How to Turn Dumb Groups into Smart Groups with the Workspace ONE API

Last week, I covered an interesting yet real use-case for the Workspace ONE API with migrating devices to a different user. The great thing about APIs is they can solve a multitude of problems. This week, I wanted to cover another API tool that I built recently for fixing smart groups gone awry. We are going to cover the problem itself, some of the ways you could fix it, and the API tool that I wrote to address the problem. Let’s get into it because I think this is going to be helpful for some of you on the ground.

The Problem

So, many times we inherit an environment that was done in an “interesting” fashion, or we took a shot at setting up a new environment with very little Workspace ONE knowledge. One of the biggest mistakes is profile and app assignment that is a bit convoluted. Let’s take this example:

Sure, it’s easy to create smart groups, but it’s hard to create them WELL. On a smart group, we have two different ways of skinning a cat:

  1. Leveraging “Criteria” which are things like rules, AD groups, etc to dynamically carve out the devices that you ACTUALLY want to include in a profile.
  2. A more manual approach where you put a manual collection of users/devices into that smart group.

You can see below in the screenshot for option one that it makes me so much more happy:

You can see we leveraged a “User Group” which is basically an Active Directory group to build something simple with minimal effort. Sometimes this means you will have to create more groups in AD, but overall, its more pliable and usable. Either way, you’re sort of stuck now with these old smart groups and you need to figure out a way forward. Let’s introduce this week’s API tool that helps you get there!

Examining my New Workspace Smart Group Device Collection API Tool

The first part of my API tool that we will look at is the authentication into the API, which is really the best place to start.

Authenticating to the Workspace ONE API

$Username = Read-Host -Prompt 'Enter the Username'
    $Password = Read-Host -Prompt 'Enter the Password' -AsSecureString
    $apikey = Read-Host -Prompt 'Enter the API Key'

    #Convert the Password
    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

    #Base64 Encode AW Username and Password
    $combined = $Username + ":" + $UnsecurePassword
    $encoding = [System.Text.Encoding]::ASCII.GetBytes($combined)
    $cred = [Convert]::ToBase64String($encoding)
    $script:header = @{
    "Authorization"  = "Basic $cred";
    "aw-tenant-code" = $apikey;
    "Content-Type"   = "application/json";}
    ##Prompt for the API hostname##
$apihost = Read-Host -Prompt 'Enter your API server hostname'

If you read last week’s article this is exactly the same. No need to reinvent the wheel because the logic works well. Of course, if it’s your own environment, you can hardcode certain things if you want like the API host and API key.

As mentioned last week, this piece of code does a few things:

  • We will use TLS 1.2
  • What is your username, password, and API key?
  • Creates your authorization header
  • Collects the API server name

Once we finish that portion, we can now move onto doing some real work!

Collecting the Smart Group Information

Let’s break this down piece by piece so we can explain it properly.

The first thing we will do is prompt the administrator to enter in the smart group we want to export devices to. It’s pretty simple at this juncture:

$group = Read-Host -Prompt 'Enter the Smart Group you want to export devices to CSV'
try {

  $sresult = Invoke-RestMethod -Method Get -Uri $apihost/api/mdm/smartgroups/search?name=$group -ContentType "application/json" -Header $header

catch {
  Write-Host "An error occurred when logging on $_"

This next piece of code is used to capture their selection. Basically, they will be prompted to select an option from their search results. Once they have done so, we will invoice an API command to capture their devices into a variable: $devices which will be used to get more detailed device information.

You can also use this same code to easily do the same thing for users by changing it to $devices = $ instead of DeviceAdditions. Relatively simple overall.

$menu = @{}
for ($i=1;$i -le $sresult.smartgroups.count; $i++) 
{ Write-Host "$i. Group: $($sresult.smartgroups[$i-1].name), id: $($sresult.smartgroups[$i-1].smartgroupid)"
[int]$id = Read-Host 'Enter selection'
$sgid = $menu.Item($id)
$sgname = $menu.Item($id)
$userlist = Invoke-RestMethod -Headers $header -Credential $Credentials https://$apihost/API/mdm/smartgroups/$sgid
$devices = $

This is what that selection window looks like:

Collecting Device Information and Building the CSV

Once you have built your array of devices or users, we will simply pass that collection to one last API call to get detailed device information and export it to CSV:

$devicelist = foreach ($device in $devices) {Invoke-RestMethod https://$apihost/API/mdm/devices/$device -Headers $header}
$devicelist | export-csv c:\temp\$sgname.csv 

Once you have that information, you can do anything you want really. My recommendation would be to use that to create an AD group like this below:

##Create the AD Group##
New-ADGroup -Name "Good Group" -SamAccountName GoodGroup -GroupCategory Security -GroupScope Global -DisplayName "Good Group" -Path "CN=Users, DC=Synterex, DC=com" -Description "Group of Members from WS1 Smart Group"

##Add Members to Smart Group##
Import-CSV C:\temp\goodgroup.csv | foreach {Add-ADGroupMember -Identity GoodGroup -Members $_.username}

That basically just takes the CSV that you built and uses it to add members to the new AD group, which you can then sync into Workspace ONE for fancy things!

Final Thoughts

This article isn’t too exciting from a code perspective, but the end result is. This is another great example of extending capabilities that aren’t available in the GUI to solve problems. This type of issue if done manually would take hours of work to convert a list of smart group devices or users to a dynamic solution.

The Workspace ONE API is a powerful tool that should be used in creative ways to deliver amazing results. Remember when it comes to smart groups: DO NOT MAKE THEM DUMB. Leverage Active Directory to let Microsoft do the heavy lifting while you deliver great value in other areas.

Leave a Reply

Scroll to Top
%d bloggers like this: