing.[/learn_more][learn_more caption=”CMSURL Scheme Authorization Header”]Expects the signature against the application path in the URL, and takes the following format.

Authorization:CMSURL’< Version >< CREDENTIALS >

< Version > information.

< CREDENTIALS > is the Base64 Encoded data of “canonical URI resource encoded using UTF-8 format” signed with client certificate using PKCS9 signing.[/learn_more]

Directory-Based Authentication

Authentication into the API server uses existing corporate credentials. This method integrates existing corporate accounts from Directory Services with AirWatch user and admin accounts.

Enable AirWatch REST APIs

To enable API access in the AirWatch Console:

Log into the AirWatch Console.
Navigate to Groups & Settings> All Settings > System > Advanced > API > REST API.
Configure the General, Authentication, and the Advanced tab.

[learn_more caption=”a. Configure General tab settings.”]

Enable API Access – Select Enabled to generate the API authentication key.
Add – Select to generate multiple the API key for one or multiple servers. Then, configure the related settings.

[three_fourth_last]

Service – Enter one or multiple service(s) and generate their independent API keys.
Account Type – Select the type of the account. To access the Mobile Content Management Personal Content APIs, select Enrollment User.
Description – Provide a short description for the service and generated API key.
Whitelisted Domains – Specify the domains where the API key is valid.[/three_fourth_last]

[/learn_more][learn_more caption=”b. Configure the Authentication Tab”]Enable Basic, Directory, or Certificate based authentication.

[/learn_more][learn_more caption=”c. Configure the Advanced tab.”]At the Global Organization Group level, specify default service throttling and daily quota values.

Server Throttling – Set the server bandwidth throttling. When server reaches the specified throttling limit, it offloads new requests and not respond to them.
Daily Quota – Set the number of API calls to be sent per day.[/learn_more]

Configure API Access

After enabling APIs, configure API access. First, create a dedicated administrator account for API authentication. Then, select an authentication method. Finally, provision roles with specific API privileges to the administrator.

Navigate to Accounts > Administrators > List View.
Click Add> Add Admin.
Configure the following tabs:[learn_more caption=”a. On the Basic tab, complete the required fields to create a dedicated admin for API access.”] [/learn_more] [learn_more caption=”b. Click the Roles tab, and specify the admin role’s API authentication permissions.”][/learn_more][learn_more caption=”c. On the API tab, select the Authentication method from the drop-down menu.”]If configuring certificate authentication, select Certificates from the Authentication drop-down menu, and enter the same password provided on the Basic tab for Certificate Password.[/learn_more]
Select Save to create the API Admin Account with defined access permissions.

Summary

Use VMware AirWatch REST APIs as an efficient way to leverage core enterprise mobility management functionality in enterprise servers, programs, and processes. These APIs facilitate custom application development and integration with AirWatch.

Learn More

API Help Page – Learn about REST APIs setup and view comprehensive documentation Navigate to https://{apiURL}/api/help and authenticate using API admin credentials.
Hands-On Lab – Select Module 5, Introduction to AirWatch REST APIs. Complete the exercises in roughly 30 minutes.
VMware AirWatch REST API Guide – Access technical reference material in the manual.

With contributions from:

Hannah Jernigan, Technical Writer, End User Computing Technical Marketing, VMware

AirWatch REST API Security Features

Available AirWatch REST APIs

Authentication Methods for AirWatch REST APIs

Basic Authentication

Certificate Authentication

Directory-Based Authentication

Enable AirWatch REST APIs

Configure API Access

Summary

Learn More

Related Articles

Beware of CryptoChameleon, the new phishing threat that uses social engineering to trick victims

7 critical areas of your mobile security plan to lock down in 2024

The evolution of COPE Android devices and Workspace ONE

Delivering security everywhere to enable work from anywhere: Workspace ONE announcements from RSA 2023

VMware Workspace ONE Mobile Threat Defense wins gold, VMware wins 11 awards at the 2023 Cybersecurity Excellence Awards