Make some preparations on the VMware Workspace ONE UEM console before integration.

The integration between Mobile Security and VMware Workspace ONE UEM uses REST APIs over HTTPS to transfer data. The REST APIs require authentication to integrate with Workspace ONE UEM. Prior to authentication, API access must be enabled on the Workspace ONE UEM console.
To integrate Mobile Security with Workspace ONE UEM, you also need an account with the permissions required for communication between Mobile Security and Workspace ONE UEM.
Important
The following Workspace ONE UEM instructions and screen captures were valid as of July, 2022. For further help, check your Workspace ONE UEM documentation.

Procedure

  1. Enable API access on the VMware Workspace ONE UEM console.
    1. Sign in to the Workspace ONE UEM console, and select any level of organization group (OG) from the hierarchy structure.
      Mobile Security supports not only the "Customer" type OG, but also all other levels of OGs.
    Important
    Workspace ONE UEM integration is associated with OGs. Once the integration is completed, only administrator accounts within the selected OG will have permission to edit the integration settings.
    2. Go to GROUPS & SETTINGS > All Settings.
    3. On the Settings screen, go to System > Advanced > API > REST API.
    4. On the General tab, select ENABLED for Enable API Access.
      Enabling API access automatically generates an API key for the OG, which is necessary for API authentication.
    5. On the Authentication tab, select Override for Current Settings and select ENABLED for Basic if the previously selected OG is the "Customer" type OG; select Inherit for Current Settings if the previously selected OG is a child OG of the "Customer" type OG.
      Note
      Mobile Security does not support certificate-based or directory-based API authentication.
      APIs get authenticated using basic account credentials (user name and password).
  2. Create an account with the required API permissions.
    You can either add an account with the Console Administrator role, or add an account with a custom role that has been granted minimum required permissions.
    Note
    The Console Administrator role allows comprehensive access in the console. With this role, you do not need to assign the role any new permissions required by new features released in the future.
    A custom role with minimum required permissions offers better security. However, custom roles must be manually maintained over time and updated with new features.
    • To add an account with the Console Administrator role, perform the following steps:
      1. On the VMware Workspace ONE UEM console, go to ACCOUNTS > Administrators > List View.
      2. Select Add and then Add Admin.
      3. On the Add Admin screen, select Basic and click Next.
      4. On the Definition tab, specify all required fields including username, password, first name, last name, and email address and click Next.
      5. On the Roles tab, choose the specific OG you selected in step 1, select Console Administrator from the Role drop-down list, and click Next.
      6. On the Details and Settings tabs, specify additional information if necessary, and click Save.
        The Mobile Agent can be deployed to the devices of any user groups or smart groups within the selected OG, as well as any of its child OGs.
    • To add an account with a custom role granted minimum required permissions, perform the following steps:
      1. On the VMware Workspace ONE UEM console, go to ACCOUNTS > Administrators > Roles.
      2. On the Roles screen, click ADD ROLE, and create a custom administrator role and grant minimum required permissions to the role.
        Tip
        To quickly assign all required permissions to the categories falling under Accounts, click the circular icon to the right of these categories and select Read under Choose Edit Mode.

        Minimum permissions required to complete the integration

        Category                                  Name                    Read  Edit
        Accounts > Administrators > Admin Groups  Members                 Yes   -
        Accounts > Administrators > Admin Groups  View                    Yes   -
        Accounts > Users > Accounts               Add Device              Yes   -
        Accounts > Users > Accounts               Batch Import            Yes   -
        Accounts > Users > Accounts               Migration               Yes   -
        Accounts > Users > Accounts               Search                  Yes   -
        Accounts > Users > Accounts               User Detail             Yes   -
        Accounts > Users > Accounts               View                    Yes   -
        Accounts > Users > User Groups            Members                 Yes   -
        Accounts > Users > User Groups            View                    Yes   -
        API > REST                                Admins                  Yes   -
        API > REST                                Apps                    Yes   Yes
        API > REST                                Devices                 Yes   Yes
        API > REST                                Groups                  Yes   Yes
        API > REST                                Users                   Yes   -
        Apps & Books                              Application Publish     Yes   Yes
        Apps & Books                              Public Apps             Yes   Yes
        Apps & Books                              Purchased Applications  Yes   Yes
        Device Management > Device Details        Enterprise Wipe         -     Yes
        Device Management > Device Details        Lock                    -     Yes
        Settings > System                         General                 Yes   Yes
        Settings > System                         View                    Yes   -
      3. Go to ACCOUNTS > Administrators > List View, and add an account with the newly created role.
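
Because a custom role must be maintained by hand over time, the following added example (not Trend Micro or VMware code) checks a role's grants against the minimum-permissions table on this page and reports both missing permissions and excess ones. The input format, a mapping of (category, name) to granted modes, and the sample role are assumptions constructed for illustration; the page does not describe how to export a role from the console.

```python
"""Audit a custom admin role against the integration's minimum permissions."""
R, E, RE = {"read"}, {"edit"}, {"read", "edit"}
REQUIRED = {}  # (category, name) -> modes required by the table on this page

def _need(category, modes, *names):
    for name in names:
        REQUIRED[(category, name)] = frozenset(modes)

_need("Accounts > Administrators > Admin Groups", R, "Members", "View")
_need("Accounts > Users > Accounts", R, "Add Device", "Batch Import",
      "Migration", "Search", "User Detail", "View")
_need("Accounts > Users > User Groups", R, "Members", "View")
_need("API > REST", R, "Admins", "Users")
_need("API > REST", RE, "Apps", "Devices", "Groups")
_need("Apps & Books", RE, "Application Publish", "Public Apps",
      "Purchased Applications")
_need("Device Management > Device Details", E, "Enterprise Wipe", "Lock")
_need("Settings > System", RE, "General")
_need("Settings > System", R, "View")

def audit_role(granted):
    """granted: {(category, name): {"read", "edit"}} (assumed format).
    Returns (missing, excess) as sorted lists of (category, name, mode)."""
    missing, excess = [], []
    for key, need in REQUIRED.items():
        have = set(granted.get(key, ()))
        missing += [(*key, mode) for mode in need - have]
        excess += [(*key, mode) for mode in have - need]
    # Anything granted outside the table is excess for this integration.
    for key, have in granted.items():
        if key not in REQUIRED:
            excess += [(*key, mode) for mode in have]
    return sorted(missing), sorted(excess)

# Constructed sample role: starts from the minimum set, then drifts.
SAMPLE_ROLE = {key: set(modes) for key, modes in REQUIRED.items()}
SAMPLE_ROLE[("Device Management > Device Details", "Lock")] = set()
SAMPLE_ROLE[("API > REST", "Users")].add("edit")
SAMPLE_ROLE[("Constructed Category", "Constructed Permission")] = {"edit"}

if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLE)
    for label, rows in (("MISSING", missing), ("EXCESS", excess)):
        for category, name, mode in rows:
            print(f"{label:8}{category} / {name}: {mode}")
```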