VMware AirWatch 101: AirWatch REST APIs

VMware AirWatch 101: AirWatch REST APIs

This post was originally published on this site ---

With contributions from:

Hannah Jernigan, Technical Writer, End User Computing Technical Marketing, VMware

Do you ever wish the productivity apps your end-users love had more security features? VMware AirWatch REST APIs can help make this idea a reality by integrating AirWatch REST APIs with existing IT infrastructures and third-party applications. AirWatch API integration extends enterprise mobility management functionality to external programs, and is an efficient, cost-effective alternative to building in-house applications. No wonder REST APIs are a pillar of the AirWatch Developer’s Toolkit!

This post is most appropriate for the following audiences:

  • Anyone new to VMware AirWatch Enterprise Mobility Management
  • Anyone new to VMware AirWatch REST API capabilities

If you fall into one of these categories, keep reading to learn about:

  • Security features of AirWatch REST APIs
  • AirWatch REST APIs available for integration
  • Authentication Methods for AirWatch REST APIs
  • Getting Started configurations in the AirWatch Console
If you are already familiar with the topics listed above, and were looking for more technical resources, jump straight to the Learn More section and follow the recommended links

AirWatch REST API Security Features

  • Encrypted Communication –  REST API calls take place over HTTPS with a certificate signed by a publicly trusted CA.
  • Two-Factor Authentication – Along with the standard headers, API server authentication requires the following headers:
    • Authorization – Authorization header with base 64 encoding of API admin credentials.
    • aw-tenant-code – Header value same as API key randomly generated in the AirWatch Console.
  • Multiple Authentication Options – AirWatch API Admin can authenticate with the API server using Basic/ NTLM, Directory, or Certificate authentication.
  • Configurable API Admin Permissions – Default and custom admin roles can restrict the API admin to a limited set of API actions.
  • Advanced On-Premise Settings – On-premises deployments can restrict server throttling and set daily quotas to prevent API overflows and potential service crashes.

Available AirWatch REST APIs

Integrate VMware AirWatch’s REST APIs  with third party applications, programs, and processes, and take enterprise mobility management beyond the VMware AirWatch solution.

Authentication Methods for AirWatch REST APIs

VMware AirWatch supports multiple ways for Console Admin Users to authenticate into the API server:

Basic Authentication

Authentication into the API server uses a generic username and password. Implementation is simple. However, this authentication model does not integrate with existing corporate user accounts.

Basic Authentication Authorization Header

 The authorization header should hold the value in the following example format:

 GET https://host/api/mdm/devices/bulksettings HTTP/1.1

 User-Agent: Fiddler aw-tenant-code: 1FC5H4JAAAG5A4SQAMQA

 Host – host.com

 Authorization – Basic bW9oYW46bW9oYW4=

Certificate Authentication

Uses a self-signed certificate generated by the AirWatch Console for API Server authentication. AirWatch certificate-based API authentication accepts incoming requests with CMS signatures and CMSURL  authentication schemes.

CMS Signatures Authorization Header

 Expects the signature against the message content, and takes the following format.

 Authorization:CMS’< Version >< CREDENTIALS >

 < Version > information.

 < CREDENTIALS > is the Base64 Encoded data of “message content” signed with client certificate using    PKCS9 signing.

CMSURL Scheme Authorization Header

Expects the signature against the application path in the URL, and takes the following format.

 Authorization:CMSURL’< Version >< CREDENTIALS >

 < Version > information.

 < CREDENTIALS > is the Base64 Encoded data of “canonical URI resource encoded using UTF-8 format”  signed with client certificate using PKCS9 signing.

Directory-Based Authentication

Authentication into the API server uses existing corporate credentials. This method integrates existing corporate accounts from Directory Services with AirWatch user and admin accounts.

Enable AirWatch REST APIs

To enable API access in the AirWatch Console:

  1. Log into the AirWatch Console.
  2. Navigate to Groups & SettingsAll Settings > System > Advanced > API > REST API.
  3. Configure the General, Authentication, and the Advanced tab.

a. Configure General tab settings.

AirWatch Console screenshot of AirWatch REST API enablement settings

  • Enable API Access – Select Enabled to generate the API authentication key.
  • Add – Select to generate multiple the API key for one or multiple servers. Then, configure the related settings.
  • Service – Enter one or multiple service(s) and generate their independent API keys.
  • Account Type – Select the type of the account. To access the Mobile Content Management Personal Content APIs,  select Enrollment User.
  • Description – Provide a short description for the service and generated API key.
  • Whitelisted Domains – Specify the domains where the API key is valid.

b. Configure the Authentication Tab

Enable Basic, Directory, or Certificate based authentication.

AirWatch Console screenshot of AirWatch REST API authentication settings

c. Configure the Advanced tab.

At the Global Organization Group level, specify default service throttling and daily quota values.

  • Server Throttling – Set the server bandwidth throttling. When server reaches the specified throttling limit, it offloads new requests and not respond to them.
  • Daily Quota – Set the number of API calls to be sent per day.

Configure API Access

After enabling APIs, configure API access. First, create a dedicated administrator account for API authentication. Then, select an authentication method. Finally, provision roles with specific API privileges to the administrator.

  1. Navigate to Accounts > Administrators > List View.
  2. Click Add> Add Admin.
  3.  Configure the following tabs:

    a. On the Basic tab, complete the required fields to create a dedicated admin for API access.

     AirWatch Console screenshot of adding a REST API Admin

    b. Click the Roles tab, and specify the admin role’s API authentication permissions.

    Screenshot of AirWatch Console Admin Role Settings

    c. On the API tab, select the Authentication method from the drop-down menu.

    Console screenshot of adding a certificate to enable AirWatch REST APIsIf configuring certificate authentication, select Certificates from the Authentication drop-down menu, and enter the same password provided on the Basic tab for Certificate Password.

  4. Select Save to create the API Admin Account with defined access permissions.

Summary

Use VMware AirWatch REST APIs as an efficient way to leverage core enterprise mobility management functionality in enterprise servers, programs, and processes. These APIs facilitate custom application development and integration with AirWatch.

Learn More

  • API Help Page – Learn about REST APIs setup and view comprehensive documentation Navigate to  https://{apiURL}/api/help and authenticate using  API admin credentials.
  • Hands-On Lab – Select Module 5, Introduction to AirWatch REST APIs. Complete the exercises in roughly 30 minutes.
  • VMware AirWatch REST API Guide – Access technical reference material in the manual.

The post VMware AirWatch 101: AirWatch REST APIs appeared first on VMware End-User Computing Blog.

Leave a Reply

Your email address will not be published. Required fields are marked *