In the services industry, we sometimes run into “fun.” One of these “fun” situations is when someone rolls out a platform. They may have used VMware Professional Services or attempted it on their own and something wasn’t considered. I recently ran into one of these situations and sadly VMware Support told them “You can’t do that” or “you have to re-enroll EVERYONE.” We now have a gateway of empowerment in the Workspace ONE API.
Let’s forget the idea that this is REALLY bad. Let’s focus on from a technical perspective that telling someone to start over from scratch just isn’t the best situation for anyone. This client, which honestly is one of the nicest groups of people was really in a bind. This is a great case study of being told no, and turning it into a maybe?! Today, we are going to go over the issue, show how we solved it with the Workspace ONE API, and share out the code as a reminder. Never let any vendor or anyone for that matter box you into a corner.
The Problem
When we look at Workspace ONE UEM rollout methodologies, staging accounts are a fairly common scenario for corporate-owned devices.
You build your DEP profile (which is a topic I have covered before) and you disable authentication, you typically setup a section that looks like this (I know this is for automated enrollment, but it’s basically the same idea) or YOU might have used automated enrollment. Most of the ideas and concepts are a big problem.
It’s not a completely uncommon issue but is one that can cause major problems for users. The end result is hundreds if not thousands of devices that are enrolled to the same account.
Now, if you reach out to VMware Support (like my client did), they will likely tell you that you have to re-enroll everyone!
Is There a Solution?
The underlying issue is that you now have a device enrolled as a staging account of some sort. This can be problematic in general because you lose your ability to personalize. Before, discussing the solution. Let’s introduce ourselves to the API documentation aka https://as1688.awmdm.com/API/help (This exists on every tenant).
This interactive documentation site lets you search for terms and open directly into API commands, which I use fairly regularly when trying to figure out an issue. I teach young engineers to do this all of the time:
I’ve written about using the APIs in the past. I’m a huge supporter of it and what I am here to tell you today is that YES you can fix this customer issue with the API and not just RE-ENROLL everyone like they were told. We should never accept at base value what any vendor tells us. Pushing the envelope and digging deeper is the difference between an administrator and an engineer. Let’s get into the code of my solution that I wrote for them.
Examining my New Workspace ONE Device Migration API Tool
The first part of my API tool that we will look at is the authentication into the API, which is really the best place to start.
Authenticating to the Workspace ONE API
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Username = Read-Host -Prompt 'Enter the Username'
$Password = Read-Host -Prompt 'Enter the Password' -AsSecureString
$apikey = Read-Host -Prompt 'Enter the API Key'
#Convert the Password
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
#Base64 Encode AW Username and Password
$combined = $Username + ":" + $UnsecurePassword
$encoding = [System.Text.Encoding]::ASCII.GetBytes($combined)
$cred = [Convert]::ToBase64String($encoding)
$script:header = @{
"Authorization" = "Basic $cred";
"aw-tenant-code" = $apikey;
"Content-Type" = "application/json";}
##Prompt for the API hostname##
$apihost = Read-Host -Prompt 'Enter your API server hostname'This piece of code does a few things:
- We will use TLS 1.2
- What is your username, password, and API key?
- Creates your authorization header
- Collects the API server name
Once we finish that portion, we can now move onto doing some real work!
Capturing Data to Migrate a Device
Once we have built our headers, we can start asking the administrator some questions to set the stage for the migration:
##Prompt for the serial number##
$serialnumber = Read-Host -Prompt 'Enter the serial number for the device you want to migrate'
##Prompt for the Username you want to migrate to##
$username = Read-Host -Prompt 'Enter the username for the device you want to migrate'
##Get the Device ID with the Serial Number##
$deviceresults = Invoke-RestMethod -Headers $header -method Get "https://$apihost/API/mdm/devices?searchby=SerialNumber&id=$serialnumber"
$deviceid = $deviceresults.id.value
##Get the User ID##
$userresults = Invoke-RestMethod -headers $header -Uri "https://$apihost/API/system/users/search?username=$username"
$userid = $userresults.users.id.valueThis code does a few things also:
- Prompts for the serial number of the device
- Prompts for the username that we are moving the device to
- Uses the serial number to get the device ID (unique identifier of the device) and user ID (unique identifier of the user)
The Migration Begins!
Now that we have all of the information that we need, we can start to migrate devices!
##Migrate the Device##
Invoke-RestMethod -Headers $header -method Patch https://$apihost/API/mdm/devices/$deviceid/enrollmentuser/$userid
##Query and Sync Device##
Invoke-Restmethod -Method Post -Uri "https://$apihost/api/mdm/devices/$deviceid/commands?command=SyncDevice" -ContentType "application/json" -Header $header
Invoke-Restmethod -Method Post -Uri "https://$apihost/api/mdm/devices/$deviceid/commands?command=DeviceQuery" -ContentType "application/json" -Header $header
##Sync VPP Assets when Finished##
$groupid = Read-Host -Prompt 'Enter the Group ID where your VPP is Setup'
Invoke-RestMethod -Headers $header -method Put https://$apihost/API/mam/apps/purchased/VppSyncAssets/$groupidSo what does this do?!
- It runs a command to re-assign the enrollment user of the device to the username you specified
- Forces the device to check-in and sync
- Re-synchronizes VPP Assets (this was determined to be required after a ton of testing).
The full script can be found here
Final Thoughts
I basically hit on my points throughout the article. Sometimes people go off what they think they know but aren’t always 100%. With all of our vendors, it should always be trust but verify. The entire point of an API is to push the limits and to do things you cannot do through normal methods. The API is a whole new world for us now. A little bit of effort and creativity can save you hundreds of hours of effort.
7 thoughts on “Mobile Jon: Field Medic Using the Workspace ONE API to Fix Real-World Issues”
This is great and will help a lot of admins out. I had to do a similar process a few years ago and accomplished it with Python. We’ve since moved to zero-touch enrollment where users enter their credentials during DEP/ADE and the device gets assigned to them that way. When we were transitioning between the two, I used Okta Workflows to build an automation that linked Workspace ONE and a Google Sheet, so that our service desk could put a username and serial number into the Google Sheet, and Okta would make the appropriate API calls to reassign the device.
I have two versions of this. Another version takes all devices in a smart group and moves them as well. It�s a little tricky because of pagination issues now but works well
I cant wait to see if this works for us we about to do a domain migration and dont want to re-enrolle every device win and mac
Reach out if you need help
Hey Jon, Is this Mac only or Windows too?
It has only been tested on iOS. It could in theory also work on other platforms if supported. I know it doesn�t work on android
Pingback: Service – Week 41-2022 VMware Enduser Computing Updates – Julius Lienemann