The BlackBerry UEM Web Services provide a RESTful endpoint structure that is accessed using HTTP. Requests are formatted in JSON and return JSON-formatted responses.
You need the following information to use the BlackBerry UEM REST API:
Resources represent the high-level entities of the service. They contain the methods and business logic to interact with the service.
The data types represent the payloads (both request and response) of the resource methods. Note that fields that are not assigned a value are not returned in the response and the client should be programmed to check for null values.
The API is secured by both user authentication as well as user authorization. This two-layer security guarantees that only authenticated user have access to the system and that only properly authorized users have access to certain parts of the system.
There are two authentication type supported.
See the Request Authentication Header example below to learn how to request and utilize the authentication header required to make requests.
See the REST API OAuth Reference for examples and how to configure and deploy OAuth applications.
Many 400 and 500 level responses from the server will provide the following Error payload to help you better understand the error condition, when possible. In those cases the Content-Type
response header will be application/vnd.blackberry.error-v1+json
.
Sample error response body:
{ "id" : "APPLICATION_NOT_FOUND", "subStatusCode" : 113, "message" : "Application not found." }
Sample not authorized response body:
{ "id" : "NOT_AUTHORIZED", "subStatusCode" : 403, "message" : "Not authorized to complete the request." }
To better provide dynamic functionality to the APIs, a number of components within UEM are exposed via a generic interface. This allows UEM to expose new metadata without changes to the APIs. An example of this is UEM Profiles. BlackBerry is constantly adding new Profile types and expanding existing Profile types. Providing a generic API and metadata allows developers the ability to discover new features and functionality dynamically in their applications.
With this new model comes a new API that will expose these entities in a common and generic way. It can be a bit overwhelming at first to work with metadata and generic APIs, but the benefit far outweighs the initial ramp up time.
When dealing with generic entities it is important to understand the difference between an Entity Definition and an Entity.
Entity Definition | An Entity Definition is the description of the Entity. It describes the properties, types, sizes, constraints, UI representations, etc. All Entities have an Entity Definition they are defined from. |
Entity | An Entity is an instance of an Entity Definition. For example, an Email Profile is defined as an Entity Definition. All instances of the Email Profile are considered Entities. |
It is important to understand an entity's settings and its relationship to other entities. It is recommended to review the entity definition before creating or updating an entity instance. Each setting has a data type that defines the allowable values for the setting. Please see the Entity data types section for a detailed description of all the data types. Note the following:
The following example shows how to return the set of supported entities. This list can change based on the version and updates to UEM, so it is important to call this API on your specific UEM instance to get the most up to date list. We will support all entities that relate to MDM profiles with CRUD operations for profiles and associated entities within those profiles.
curl -s -k https://server01:18084/SRP00000/api/v1/entityDefs \ -H "Authorization: {insert value from /SRP00000/api/v1/util/authorization call}" \ -H "Accept: application/vnd.blackberry.entitydefinitions-v1+json"
Click here to see an example response to the API call.
The following table lists the entity definitions that are currently supported. Support for additional entity definitions will be added in future releases.
Entity Definition ID | Description |
---|---|
com.blackberry.mdm.common.entity.profile.DynamicsSecurityProfile |
This entityDefId corresponds to the BlackBerry Dynamics profile. Supported operations for this entity: |
com.blackberry.mdm.common.entity.profile.MobileThreatDetection |
This entityDefId corresponds the CylancePROTECT profile. Supported operations for this entity: The following operations are supported only when the licensed CylancePROTECT service is enabled: |
com.blackberry.mdm.common.entity.ApprovedDeveloperCertificate |
This entityDefId corresponds to managing the approved apps list for CylancePROTECT features by specifying developer certificates. Supported operations for this entity: The following operations are supported only when the licensed CylancePROTECT service is enabled: |
com.blackberry.mdm.common.entity.ApprovedApplication |
This entityDefId corresponds to managing the approved apps list for CylancePROTECT features by specifying app details. Supported operations for this entity: The following operations are supported only when the licensed CylancePROTECT service is enabled: |
com.blackberry.mdm.common.entity.mobilethreatdefence.RestrictedDeveloperCertificate |
This entityDefId corresponds to managing the restricted apps list for CylancePROTECT features by specifying developer certificates. Supported operations for this entity: The following operations are supported only when the licensed CylancePROTECT service is enabled: |
com.blackberry.mdm.common.entity.mobilethreatdefence.RestrictedApplication |
This entityDefId corresponds to managing the restricted apps list for CylancePROTECT feature by specifying app details. Supported operations for this entity: The following operations are supported only when the licensed CylancePROTECT service is enabled: |
com.blackberry.mdm.common.entity.MtdGeneralSettings |
This entityDefId corresponds to the general settings for certain CylancePROTECT features. Supported operations for this entity: The following operations are supported only when the licensed CylancePROTECT service is enabled: |
com.blackberry.mdm.common.entity.MtdSafeBrowsingSettings |
This entityDefId corresponds to the settings for the CylancePROTECT safe browsing feature. Supported operations for this entity: The following operations are supported only when the licensed CylancePROTECT service is enabled: |
com.blackberry.mdm.common.entity.AuthDelegate |
This entityDefId corresponds to the authentication delegates configured in a BlackBerry Dynamics profile. Supported operations for this entity: |
com.blackberry.mdm.common.entity.Application |
This entityDefId corresponds to applications that are linked from other entities, for example, the MtdSafeBrowsingSettings entity. Supported operations for this entity: |
com.blackberry.mdm.common.entity.AppStore |
This entityDefId corresponds to an application store that is linked from other entities, for example, the Application entity. Supported operations for this entity: |
To make the process of creating an entity easier, an entity instance template can be downloaded that includes all of the fields with prepopulated default values. Once the template is retrieved, any updates can be applied to the response, and can then be sent back to the create method that is documented below.
curl -s -k https://server01:18084/SRP00000/api/v1//entities/{entityDefId}/template \ -H "Authorization: {insert value from /SRP00000/api/v1/util/authorization call}" \ -H "Accept: application/vnd.blackberry.entityinstance-v1+json"
To create an instance of an entity definition, you must provide all of the required fields as defined in the entity definition. As per the documentation above, getting an entity instance template and applying updates is the preferred method to create an entity.
curl -s -k https://server01:18084/SRP00000/api/v1//entities/{entityDefId} \ -H "Authorization: {insert value from /SRP00000/api/v1/util/authorization call}" \ -H "Content-Type: application/vnd.blackberry.entityinstance-v1+json" \ -d '{ "entityDefId": "com.blackberry.mdm.common.entity.profile.DynamicsSecurityProfile", "settings": { "allPwdAndroidFingerprintAndroidFingerprintColdStart": true, "allPwdFormatMaxRepeatX": 3, "allWearableAllowAutoReconnect": true, "allPwdBiometricsXTOUCHRequirePasswordNotTouchIDPeriod": 1, "allPwdFormatIsAlphaNum": true, "allWearableAllow": true, "allPwdDisallowNumericSequence": true, "allDataLeakagePreventionPreventScreenCapture": true, "allDataLeakagePreventionPreventiOSScreenRecordingSharing": true, "allAllowedCertsUsePkcs12CertEnabled": true, "allPwdExpirationX": 60, "allPwdAndroidFingerprint": true, "allPwdBiometricsXTOUCHFACEColdStart": false, ... } }'
The following examples outline how to execute initial use cases to exercise the API.
The following request verifies that the server is up and running. This API is not authenticated.
curl -s -k https://server01:18084/SRP00000/api/v1/util/ping
The following request generates the authentication header used in subsequent requests. This API is not authenticated.
curl -s -k https://server01:18084/SRP00000/api/v1/util/authorization \ -H "Content-Type: application/vnd.blackberry.authorizationrequest-v1+json" \ -d '{ "provider" : "LOCAL", "username" : "pmorley", "password" : "cGFzc3dvcmQ=" }'
The following example shows how to set a custom correlation-id in the request header
curl -s -k https://server01:18084/SRP00000/api/v1/groups \ -H "Authorization: {insert value from /SRP00000/api/v1/util/authorization call}" \ -H "Accept: application/vnd.blackberry.groups-v1+json" \ -H "Correlation-Id: customCorrelationId"
The following example shows how to request a specific Profile by name.
curl -s -k https://server01:18084/SRP00000/api/v1/profiles?query=name=test \ -H "Authorization: {insert value from /SRP00000/api/v1/util/authorization call}" \ -H "Accept: application/vnd.blackberry.profiles-v1+json"
The following example shows how to request all the groups
curl -s -k https://server01:18084/SRP00000/api/v1/groups \ -H "Authorization: {insert value from /SRP00000/api/v1/util/authorization call}" \ -H "Accept: application/vnd.blackberry.groups-v1+json"
Using the responses from the previous two calls the Profile can be assigned to a specific Group
curl -s -k https://server01:18084/SRP00000/api/v1/profiles/{profileGuid}/groups \ -H "Authorization: {insert value from /SRP00000/api/v1/util/authorization call}" \ -H "Content-Type: application/vnd.blackberry.groups-v1+json" \ -d '{ "groups" : [ { "guid" : "{Group GUID to assign from previous call}" } ] }'
To access On-Premise web services using BlackBerry Infrastructure proxy, you must provide the extra proxy information in the request
curl --proxy http://proxyserverhost:proxyserverport \ --proxy-header "Tenant-Id: SRP00000" \ --proxy-header "Origin-Server-Id: bws" \ -s -k https://server01:18084/SRP00000/api/v1/util/ping
The following PowerShell examples show how to execute basic use cases and exercise the API.
PowerShell Examples