- Users
Provides user management functions.
GET /{tenantGuid}/api/v1/users
- Available Since: 12.7.0
Search for users.
Samples
Sample 1 request
Get the first 100 users sorted by display name in ascending order.
GET /SRP00000/api/v1/users
Sample 1 response body
{
"users": [ {
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/2d2d3a7f-076d-46f9-8c25-56cb8eba2800/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/2d2d3a7f-076d-46f9-8c25-56cb8eba2800/profiles"
}, {
"rel" : "sharedDeviceGroup",
"href" : "https://server01:18084/SRP00000/api/v1/sharedDeviceGroups/361287bf-d2b9-4a3a-80db-0da4c80de5f2"
} ],
"guid" : "2d2d3a7f-076d-46f9-8c25-56cb8eba2800",
"username" : "jromphf",
"displayName" : "Jake Romphf",
"ecoid" : "AVv6xMm3ZmlWP/j2LC/qHzo=",
"firstName" : "Jake",
"lastName" : "Romphf",
"emailAddress" : "jromphf@example.com",
"created": "2019-01-14T16:40:03.54Z",
"company" : "BlackBerry Limited",
"title" : "Associate",
"department" : "Sales",
"officePhoneNumber" : "(519) 555-0100",
"homePhoneNumber" : "(519) 555-0101",
"mobilePhoneNumber" : "(519) 555-0102",
"streetAddress" : "2240 University Avenue",
"poBox" : "555",
"city" : "Waterloo",
"state" : "Ontario",
"postalCode" : "N2K 0A9",
"country" : "Canada"
}, {
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/profiles"
} ],
"guid" : "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"directoryId" : "e7aad64542784faeab305304abea36fa",
"ecoid" : "AVv1xMm2ZmlWP/j6LC/qHzo=",
"created": "2018-02-01T09:46:08.514Z",
"admin" : "true"
} ]
}
Sample 2 request
Get the first 50 users that have a display name that starts with "M", sorted by username in descending order. If 50 users
are returned, there may be more matches that weren't returned. You can get the next "page" of users by sending the same
request but also specifying offset=50. If 50 users are returned again, you can get the third "page" of users by modifying
the request again and specifying offset=100, and so on.
GET /SRP00000/api/v1/users?query=displayName=m*&max=50&sortBy=username%20DESC
Sample 2 response body
{
"users": [ {
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/profiles"
} ],
"guid" : "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"directoryId" : "e7aad64542784faeab305304abea36fa",
"ecoid" : "AVv6xMm3ZmlWP/j2LC/qHzo=",
"created": "2018-02-01T09:46:08.514Z",
"admin" : "true"
} ]
}
Request Parameters
Name | Location | Description | Type
includeTotal | query | If you want the total number of users matching the search included in the response (which may be different from the number of users returned), set this to true; otherwise set it to false. By default the total will not be included in the response. | boolean
max | query | The maximum number of user results to get, between 1 and 1000 inclusive. If not specified, a value of 100 will be used. | int
offset | query | The number of matching users to exclude from the beginning of the list of users in the response; greater than or equal to 0. If not specified, a value of 0 will be used to indicate that no matches should be excluded. Used in order to get "pages" of results. For example, to get the first 50 matching users, specify max=50 (and optionally offset=0); and to get the next 50 matching users specify max=50 and offset=50, and so on. | int
query | query | Query parameter for filtering the results. The format is <field name>=<query value>, for example emailAddress=pmorley@example.com. Multiple field-value pairs can be provided in the query with each pair separated with a comma, in which case only users matching all of the criteria provided will be included in the response. Querying for empty/null values is not supported.
By default, a case-insensitive exact match will be performed for each field in the query.
For fields that support prefix (i.e. starts with) matching, append an asterisk ("*") to the end of the value. For example, to
find users that have a display name that starts with "M", specify displayName=m*. To match an asterisk at the end of a
string instead of prefix matching, the asterisk must be escaped with a backslash.
For fields that support contains matching, wrap the value in asterisks ("*"). For example, to find users that have a
display name that contains "user", specify displayName=*user*. To match an asterisk at the beginning and at the end of a
string instead of contains matching, the asterisks must be escaped with a backslash. For example: displayName=\*user\*.
To use prefix matching instead of contains matching for a string that starts with an asterisk, use the following pattern:
displayName=\*user*.
Special characters (comma, backslash, plus) in query values must be escaped with a backslash.
The following table describes the fields that can be used in the query.
    Field | Type | Description | Supports prefix matching | Supports contains matching
    appConfigGuid | string | GUID of an application configuration of a directly-assigned application. | No | No
    directoryId | string | Unique identifier of the user in a company directory. | No | No
    displayName | string | Display name of the user. | Yes | Yes
    firstName | string | First name of the user. | Yes | Yes
    lastName | string | Last name of the user. | Yes | Yes
    dynamicsContainerId | string | GUID of a Dynamics container. If this field is specified, any other query fields are ignored. | No | No
    ecoid | string | Eco id of the user. | No | No
    effectiveAppConfigGuid | string | GUID of an effective application configuration of a directly or indirectly assigned application. | No | No
    emailAddress | string | Email address of the user. | Yes | Yes
    groupGuid | string | GUID of a directly-assigned group. | No | No
    guid | string | GUID of the user. | No | No
    isAdmin | boolean | Filter based on whether the user is an admin or not. If this field is not specified, all users will be returned. | No | No
    profileGuid | string | GUID of a directly-assigned profile. | No | No
    username | string | Username of the user. | Yes | No
queryOperator | query | The field to specify the query operator.
    Operator | Description
    AND | The 'AND' logic will be applied to all fields that are specified in the query. This operator is used by default even if the 'queryOperator' parameter is not defined in the query.
    OR | The 'OR' logic will be applied to all fields that are specified in the query.
sortBy | query | The field to sort the user results by. The format is <field name> ASC|DESC, where ASC means to sort the results in ascending order and DESC means descending order. For example, to sort the results by emailAddress in descending order, specify emailAddress DESC. If not specified, a value of displayName ASC will be used. The following fields are allowed: username, displayName, firstName, lastName, emailAddress.
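The escaping and paging rules above matter most when a search value comes from user input: an unescaped comma starts a second field-value pair and a stray asterisk switches on wildcard matching. The following Python sketch is an added example, not BlackBerry code; the function names and the caller-supplied `fetch(url)` callable (which must return the decoded JSON body) are assumptions.

```python
from urllib.parse import quote

# Matching modes per field, copied from the field table in this section.
PREFIX_FIELDS = {"displayName", "firstName", "lastName", "emailAddress", "username"}
CONTAINS_FIELDS = {"displayName", "firstName", "lastName", "emailAddress"}
EXACT_ONLY_FIELDS = {
    "appConfigGuid", "directoryId", "dynamicsContainerId", "ecoid",
    "effectiveAppConfigGuid", "groupGuid", "guid", "isAdmin", "profileGuid",
}
SORT_FIELDS = {"username", "displayName", "firstName", "lastName", "emailAddress"}


def escape_value(value):
    """Backslash-escape a literal so no character in it acts as query syntax."""
    if not value:
        raise ValueError("querying for empty/null values is not supported")
    # Comma, backslash and plus are escaped wherever they occur.
    chars = ["\\" + c if c in ",\\+" else c for c in value]
    # A leading or trailing asterisk would otherwise turn on wildcard matching.
    if value[0] == "*":
        chars[0] = "\\*"
    if value[-1] == "*":
        chars[-1] = "\\*"
    return "".join(chars)


def term(field, value, match="exact"):
    """Return one <field name>=<query value> pair for an untrusted value."""
    if field not in PREFIX_FIELDS | EXACT_ONLY_FIELDS:
        raise ValueError("unknown query field: %s" % field)
    if isinstance(value, bool):  # isAdmin is a boolean field
        value = "true" if value else "false"
    literal = escape_value(str(value))
    if match == "exact":
        return "%s=%s" % (field, literal)
    if match == "prefix" and field in PREFIX_FIELDS:
        return "%s=%s*" % (field, literal)
    if match == "contains" and field in CONTAINS_FIELDS:
        return "%s=*%s*" % (field, literal)
    raise ValueError("%s does not support %s matching" % (field, match))


def users_url(tenant, terms=(), operator=None, max_results=100, offset=0, sort_by=None):
    """Build the path and query string for GET /{tenantGuid}/api/v1/users."""
    if not 1 <= max_results <= 1000:
        raise ValueError("max must be between 1 and 1000 inclusive")
    if offset < 0:
        raise ValueError("offset must be greater than or equal to 0")
    params = []
    if terms:
        # The commas joining the pairs stay bare; commas inside values were escaped.
        params.append("query=" + quote(",".join(terms), safe="=*,"))
    if operator is not None:
        if operator not in ("AND", "OR"):
            raise ValueError("queryOperator must be AND or OR")
        params.append("queryOperator=" + operator)
    params.append("max=%d" % max_results)
    if offset:
        params.append("offset=%d" % offset)
    if sort_by is not None:
        field, direction = sort_by
        if field not in SORT_FIELDS or direction not in ("ASC", "DESC"):
            raise ValueError("unsupported sortBy: %r" % (sort_by,))
        params.append("sortBy=" + quote(field + " " + direction))
    return "/%s/api/v1/users?%s" % (quote(tenant, safe=""), "&".join(params))


def iter_users(fetch, tenant, terms=(), page_size=50, **options):
    """Yield every matching user; fetch(url) must return the decoded response body."""
    offset = 0
    while True:
        body = fetch(users_url(tenant, terms, max_results=page_size,
                               offset=offset, **options))
        page = body["users"]
        yield from page
        # A full page means there may be more matches; a short page is the last one.
        if len(page) < page_size:
            return
        offset += page_size
```

With these helpers, `users_url("SRP00000", [term("displayName", "m", "prefix")], max_results=50, sort_by=("username", "DESC"))` reproduces the Sample 2 request line.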
Response Codes
Code | Condition | Data type
200 | OK (even if no users are found). |
400 | Invalid search query. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.users-v1+json | Users (JSON) |
POST /{tenantGuid}/api/v1/users
- Available Since: 12.6.0
Create a local user. The user will be assigned the highest ranking self-service user role, the All users group, and any
default policies and profiles. The user will be enabled for MDM, unless the "mdm" property is set to false.
The user properties that are allowed when creating a local user are:
displayName, firstName, lastName, username, emailAddress, password, emailPassword, mdm, company, title, department,
officePhoneNumber, homePhoneNumber, mobilePhoneNumber, streetAddress, poBox, city, state, postalCode, country,
customVariables. Other properties in the user data type are ignored if they are provided. If properties are
provided that are not part of the user data type, an error is returned.
If 'emailPassword' is true, the user must have an email address and the SMTP server must be configured in the UEM
management console.
In a custom variable object, the "label" and "encrypted" fields are ignored and can be omitted. The "value" field should
be encoded using Base64. Custom variables can be added only if the appropriate label is set.
Samples
Sample request body
Create a local user with a password (the base64-encoded value of "p@55w0rd") that is emailed to the user, and with the MDM
service.
{
"username" : "pmorley",
"password" : "cEA1NXcwcmQ=",
"emailPassword" : true,
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"company" : "BlackBerry Limited",
"title" : "Associate",
"department" : "Sales",
"officePhoneNumber" : "(519) 555-0100",
"homePhoneNumber" : "(519) 555-0101",
"mobilePhoneNumber" : "(519) 555-0102",
"streetAddress" : "2240 University Avenue",
"poBox" : "555",
"city" : "Waterloo",
"state" : "Ontario",
"postalCode" : "N2K 0A9",
"country" : "Canada",
"customVariables" : [{
"name" : "%custom1%",
"value" : "QW1lcmljYXM="
}, {
"name" : "%custom_pswd1%",
"value" : "cGFzc3dvcmQ="
}
]
}
Sample response body
{
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/profiles"
} ],
"guid" : "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"created": "2018-02-01T09:46:08.514Z",
"company" : "BlackBerry Limited",
"title" : "Associate",
"department" : "Sales",
"officePhoneNumber" : "(519) 555-0100",
"homePhoneNumber" : "(519) 555-0101",
"mobilePhoneNumber" : "(519) 555-0102",
"streetAddress" : "2240 University Avenue",
"poBox" : "555",
"city" : "Waterloo",
"state" : "Ontario",
"postalCode" : "N2K 0A9",
"country" : "Canada",
"customVariables" : [{
"name" : "%custom1%",
"label" : "Region",
"value" : "QW1lcmljYXM=",
"encrypted" : false
}, {
"name" : "%custom_pswd1%",
"label" : "VPN password",
"value" : "KioqKioq",
"encrypted" : true
}
]
}
Sample request body
Create local user without password or MDM service
{
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"mdm": false
}
Sample response body
{
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/profiles"
} ],
"guid" : "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"created": "2018-02-01T09:46:08.514Z"
}
Request Body
Media type | Data type
application/vnd.blackberry.user-v1+json | User (JSON)
Response Codes
Code | Condition | Data type
201 | User created. |
400 | Invalid request. For example, invalid field semantics or missing required field. |
409 | User already exists. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.user-v1+json | User (JSON) |
Response Headers
Name | Description
POST /{tenantGuid}/api/v1/users
- Available Since: 12.6.0
Create a directory-linked user (identified by the "directoryId" property). See the "Company directories" resource for
searching for directory users. The user will be assigned the highest ranking self-service user role, the All users group,
and any default policies and profiles. The user will be enabled for MDM, unless the "mdm" property is set to false.
The directory user properties that are allowed when creating a directory-linked user are: directoryId, mdm,
customVariables. Other properties in the directory user data type are ignored if they are provided, and directory-linked
user information (e.g. displayName, emailAddress) will be synced from the directory when the user is created. If
properties are provided that are not part of the directory user data type, an error is returned.
In a custom variable object, the "label" and "encrypted" fields are ignored and can be omitted. The "value" field should
be encoded using Base64. Custom variables can be added only if the appropriate label is set.
Sample request body
Create directory user with MDM service
{
"directoryId" : "e7aad64542784faeab305304abea36fa",
"customVariables" : [{
"name" : "%custom1%",
"value" : "QW1lcmljYXM="
}, {
"name" : "%custom_pswd1%",
"value" : "cGFzc3dvcmQ="
}
]
}
Sample response body
{
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/profiles"
} ],
"guid" : "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"created": "2018-02-01T09:46:08.514Z",
"directoryId" : "e7aad64542784faeab305304abea36fa",
"company" : "BlackBerry Limited",
"title" : "Associate",
"department" : "Sales",
"officePhoneNumber" : "(519) 555-0100",
"homePhoneNumber" : "(519) 555-0101",
"mobilePhoneNumber" : "(519) 555-0102",
"streetAddress" : "2240 University Avenue",
"poBox" : "555",
"city" : "Waterloo",
"state" : "Ontario",
"postalCode" : "N2K 0A9",
"country" : "Canada",
"customVariables" : [{
"name" : "%custom1%",
"label" : "Region",
"value" : "QW1lcmljYXM=",
"encrypted" : false
}, {
"name" : "%custom_pswd1%",
"label" : "VPN password",
"value" : "KioqKioq",
"encrypted" : true
}
]
}
Request Body
Media type | Data type
application/vnd.blackberry.directoryuser-v1+json | Directory user (JSON)
Response Codes
Code | Condition | Data type
201 | User created. |
400 | Invalid request. For example, invalid field semantics or missing required field. |
409 | User already exists. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.user-v1+json | User (JSON) |
Response Headers
Name | Description
DELETE /{tenantGuid}/api/v1/users/{userGuid}
- Available Since: 12.7.0
Remove the user specified in the URL.
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user to remove.
Response Codes
Code | Condition | Data type
204 | User removed. |
404 | User not found. |
409 | User has associated services or enrolled devices. |
GET /{tenantGuid}/api/v1/users/{userGuid}
- Available Since: 12.7.0
Get details of a user by GUID.
Sample response body
{
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/profiles"
} ],
"guid" : "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"domain" : "example.com",
"administrator": true,
"created": "2018-02-01T09:46:08.514Z",
"directoryId" : "e7aad64542784faeab305304abea36fa",
"customVariables" : [{
"name" : "%custom1%",
"label" : "Region",
"value" : "QW1lcmljYXM=",
"encrypted" : false
}, {
"name" : "%custom_pswd1%",
"label" : "VPN password",
"value" : "KioqKioq",
"encrypted" : true
}
],
"company" : "BlackBerry Limited",
"title" : "Associate",
"department" : "Sales",
"officePhoneNumber" : "(519) 555-0100",
"homePhoneNumber" : "(519) 555-0101",
"mobilePhoneNumber" : "(519) 555-0102",
"streetAddress" : "2240 University Avenue",
"poBox" : "555",
"city" : "Waterloo",
"state" : "Ontario",
"postalCode" : "N2K 0A9",
"country" : "Canada"
}
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user to get
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.userdetail-v1+json | User detail (JSON) |
PATCH /{tenantGuid}/api/v1/users/{userGuid}
- Available Since: 12.7.0
Update a user. The following fields are allowed when updating a local user: password, emailPassword, username,
displayName, firstName, lastName, emailAddress, company, title, department, officePhoneNumber, homePhoneNumber,
mobilePhoneNumber, streetAddress, poBox, city, state, postalCode, country, customVariables. Other fields will be ignored if
they are provided. Removing username or displayName is not allowed.
Directory-linked users use their directory-configured attributes and password, so only custom variables can be changed.
To update a local user's login password, set the 'password' field (base64-encoded). Removing a password is not allowed. The
password does not have to meet the password restrictions that have been configured in the UEM management console. To email
a new password to the user, set 'emailPassword' to true. By default, the password is not sent to the user. If
'emailPassword' is true, the user must have an email address and the SMTP server must be configured in the management
console. The user will be forced to change their password the next time they log in to the management console or UEM
Self-Service console.
To unset a field, set it to null. Fields that are not provided, or that are provided but unchanged, will be ignored. If no
changes are detected in the request, the response will indicate success without having made any changes to the user. If
the request contains the customVariables field, all of the user's existing custom variables will be deleted and the ones
provided in the request will be set.
Sample request body
Update local user's password ("cEA1NXcwcmQ=" is the base64-encoded value of "p@55w0rd"), and email it to the user,
unset the "company" field and set custom variables.
{
"password" : "cEA1NXcwcmQ=",
"emailPassword" : true,
"company" : null,
"customVariables" : [{
"name" : "%custom1%",
"value" : "QW1lcmljYXM="
}, {
"name" : "%custom_pswd1%",
"value" : "cGFzc3dvcmQ="
}]
}
Sample response body
{
"links" : [ {
"rel" : "groups",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/groups"
}, {
"rel" : "profiles",
"href" : "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/profiles"
} ],
"guid" : "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"username" : "pmorley",
"displayName" : "Paul Morley",
"firstName" : "Paul",
"lastName" : "Morley",
"emailAddress" : "pmorley@example.com",
"customVariables": [
{
"name": "%custom1%",
"label": "label1",
"value": "QW1lcmljYXM=",
"encrypted": false
},
{
"name": "%custom_pswd1%",
"label": "password",
"value": "KioqKioq",
"encrypted": true
}
]
}
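Because a PATCH that contains customVariables replaces the whole set, and the sample responses show encrypted values only as the mask KioqKioq, a client that changes one variable has to resend every variable it wants to keep, with real values. The Python sketch below is an added example, not BlackBerry code; the function names and the choice to refuse a masked carry-over are assumptions. It also builds a log-safe copy of a request body, since base64 is an encoding and does not protect the password or variable values.

```python
import base64

# base64 of "******": how the sample responses show an encrypted variable's value.
MASKED_VALUE = "KioqKioq"


def b64(text):
    """Base64-encode a plaintext string the way the request bodies expect."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def custom_variables_patch(user, changes, secrets=None):
    """Build a PATCH body that changes some custom variables and keeps the rest.

    user    -- decoded body of GET /{tenantGuid}/api/v1/users/{userGuid}
    changes -- {name: new plaintext, or None to drop the variable}
    secrets -- {name: plaintext} for encrypted variables that are kept unchanged
    """
    secrets = secrets or {}
    merged = []
    seen = set()
    for var in user.get("customVariables", []):
        name = var["name"]
        seen.add(name)
        if name in changes:
            if changes[name] is not None:
                merged.append({"name": name, "value": b64(changes[name])})
        elif var.get("encrypted"):
            # The GET body only holds the mask, so the real value must be supplied.
            if name not in secrets:
                raise ValueError("no plaintext for encrypted variable %s" % name)
            merged.append({"name": name, "value": b64(secrets[name])})
        else:
            merged.append({"name": name, "value": var["value"]})  # already base64
    for name, text in changes.items():
        if name not in seen and text is not None:
            merged.append({"name": name, "value": b64(text)})
    # "label" and "encrypted" are left out: the page says they are ignored on input.
    return {"customVariables": merged}


def log_safe(body):
    """Copy a request body with every secret-bearing value replaced by the mask."""
    safe = dict(body)
    if safe.get("password") is not None:
        safe["password"] = MASKED_VALUE
    if "customVariables" in safe:
        # Requests carry no "encrypted" flag, so every value is treated as secret.
        safe["customVariables"] = [dict(v, value=MASKED_VALUE)
                                   for v in safe["customVariables"]]
    return safe


# Constructed input: the customVariables part of the sample GET response on this page.
SAMPLE_USER = {
    "guid": "6dd3a8e2-3f24-48c6-961a-949794f4b554",
    "customVariables": [
        {"name": "%custom1%", "label": "Region",
         "value": "QW1lcmljYXM=", "encrypted": False},
        {"name": "%custom_pswd1%", "label": "VPN password",
         "value": "KioqKioq", "encrypted": True},
    ],
}
```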
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user to update
Request Body
Media type | Data type
application/vnd.blackberry.user-v1+json | User (JSON)
Response Codes
Code | Condition | Data type
200 | OK. |
400 | Invalid request. For example, invalid field semantics or missing required field. |
404 | User not found. |
409 | Duplicate username or email address. |
503 | SMTP server temporarily unavailable to send emails. Retry the request again later. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.user-v1+json | User (JSON) |
DELETE /{tenantGuid}/api/v1/users/{userGuid}/accessPasswords
- Available Since: 12.8.0
Remove all access passwords for a user.
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user.
Response Codes
Code | Condition | Data type
204 | Access passwords removed. |
404 | User not found. |
GET /{tenantGuid}/api/v1/users/{userGuid}/accessPasswords
- Available Since: 12.8.0
Get all access passwords for a user.
Sample response body
{
"accessPasswords" : [ {
"type" : "ACCESS_KEY",
"properties" : {
"accessKey" : "jh5a4-Lo4fn-7sowf",
"accessKeyExpiry" : "2017-07-12T14:54:02.947-04:00",
"dynamicsContainerId" : "2fbeb753-4aa8-4aa0-a1c1-597bc68198a0"
}
}, {
"type" : "ACCESS_KEY",
"properties" : {
"accessKey" : "o76s8-xrcv4-xeck9",
"accessKeyExpiry" : "2017-07-12T14:54:02.947-04:00",
"dynamicsContainerId" : "b699d17a-df3d-4a42-98f5-a1193b4f612d"
}
} ]
}
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.accesspasswords-v1+json | Access passwords (JSON) |
POST /{tenantGuid}/api/v1/users/{userGuid}/accessPasswords
- Available Since: 12.8.0
Update access passwords for a user.
Access password type | Description | Properties
DELETE_UNLOCK_ACCESS_KEY | Delete an unlock access key. |
    Name | Type | Description
    appGuid | String | GUID of the app
    userDeviceGuid | String | GUID of the userDevice
GENERATE_ACCESS_KEYS | Generate access keys. |
    Name | Type | Description
    accessKeyExpiry | String | The date and time the access key will expire in ISO-8601 format.
    emailTemplateGuid | String | GUID of the email template (Optional. If set, an email will be sent to the user if they have an email address.)
    numberOfKeys | Integer | The number of keys to generate (Optional. Default is one key.)
GENERATE_UNLOCK_ACCESS_KEY | Generate an access key to unlock an app. |
    Name | Type | Description
    accessKeyExpiry | String | The date and time the access key will expire in ISO-8601 format. (Optional. Default is one day.)
    appGuid | String | GUID of the app
    emailTemplateGuid | String | GUID of the email template (Optional. If set, an email will be sent to the user.)
    userDeviceGuid | String | GUID of the userDevice
Samples
Sample request body
Generate one or many access keys to activate a BlackBerry Dynamics app.
{
"type" : "GENERATE_ACCESS_KEYS",
"properties" : {
"accessKeyExpiry" : "2017-07-12T14:54:02.947-04:00",
"emailTemplateGuid" : "932cc0b4-8ff2-469d-9589-a5e1734bdda8",
"numberOfKeys" : 2
}
}
Sample response body
{
"accessPasswords" : [ {
"type" : "ACCESS_KEY",
"properties" : {
"accessKey" : "jh5a4-Lo4fn-7sowf",
"accessKeyExpiry" : "2017-07-12T14:54:02.947-04:00",
"dynamicsContainerId" : "2fbeb753-4aa8-4aa0-a1c1-597bc68198a0"
}
}, {
"type" : "ACCESS_KEY",
"properties" : {
"accessKey" : "o76s8-xrcv4-xeck9",
"accessKeyExpiry" : "2017-07-12T14:54:02.947-04:00",
"dynamicsContainerId" : "b699d17a-df3d-4a42-98f5-a1193b4f612d"
}
} ]
}
Sample 2 request body
Generate an access key to unlock a BlackBerry Dynamics app.
{
"type" : "GENERATE_UNLOCK_ACCESS_KEY",
"properties" : {
"accessKeyExpiry" : "2017-07-12T14:54:02.947-04:00",
"appGuid" : "07ce5bb9-59a5-4095-ae84-079e6b3f2dcf",
"emailTemplateGuid" : "932cc0b4-8ff2-469d-9589-a5e1734bdda8",
"userDeviceGuid" : "b9cc63c1-ae0c-4cd0-bc6b-a3a11a921b38"
}
}
Sample 2 response body
{
"accessPasswords" : [ {
"type" : "UNLOCK_ACCESS_KEY",
"properties" : {
"accessKey" : "1owag-juodq-h93k1",
"accessKeyExpiry" : "2017-07-12T14:54:02.947-04:00"
}
} ]
}
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user
Request Body
Media type | Data type
application/vnd.blackberry.accesspassword-v1+json | Access password (JSON)
Response Codes
Code | Condition | Data type
201 | Access password(s) created. |
400 | Invalid request. For example, invalid field semantics or missing required field. |
404 | User not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.accesspasswords-v1+json | Access passwords (JSON) |
DELETE /{tenantGuid}/api/v1/users/{userGuid}/activationPasswords
- Available Since: 12.6.0
Expire all activation passwords for a user. An expired activation password is no longer valid to be used for device
activation. A 204 status is still returned if the user has no activation passwords.
Request Parameters
Name | Location | Description
userGuid | path | The GUID of the user
Response Codes
Code | Condition | Data type
204 | Activation password(s) expired. |
404 | User not found. |
GET /{tenantGuid}/api/v1/users/{userGuid}/activationPasswords
- Available Since: 12.6.0
Get all non-expired activation passwords for a user.
Sample response body
The passwords are "******" in base64 encoding.
{
"activationPasswords" : [ {
"guid" : "ee970507-b08f-43ad-853b-27a4d3e41129",
"password" : "KioqKioq",
"expiry" : "2016-07-16T19:20:30.45+01:00",
"expireAfterUse" : true,
"emailTemplate" : {
"guid" : "b82021dc-8020-41c9-a756-4318c968e95e",
"name" : "Basic Activation Template"
}
}, {
"guid" : "173a989c-c67e-446d-9a94-ba7db854fd5c",
"password" : "KioqKioq",
"expiry" : "2016-08-01T12:41:38.41-05:00",
"expireAfterUse" : false,
"activationProfile" : {
"guid" : "07b54042-b375-47e9-a50d-3d6f94654689",
"name" : "BYOD Activation Profile"
}
} ]
}
Request Parameters
Name | Location | Description
userGuid | path | The GUID of the user
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.activationpasswords-v1+json | Activation passwords (JSON) |
POST /{tenantGuid}/api/v1/users/{userGuid}/activationPasswords
- Available Since: 12.6.0
Set one or more activation passwords for a user. If emailing an activation password to the user, the user must have an
email address. To send activation email messages to users, the SMTP server must be configured.
Sample request body
Auto-generate and email a default device activation password and manually set an activation password (base64-encoded value
of "abc123") with a specified activation profile without sending an email
{
"activationPasswords" : [ {
"password" : null,
"expiry" : "2016-07-16T19:20:30.45+01:00",
"expireAfterUse" : true,
"activationProfile" : null,
"emailTemplate" : {
"guid" : "eb14fc60-c6f7-4e67-b312-6612518fa0a5"
}
}, {
"password" : "YWJjMTIz",
"expiry" : "2016-08-01T12:41:38.41-05:00",
"expireAfterUse" : null,
"activationProfile" : {
"name" : "BYOD Activation Profile"
},
"emailTemplate" : null
} ]
}
Sample response body
The passwords are "******" in base64 encoding.
{
"activationPasswords" : [ {
"guid" : "ee970507-b08f-43ad-853b-27a4d3e41129",
"password" : "KioqKioq",
"expiry" : "2016-07-16T19:20:30.45+01:00",
"expireAfterUse" : true,
"emailTemplate" : {
"guid" : "eb14fc60-c6f7-4e67-b312-6612518fa0a5",
"name" : "Corporate Activation Email"
}
}, {
"guid" : "173a989c-c67e-446d-9a94-ba7db854fd5c",
"password" : "KioqKioq",
"expiry" : "2016-08-01T12:41:38.41-05:00",
"expireAfterUse" : false,
"activationProfile" : {
"guid" : "07b54042-b375-47e9-a50d-3d6f94654689",
"name" : "BYOD Activation Profile"
}
} ]
}
Request Parameters
Name | Location | Description
userGuid | path | The GUID of the user
Request Body
Media type | Data type
application/vnd.blackberry.activationpasswords-v1+json | Activation passwords (JSON)
Response Codes
Code | Condition | Data type
201 | Activation password(s) created. |
400 | Invalid request. For example, invalid field semantics or missing required field. |
404 | User not found. |
409 | Non-unique activation password or too many activation passwords specified. |
503 | SMTP server temporarily unavailable to send emails. Retry the request again later. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.activationpasswords-v1+json | Activation passwords (JSON) |
PUT /{tenantGuid}/api/v1/users/{userGuid}/activationPasswords
- Available Since: 12.6.0
Replace all activation passwords for a user. All existing passwords are expired and replaced by the list provided.
Providing an empty list will expire all existing activation passwords for the user.
If emailing an activation password to the user, the user must have an email address. To send activation email messages to
users, the SMTP server must be configured.
See POST request with the same path for sample request and response.
Request Parameters
Name | Location | Description
userGuid | path | The GUID of the user
Request Body
Media type | Data type | Description
application/vnd.blackberry.activationpasswords-v1+json | Activation passwords (JSON) | The collection of activation passwords to set
Response Codes
Code | Condition | Data type
201 | Activation password(s) created. |
400 | Invalid request. For example, invalid field semantics or missing required field. |
404 | User not found. |
409 | Non-unique activation password or too many activation passwords specified. |
503 | SMTP server temporarily unavailable to send emails. Retry the request again later. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.activationpasswords-v1+json | Activation passwords (JSON) |
DELETE /{tenantGuid}/api/v1/users/{userGuid}/activationPasswords/{activationPasswordGuid}
- Available Since: 12.6.0
Expire a specific activation password for a user. An expired activation password is no longer valid to be used for device
activation.
Request Parameters
Name | Location | Description
activationPasswordGuid | path | The GUID of the activation password to expire
userGuid | path | The GUID of the user
Response Codes
Code | Condition | Data type
204 | Activation password expired. |
404 | User or activation password not found. |
GET /{tenantGuid}/api/v1/users/{userGuid}/activationPasswords/{activationPasswordGuid}/qr
- Available Since: 12.14.0
Get activation QR code by activation password GUID.
The response body is a .png image represented as an array of bytes.
Samples
Get activation QR code
GET /SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/activationPasswords/3d55abd2-c00e-4f5f-abcf-01c92ac777b1/qr
Request Parameters
Name | Location | Description
activationPasswordGuid | path | The GUID of the activation password to generate
userGuid | path | non-empty user GUID
Response Codes
Code | Condition
200 | OK.
400 | Invalid request. For example, invalid field semantics or missing required field.
400 | Tenant has the QR code function disabled
403 | User has no permission to see QR code
404 | User not found.
404 | Password not found
GET /{tenantGuid}/api/v1/users/{userGuid}/applications
- Available Since: 12.7.0
Get the apps or app groups that were directly or indirectly assigned to a user.
Samples
Sample 1 request
Get all apps and app groups assigned directly to a user.
GET /SRP00000/api/v1/users/2d2d3a7f-076d-46f9-8c25-56cb8eba2800/applications
Sample response body
{
"applicationAssignments" : [ {
"application" : {
"guid" : "aa291d31-3b51-4424-a09c-7b127ee398a8",
"name":"sampleApplication",
"description" : "Our sample app.",
"os": "android",
"packageId": "com.sample.app.client",
"sourceName": "In Store",
"storeName": "Google Play",
"securedType": "All Android devices",
"reviewMode": "PUBLIC"
},
"disposition" : "OPTIONAL",
"assignment" : "USER"
},
{
"applicationGroup" : {
"guid" : "4e9e07fd-f2f9-4eea-94eb-85524dcecb9e",
"name" : "Business apps",
"description" : "App group for Internal marketing department"
},
"disposition" : "REQUIRED",
"assignment" : "USER"
} ]
}
Sample 2 request
Get all apps and app groups assigned to a user through group assignment.
GET /SRP00000/api/v1/users/2d2d3a7f-076d-46f9-8c25-56cb8eba2800/applications?query=assignment=GROUP
Sample 2 response body
{
"applicationAssignments" : [ {
"application" : {
"guid" : "aa291d31-3b51-4424-a09c-7b127ee398a8",
"name":"sampleApplication",
"description" : "Our sample app.",
"os": "android",
"packageId": "com.sample.app.client",
"sourceName": "In Store",
"storeName": "Google Play",
"securedType": "All Android devices",
"reviewMode": "PUBLIC"
},
"applicationConfig" : {
"appGuid": "aa291d31-3b51-4424-a09c-7b127ee398a8",
"appName": "sampleApplication",
"appPackageId": "com.sample.app.client",
"guid": "d5b1b6bd-deec-4196-898d-9c0e68925385",
"name": "Sample App Configuration",
"rank": 0
},
"disposition" : "OPTIONAL",
"assignment" : "GROUP",
"links" : [ {
"rel" : "group",
"href" : "https://server01:18084/SRP00000/api/v1/group/2d2d3a7f-076d-46f9-8c25-56cb8eba2800"
} ]
},
{
"applicationGroup" : {
"guid" : "4e9e07fd-f2f9-4eea-94eb-85524dcecb9e",
"name" : "Business apps",
"description" : "App group for Internal marketing department"
},
"disposition" : "REQUIRED",
"assignment" : "GROUP",
"links" : [ {
"rel" : "group",
"href" : "https://server01:18084/SRP00000/api/v1/group/2d2d3a7f-076d-46f9-8c25-56cb8eba2800"
} ]
} ]
}
Request Parameters
Name |
Location |
Description |
userGuid |
path |
GUID of the user to get assigned applications for |
query |
query |
A query for filtering the application assignment results. The format is
<field name>=<query value> ,
for example assignment=USER to return only directly assigned application and application groups.
Multiple field-value pairs can be provided in the query with each pair separated with a comma, in which case
only users matching all of the criteria provided will be included in the response. Querying for empty/null
values is not supported.
Field |
Type |
Description |
assignment |
string |
Specify "user" or "group" to return applications assigned by the specified assignment type. Multiple
assignment types can be separated with a semicolon, for example assignment=user;group to return
applications assigned by user and by user groups. |
|
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
400 |
Invalid search query. |
|
404 |
User not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.applicationassignments-v1+json |
Application assignments
(JSON) |
|
POST /{tenantGuid}/api/v1/users/{userGuid}/applications
- Available Since:
- 12.10.0
Assign one or more applications or application groups by GUID to a user. If the application or application group is
already assigned, the disposition and application config will be updated. Only the GUID field of each application,
application config or application group is required. The application config property is optional. Only the application
config GUID is required to define an app config. NOTE: An application config cannot be assigned to an application group.
NOTE: Only BlackBerry Dynamics app configs are supported.
Sample request body
{
"applicationAssignments" : [ {
"application" : {
"guid" : "aa291d31-3b51-4424-a09c-7b127ee398a8"
},
"disposition" : "OPTIONAL"
}, {
"application" : {
"guid" : "841e0146-07d5-4963-947c-dcabe7293806"
},
"disposition" : "REQUIRED"
}, {
"applicationGroup" : {
"guid" : "47cb164d-4173-4f4f-9686-842f0d22a19c"
},
"disposition" : "REQUIRED"
} ]
}
Sample request body with application config
{
"applicationAssignments": [{
"application": {
"guid": "ef7fb3f4-5ed5-4f53-b54d-c0280cbf2716"
},
"disposition": "REQUIRED",
"applicationConfig": {
"guid": "A2BA5128-FE07-4DF9-AE09-5FC31F4C774E"
}
},
{
"application": {
"guid": "c2cff83f-bbe0-4903-b2e9-557278656fe9"
},
"disposition": "OPTIONAL",
"applicationConfig": {
"guid": "0651D265-069D-4B79-94C3-B1326B70E130"
}
}
]
}
Request Parameters
Name |
Location |
Description |
userGuid |
path |
GUID of the user to assign applications to. |
Request Body
Media type |
Data type |
application/vnd.blackberry.applicationassignments-v1+json |
Application assignments
(JSON) |
Response Codes
Code |
Condition |
Data type |
204 |
Application(s) assigned. |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
404 |
Application not found. User not found. |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/applications/{appGuid}
- Available Since:
- 12.11.0
Get an application directly assigned to a user.
Sample response body
{
"application" : {
"guid" : "aa291d31-3b51-4424-a09c-7b127ee398a8",
"name":"sampleApplication",
"description" : "Our sample app.",
"os": "android",
"packageId": "com.sample.app.client",
"sourceName": "In Store",
"storeName": "Google Play",
"securedType": "All Android devices",
"reviewMode": "PUBLIC"
},
"disposition" : "OPTIONAL"
}
Request Parameters
Name |
Location |
Description |
appGuid |
path |
GUID of the application assigned to user |
userGuid |
path |
GUID of the user to get assigned application for |
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
404 |
User not found. |
|
404 |
Application not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.applicationassignment-v1+json |
Application assignment
(JSON) |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/embeddedCertificates
- Available Since:
- 12.12.0
Get a list of embedded certificates by a user GUID.
EmbeddedCertificate is an entity that connects a certificate object (user certificate, non-BlackBerry Dynamics user
certificate, SCEP, user credential profile, and so on) to other entities, providing information about how the
certificate is used, for example, the associated user, profile, or enrollments.
Samples
Sample 1 request
Get a list of embedded certificates that are enrolled and belong to a certificate bundle (groups of certificates that can
be renewed or deleted as a single element).
Sample 1 response body
{
"embeddedCertificates": [
{
"links": [
{
"rel": "user",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d"
},
{
"rel": "certificateEnrollments",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d/embeddedCertificate/cdf5f9eb-7964-4b27-9fb8-ba038c199e5c/certificateEnrollments"
},
{
"rel": "profile",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d/profiles/1aba01cb-c758-4590-9fb1-527cc94fb7ba"
},
{
"rel": "certificate",
"href": "https://server01:18084/SRP00000/api/v1/pki/certificates/cdf5f9eb-7964-4b27-9fb8-ba038c199e5c"
},
{
"rel": "bundle",
"href": "https://server01:18084/SRP00000/api/v1/pki/bundles/7ebddbc5-9673-4f3b-83ff-55a5f1c70f6e"
}
],
"guid": "cdf5f9eb-7964-4b27-9fb8-ba038c199e5c",
"name": "entrustUCP-testUser-cdf5f9eb-7964-4b27-9fb8-ba038c199e5c",
"created": "2017-01-14T16:40:03.54Z"
},
{
"links": [
{
"rel": "user",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d"
},
{
"rel": "certificateEnrollments",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d/embeddedCertificate/33041bb9-28c9-4b27-9061-ff6370249771/certificateEnrollments"
},
{
"rel": "profile",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d/profiles/1aba01cb-c758-4590-9fb1-527cc94fb7ba"
},
{
"rel": "certificate",
"href": "https://server01:18084/SRP00000/api/v1/pki/certificates/33041bb9-28c9-4b27-9061-ff6370249771"
},
{
"rel": "bundle",
"href": "https://server01:18084/SRP00000/api/v1/pki/bundles/7ebddbc5-9673-4f3b-83ff-55a5f1c70f6e"
}
],
"guid": "33041bb9-28c9-4b27-9061-ff6370249771",
"name": "openTrustUCP-testUser-33041bb9-28c9-4b27-9061-ff6370249771",
"created": "2017-01-15T16:40:03.54Z"
}
]
}
Sample 2 request
Get the embedded certificates for a user that has no certificates.
Sample 2 response body.
{
"embeddedCertificates": []
}
Request Parameters
Name |
Location |
Description |
userGuid |
path |
non-empty user GUID that owns certificate |
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
404 |
User not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.embeddedcertificates-v1+json |
Embedded certificates
(JSON) |
|
POST /{tenantGuid}/api/v1/users/{userGuid}/embeddedCertificates
- Available Since:
- 12.12.0
Add a PKCS #12 certificate to a user that will be delivered to BlackBerry Dynamics enabled devices.
This method eventually creates a new user certificate profile that is configured for BlackBerry Dynamics enabled devices.
The client should specify the application/pkcs12 MIME type in the Content-Type HTTP request header to use this request.
The PKCS #12 certificate body is passed in binary form in the HTTP request body. The file name should be provided in
the Content-Disposition HTTP request header.
On successful certificate persistence, the response message will contain an array of
embedded certificates for each private key uploaded as a PKCS #12 file.
Sample request
Content-Type: application/pkcs12
Content-Disposition: attachment; filename="FILE_NAME.pfx"
BINARY_PKCS12_CONTENT_GOES_HERE
Request Parameters
Name |
Location |
Description |
Content-Disposition |
header |
The value for this required request header must follow the format of
filename="<PKCS12 certificate binary filename>" . |
userGuid |
path |
|
Request Body
Media type |
Data type |
application/pkcs12 |
object
|
Response Codes
Code |
Condition |
Data type |
201 |
Certificate uploaded. |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
400 |
Could not extract file name. |
|
404 |
User not found. |
|
POST /{tenantGuid}/api/v1/users/{userGuid}/embeddedCertificates
- Available Since:
- 12.12.0
Add a PKCS #12 certificate to a user that will be uploaded to non-BlackBerry Dynamics managed devices.
This method eventually creates a new user certificate profile that is configured for non-BlackBerry Dynamics managed
devices. It is recommended to use a user credential profile instead of a user certificate profile. User certificate
profiles are provided for UI compatibility but may be deprecated in a future release.
The request is based on the multipart/related MIME type and consists of two
parts:
- PKCS #12 root part of the request: the certificate itself, with the
application/pkcs12 MIME type.
- Certificate metadata, which contains the Base64-encoded password of the PKCS #12
container.
Note the following about the multipart/related request:
- The boundary must be defined in the root Content-type header (for example, someClientDefinedContentBoundary).
- The start parameter must be identified in the root Content-type header (for example,
start="clientDefinedRootPartIdentifier").
- Each part of a multipart request should start with the boundary value defined in the root Content-type header,
prefixed with a double dash ( '--' ).
- Each part must define its own content type.
- The root part must contain a Content-ID header with the 'start' value defined in the root Content-type header (for
example, clientDefinedRootPartIdentifier).
- Headers and content should be separated with an empty line inside each part.
- The last part must be followed by an end-line delimiter that consists of the boundary value prefixed and postfixed
with a double dash ( '--' ). For example, '--someClientDefinedContentBoundary--'.
After successful certificate persistence, the response message will contain an array of
embedded certificates for each private key uploaded as a PKCS #12 file.
Sample request header
Content-type: multipart/related; boundary="clientDefinedContentBoundary"; start="clientDefinedRootPartIdentifier"
Sample request body
The user certificate password is required if it has been set. ("cEA1NXcwcmQ=" is the base64-encoded value of "p@55w0rd").
--clientDefinedContentBoundary
Content-Type: application/vnd.blackberry.deviceusercertificatemetadata-v1+json
{
"password":"cEA1NXcwcmQ="
}
--clientDefinedContentBoundary
Content-Type: application/pkcs12
Content-Disposition: attachment; filename="FILE_NAME.pfx"
Content-ID: clientDefinedRootPartIdentifier
BINARY_PKCS12_CONTENT_GOES_HERE
--clientDefinedContentBoundary--
As of API version 12.13.0, the response message body will not contain an empty
Embedded certificates object because retrieving non-BlackBerry Dynamics user
certificates is supported.
Request Parameters
Name |
Location |
Description |
userGuid |
path |
GUID of the user to update |
Request Body
Media type |
Data type |
multipart/related |
object
|
Response Codes
Code |
Condition |
Data type |
201 |
Certificate uploaded. |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
400 |
Multipart request should contain only two parts. |
|
400 |
Multipart request defines wrong root part. Certificate part expected. |
|
400 |
Certificate password was not found. |
|
400 |
Certificate password can not be extracted. |
|
400 |
Could not extract file name. |
|
404 |
User not found. |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/embeddedCertificates/{embeddedCertificateGuid}
- Available Since:
- 12.12.0
Retrieves the embedded certificate by user account and GUID.
EmbeddedCertificate is an entity that connects a Certificate object (user certificate, non-BlackBerry Dynamics user
certificate, SCEP, user credential profile, and so on) to other entities, providing information about how the
certificate is used, for example, the associated user, profile, or enrollments.
Samples
Sample 1 request
Get the embedded certificate that is enrolled and is part of a certificate bundle (a group of certificates that can be
renewed or deleted as a single element).
Sample 1 response body
{
"links": [
{
"rel": "user",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d"
},
{
"rel": "certificateEnrollments",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d/embeddedCertificate/cdf5f9eb-7964-4b27-9fb8-ba038c199e5c/certificateEnrollments"
},
{
"rel": "profile",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d/profiles/1aba01cb-c758-4590-9fb1-527cc94fb7ba"
},
{
"rel": "certificate",
"href": "https://server01:18084/SRP00000/api/v1/pki/certificates/cdf5f9eb-7964-4b27-9fb8-ba038c199e5c"
},
{
"rel": "bundle",
"href": "https://server01:18084/SRP00000/api/v1/pki/bundles/7ebddbc5-9673-4f3b-83ff-55a5f1c70f6e"
}
],
"guid": "cdf5f9eb-7964-4b27-9fb8-ba038c199e5c",
"name": "entrustUCP-testUser-cdf5f9eb-7964-4b27-9fb8-ba038c199e5c",
"created": "2017-01-14T16:40:03.54Z"
}
Sample 2 request
Get embedded certificate that is not enrolled.
Sample 2 response body.
{
"links": [
{
"rel": "user",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d"
},
{
"rel": "profile",
"href": "https://server01:18084/SRP00000/api/v1/users/dd93cfa3-6016-4685-8bb7-6bd8e18fc82d/profiles/3522b810-b17c-491c-bc3f-c88e48af0770"
},
{
"rel": "certificate",
"href": "https://server01:18084/SRP00000/api/v1/pki/certificates/2ab7d0e2-3f24-48c6-961a-949794f4b554"
}
],
"guid": "2ab7d0e2-3f24-48c6-961a-949794f4b554",
"name": "TKCA_02_VF1_S_MIME_Encr.pfx",
"created": "2017-01-01T11:04:30.45Z"
}
Request Parameters
Name |
Location |
Description |
embeddedCertificateGuid |
path |
non-empty embedded certificate GUID |
userGuid |
path |
non-empty user GUID that owns certificate |
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
404 |
Embedded certificate not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.embeddedcertificate-v1+json |
Embedded certificate
(JSON) |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/embeddedCertificates/{embeddedCertificateGuid}/certificateEnrollments
- Available Since:
- 12.12.0
Get a list of certificate enrollments for a specified embedded certificate for a user.
CertificateEnrollment is an entity that shows all the places a certificate was sent to, with the statuses of its enrollment.
Note: statuses for non-BlackBerry Dynamics certificates are not returned.
Samples
Sample 1 request
Get a list of successful certificate enrollments.
Sample 1 response body
{
"certificateEnrollments": [
{
"link": {
"rel": "userDeviceApplication",
"href": "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/userDevices/2d2d3a7f-076d-46f9-8c25-56cb8eba2800/applications/9abf8858-53bd-4434-8a00-0e8fdbd9c0c4"
},
"status" : "Delivered" // mandatory, unique. Status of certificate for a particular managed endpoint
},
{
"link": {
"rel": "userDevice",
"href": "https://server01:18084/SRP00000/api/v1/users/6dd3a8e2-3f24-48c6-961a-949794f4b554/userDevices/2d2d3a7f-076d-46f9-8c25-56cb8eba2800"
},
"status" : "Duplicate"
}
]
}
Sample 2 request
Get the certificate enrollments when certificate enrollment has not started yet. For example, the user certificate
profile is assigned to the user but this user does not have an activated device, so the system maintains the certificate
and embedded certificate, but enrollments do not exist.
Sample 2 response body.
{
"certificateEnrollments": []
}
Request Parameters
Name |
Location |
Description |
embeddedCertificateGuid |
path |
GUID of the embedded certificate |
userGuid |
path |
GUID of the user that owns a certificate |
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
404 |
User not found. |
|
404 |
Embedded certificate not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.certificateenrollments-v1+json |
Certificate enrollments
(JSON) |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/groups
- Available Since:
- 12.10.0
Get assigned user groups for a user.
NOTE: The accept header Accept: application/vnd.blackberry.groupassignments-v1+json
must be provided to return the Group assignments Data Type.
Sample response body
{
"groupAssignments" : [ {
"group" : {
"guid" : "6d0c4ddb-10ae-471d-948d-df27868dcf8a",
"name" : "Sales",
"description" : "Group for sales associates.",
"directoryLinked" : false
},
"indirect" : true
}, {
"group" : {
"guid" : "6c5b41f6-20ff-4cb2-8ee0-37cd8756320e",
"name" : "All users",
"directoryLinked" : false
},
"indirect" : false
} ]
}
Request Parameters
Name |
Location |
Description |
Accept |
header |
|
userGuid |
path |
GUID of the user to get group assignments for |
query |
query |
A query for filtering the group results. The format is <field name>=<query value> ,
for example indirect=true to return only indirect groups. Querying for empty/null values is not
supported.
Field |
Type |
Description |
indirect |
boolean |
Specify "true" to return indirect groups. |
|
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
400 |
Invalid search query. |
|
404 |
User not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.groupassignments-v1+json |
Group assignments
(JSON) |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/groups
- Available Since:
- 12.7.0
Get all user groups directly assigned to a user. Every user belongs to at least the "All users" group by default.
Sample response body
{
"groups" : [ {
"guid" : "6d0c4ddb-10ae-471d-948d-df27868dcf8a",
"name" : "Sales",
"description" : "Group for sales associates.",
"directoryLinked" : false
},
{
"guid" : "6c5b41f6-20ff-4cb2-8ee0-37cd8756320e",
"name" : "All users",
"directoryLinked" : false
} ]
}
Request Parameters
Name |
Location |
Description |
userGuid |
path |
GUID of the user to get groups for |
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
404 |
User not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.groups-v1+json |
Groups
(JSON) |
|
DELETE /{tenantGuid}/api/v1/users/{userGuid}/profiles
- Available Since:
- 12.9.0
Remove profiles assigned to a user. All profiles provided in the list of profiles (by GUID)
are removed. Only the GUID field of each profile is required.
Sample request body
{
"profiles" : [ {
"guid" : "3d55abd2-c00e-4f5f-abcf-01c92ac777b1"
}, {
"guid" : "6106fce8-83f5-44b3-8288-e8e4e0966561"
} ]
}
Request Parameters
Name |
Location |
Description |
userGuid |
path |
GUID of the user to remove profiles for. |
Request Body
Media type |
Data type |
application/vnd.blackberry.profiles-v1+json |
Profiles
(JSON) |
Response Codes
Code |
Condition |
Data type |
204 |
Profile(s) removed. |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
404 |
User not found. |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/profiles
- Available Since:
- 12.9.0
Get assigned profiles for a user.
NOTE: The accept header Accept: application/vnd.blackberry.profileassignments-v1+json
must be provided to return the Profile assignments Data Type.
Sample response body
{
"profileAssignments" : [ {
"profile" : {
"guid" : "3d55abd2-c00e-4f5f-abcf-01c92ac777b1",
"name" : "Strict IT Policy",
"categoryName" : "IT_CONFIG",
"default": false
},
"assignment" : "USER",
"effective" : true
}, {
"profile" : {
"guid" : "6106fce8-83f5-44b3-8288-e8e4e0966561",
"name" : "Sales Email Profile",
"categoryName" : "EMAIL",
"default": false
},
"assignment" : "GROUP",
"effective" : false
} ]
}
Request Parameters
Name |
Location |
Description |
Accept |
header |
|
userGuid |
path |
GUID of the user to get profile assignments for |
query |
query |
A query for filtering the profile results. The format is <field name>=<query value> ,
for example effective=true to return only effective profiles. Multiple field-value pairs can be
provided in the query with each pair separated with a comma, in which case only users matching all of the
criteria provided will be included in the response. Querying for empty/null values is not supported.
Field |
Type |
Description |
effective |
boolean |
Specify "true" to return effective profiles and "false" to return profiles that are not effective. |
assignment |
string |
Specify "default", "group" or "user" to return profiles assigned by the specified assignment type. Multiple
assignment types can be separated with a semicolon, for example assignment=group;user to return
profiles assigned by group and user. |
|
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
400 |
Invalid search query. |
|
404 |
User not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.profileassignments-v1+json |
Profile assignments
(JSON) |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/profiles
- Available Since:
- 12.6.0
Get all profiles directly assigned to a user.
Sample response body
{
"profiles" : [ {
"guid" : "3d55abd2-c00e-4f5f-abcf-01c92ac777b1",
"name" : "Strict IT Policy",
"categoryName" : "IT_CONFIG",
"default": false
}, {
"guid" : "6106fce8-83f5-44b3-8288-e8e4e0966561",
"name" : "Sales Email Profile",
"categoryName" : "EMAIL",
"default": false
} ]
}
Request Parameters
Name |
Location |
Description |
userGuid |
path |
|
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
404 |
User not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.profiles-v1+json |
Profiles
(JSON) |
|
POST /{tenantGuid}/api/v1/users/{userGuid}/profiles
- Available Since:
- 12.6.0
Assign one or more profiles, by GUID, to a user. Only the GUID field of each profile is required.
Sample request body
{
"profiles" : [ {
"guid" : "3d55abd2-c00e-4f5f-abcf-01c92ac777b1"
}, {
"guid" : "6106fce8-83f5-44b3-8288-e8e4e0966561"
} ]
}
Request Parameters
Name |
Location |
Description |
userGuid |
path |
GUID of the user to assign profiles to. |
Request Body
Media type |
Data type |
application/vnd.blackberry.profiles-v1+json |
Profiles
(JSON) |
Response Codes
Code |
Condition |
Data type |
204 |
Profile(s) assigned. |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
404 |
User not found. |
|
PUT /{tenantGuid}/api/v1/users/{userGuid}/profiles
- Available Since:
- 12.6.0
Replace all profiles assigned to a user. All existing profiles are removed and replaced by the list of profiles (by GUID)
provided. Only the GUID field of each profile is required.
Request Parameters
Name |
Location |
Description |
userGuid |
path |
GUID of the user to replace profiles for. |
Request Body
Media type |
Data type |
application/vnd.blackberry.profiles-v1+json |
Profiles
(JSON) |
Response Codes
Code |
Condition |
Data type |
204 |
Profile(s) assigned. |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
404 |
User not found. |
|
GET /{tenantGuid}/api/v1/users/{userGuid}/profiles/{profileGuid}
- Available Since:
- 12.12.0
Get assigned profile for a user by profile GUID.
Sample response body
{
"profile" : {
"guid" : "3d55abd2-c00e-4f5f-abcf-01c92ac777b1",
"name" : "Sample Policy",
"description" : "Corporate profile",
"categoryName" : "IT_CONFIG",
"default": true
},
"assignment" : "USER",
"effective" : true
}
Request Parameters
Name |
Location |
Description |
profileGuid |
path |
GUID of the profile |
userGuid |
path |
GUID of the user to get profile assignments for |
Response Codes
Code |
Condition |
Data type |
200 |
OK. |
|
400 |
Profile type not supported. |
|
404 |
User not found. |
|
404 |
Profile not found. |
|
Response Body
Media type |
Data type |
Description |
application/vnd.blackberry.profileassignment-v1+json |
Profile assignment
(JSON) |
|
DELETE /{tenantGuid}/api/v1/users/{userGuid}/profiles/{profileGuid}/certificate
- Available Since:
- 12.7.0
Remove the certificate from a manual user credential profile.
Request Parameters
Name |
Location |
Description |
profileGuid |
path |
GUID of the user credential profile assigned to the user. |
userGuid |
path |
GUID of the user to update. |
Response Codes
Code |
Condition |
Data type |
204 |
Certificate removed. |
|
404 |
Profile not found. |
|
404 |
User not found. |
|
PUT /{tenantGuid}/api/v1/users/{userGuid}/profiles/{profileGuid}/certificate
- Available Since:
- 12.8.0
Add or update a certificate for a manual user credential profile.
A certificate must be assigned for a manual certification authority connection. If a certificate is already assigned to
this user, the added certificate will override it.
Sample request body
The user credential certificate password is required if it has been set. ("cEA1NXcwcmQ=" is the base64-encoded value of
"p@55w0rd"). Certificate content must be from a base64 encoded .p12 or .pfx certificate.
{
"name" : "Certificate name",
"password" : "cEA1NXcwcmQ=",
"certificateContent" : "VGhpcyBpcyBjZXJ0aWZpY2F0ZSBmaWxlIGNvbnRlbnQgYmFzZSA2NCBlbmNvZGVk"
}
Request Parameters
Name |
Location |
Description |
profileGuid |
path |
GUID of the user credential profile assigned to the user |
userGuid |
path |
GUID of the user to update |
Request Body
Media type |
Data type |
application/vnd.blackberry.certificate-v1+json |
Certificate
(JSON) |
Response Codes
Code |
Condition |
Data type |
204 |
User updated. |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
404 |
Profile not found. |
|
404 |
User not found. |
|
PUT /{tenantGuid}/api/v1/users/{userGuid}/profiles/{profileGuid}/embeddedCertificates
- Available Since:
- 12.12.0
Set or replace a certificate for a profile assigned to a user for BlackBerry Dynamics managed devices.
As of API version 12.12.0, this route supports two options for the PUT method. The client must define the option by
specifying the Content-Type in the HTTP request header:
- Content-Type: application/pkcs12
Uploads a binary PKCS #12 file without any additional information.
This option is used to upload a certificate for BlackBerry Dynamics applications.
As of UEM 12.12, only the user certificate profile supports BlackBerry Dynamics.
Details of this option are provided below.
- Content-Type: multipart/related with two boundary parts:
Content-Type: application/vnd.blackberry.deviceusercertificatemetadata-v1+json and
Content-Type: application/pkcs12
Uploads a binary PKCS #12 file with a password.
This option is used to upload a certificate for non-BlackBerry Dynamics managed devices. It supports both user credential
and user certificate profiles, but it is recommended to use user credential profiles. User certificate profiles are
provided for UI compatibility but may be deprecated in a future release. For more information about this option, see
set or replace certificate with password for profile assigned to user.
The API client should specify the application/pkcs12 MIME type in the Content-Type HTTP request header to use this
request. The PKCS #12 certificate body is passed in binary form in the HTTP request body. The file name should be
provided in the Content-Disposition HTTP request header.
After successful certificate persistence, the response message will contain an array of
embedded certificates for each private key uploaded as a PKCS #12 file.
Sample request
Content-Type: application/pkcs12
Content-Disposition: attachment; filename="FILE_NAME.pfx"
BINARY_PKCS12_CONTENT_GOES_HERE
Request Parameters
Name |
Location |
Description |
Content-Disposition |
header |
|
profileGuid |
path |
GUID of the profile assigned to the user |
userGuid |
path |
GUID of the user to update |
Request Body
Media type |
Data type |
application/pkcs12 |
object
|
Response Codes
Code |
Condition |
Data type |
201 |
Certificate uploaded |
|
400 |
Invalid request. For example, invalid field semantics or missing required field. |
|
400 |
Could not extract file name. |
|
400 |
Upload certificate without password is not supported for USER_CREDENTIAL profile category. |
|
404 |
Profile not found. |
|
404 |
User not found. |
|
PUT /{tenantGuid}/api/v1/users/{userGuid}/profiles/{profileGuid}/embeddedCertificates
- Available Since:
- 12.12.0
Set or replace a certificate for a profile assigned to a user for non-BlackBerry Dynamics managed devices.
As of API version 12.12.0, this route supports two options for the PUT method. The client must define the option by
specifying the Content-Type in the HTTP request header:
- Content-Type: application/pkcs12
Uploads a binary PKCS #12 file without any additional information.
This option is used to upload a certificate for BlackBerry Dynamics applications.
As of UEM 12.12, only the user certificate profile supports BlackBerry Dynamics.
For more information about this option, see
set or replace certificate for profile assigned to user.
- Content-Type: multipart/related with two boundary parts:
Content-Type: application/vnd.blackberry.deviceusercertificatemetadata-v1+json and
Content-Type: application/pkcs12
Uploads a binary PKCS #12 file with a password.
This option is used to upload a certificate for non-BlackBerry Dynamics managed devices. It supports both user credential
and user certificate profiles, but it is recommended to use user credential profiles. User certificate profiles are
provided for UI compatibility but may be deprecated in a future release. Details of this option are provided below.
The request is based on the multipart/related MIME type and consists of two
parts:
- PKCS #12 root part of the request: the certificate itself, with the
application/pkcs12 MIME type.
- Certificate metadata, which contains the Base64-encoded password of the PKCS #12
container.
Note the following about the multipart/related request:
- The boundary must be defined in the root Content-type header (for example, someClientDefinedContentBoundary).
- The start parameter must be identified in the root Content-type header (for example,
start="clientDefinedRootPartIdentifier").
- Each part of a multipart request should start with the boundary value defined in the root Content-type header,
prefixed with a double dash ( '--' ).
- Each part must define its own content type.
- The root part must contain a Content-ID header with the 'start' value defined in the root Content-type header (for
example, clientDefinedRootPartIdentifier).
- Headers and content should be separated with an empty line inside each part.
- The last part must be followed by an end-line delimiter that consists of the boundary value prefixed and postfixed
with a double dash ( '--' ). For example, '--someClientDefinedContentBoundary--'.
After successful certificate persistence, the response message will contain an array of
embedded certificates for each private key uploaded as a PKCS #12 file.
Sample request header
Content-type: multipart/related; boundary="clientDefinedContentBoundary"; start="clientDefinedRootPartIdentifier"
Sample request body
The user certificate password is required if it has been set ("cEA1NXcwcmQ=" is the base64-encoded value of "p@55w0rd").
--clientDefinedContentBoundary
Content-Type: application/vnd.blackberry.deviceusercertificatemetadata-v1+json

{
"password":"cEA1NXcwcmQ="
}
--clientDefinedContentBoundary
Content-Type: application/pkcs12
Content-Disposition: attachment; filename="FILE_NAME.pfx"
Content-ID: clientDefinedRootPartIdentifier

BINARY_PKCS12_CONTENT_GOES_HERE
--clientDefinedContentBoundary--
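The framing rules above, as an added Python example (not BlackBerry's code): build_upload assembles the two-part body and preflight re-parses it and reports problems worded after the documented 400 conditions. The function names, the CRLF line endings (standard for MIME) and the stand-in certificate bytes are assumptions of this example.

```python
import base64
import json
import re

METADATA_TYPE = "application/vnd.blackberry.deviceusercertificatemetadata-v1+json"
CRLF = b"\r\n"


def build_upload(pkcs12, password, filename,
                 boundary="clientDefinedContentBoundary",
                 root_id="clientDefinedRootPartIdentifier"):
    """Return (Content-Type header value, body bytes) for the two-part request."""
    delim = b"--" + boundary.encode("ascii")
    if delim in pkcs12:
        raise ValueError("boundary occurs inside the PKCS #12 bytes; pick another")
    if re.search(r'["\r\n]', filename):
        raise ValueError("filename would break the Content-Disposition header")
    meta = json.dumps(
        {"password": base64.b64encode(password.encode("utf-8")).decode("ascii")})
    body = CRLF.join([
        delim,
        b"Content-Type: " + METADATA_TYPE.encode("ascii"),
        b"",                                   # empty line between headers and content
        meta.encode("ascii"),
        delim,
        b"Content-Type: application/pkcs12",
        b'Content-Disposition: attachment; filename="' + filename.encode("utf-8") + b'"',
        b"Content-ID: " + root_id.encode("ascii"),
        b"",
        pkcs12,
        delim + b"--",                         # closing delimiter
        b"",
    ])
    header = 'multipart/related; boundary="%s"; start="%s"' % (boundary, root_id)
    return header, body


def preflight(content_type, body):
    """List structural problems before sending; an empty list means none found."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', content_type))
    if "boundary" not in params or "start" not in params:
        return ["boundary and start must be defined in the root Content-type header"]
    delim = b"--" + params["boundary"].encode("ascii")
    end = body.rfind(delim + b"--")
    if end < 0:
        return ["closing delimiter missing"]
    parts = []
    for chunk in body[:end].split(delim + CRLF)[1:]:
        head, _, content = chunk.partition(CRLF + CRLF)
        headers = {}
        for line in head.decode("utf-8", "replace").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, content[:-2]))  # drop the CRLF before the next delimiter
    if len(parts) != 2:
        return ["Multipart request should contain only two parts."]
    problems = []
    root = [p for p in parts if p[0].get("content-id") == params["start"]]
    if len(root) != 1 or root[0][0].get("content-type") != "application/pkcs12":
        problems.append("Multipart request defines wrong root part.")
    elif not re.search(r'filename="[^"]+"', root[0][0].get("content-disposition", "")):
        problems.append("Could not extract file name.")
    meta = [p for p in parts if p[0].get("content-type") == METADATA_TYPE]
    try:
        encoded = json.loads(meta[0][1])["password"]
        base64.b64decode(encoded, validate=True)
    except (IndexError, KeyError, TypeError, ValueError):
        problems.append("Certificate password was not found or can not be extracted.")
    return problems


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real PKCS #12 container.
    fake_pfx = b"\x30\x82\x00\x01\r\n\r\nconstructed-sample\x00\xff"
    content_type, payload = build_upload(fake_pfx, "p@55w0rd", "FILE_NAME.pfx")
    print("Content-type:", content_type)
    print(len(payload), "bytes, problems:", preflight(content_type, payload))
```

Base64 only encodes the container password, so the request body should be treated as sensitive and kept out of client-side logs.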
Request Parameters
Name | Location | Description
profileGuid | path | GUID of the profile assigned to the user
userGuid | path | GUID of the user to update
Request Body
Media type | Data type
multipart/related | object
Response Codes
Code | Condition | Data type
201 | Certificate uploaded |
400 | Invalid request. For example, invalid field semantics or missing required field. |
400 | Multipart request should contain only two parts. |
400 | Multipart request defines wrong root part. Certificate part expected. |
400 | Certificate password was not found. |
400 | Certificate password can not be extracted. |
400 | Could not extract file name. |
404 | Profile not found. |
404 | User not found. |
Response Headers
Name | Description
GET /{tenantGuid}/api/v1/users/{userGuid}/services
- Available Since:
- 12.7.0
Get services assigned to a user.
Sample response body
{
"serviceAssignments" : [ {
"service" : {
"guid" : "7f463414-5266-4a41-ae5b-159d27bb8107",
"name" : "mdm"
},
"status": "ASSOCIATED"
} ]
}
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user to get services for
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.serviceassignments-v1+json | Service assignments (JSON) |
GET /{tenantGuid}/api/v1/users/{userGuid}/userDevices
- Available Since:
- 12.7.0
Get the user devices assigned to a user that are listed as Enrolled.
Sample response body
{
"userDevices": [
{
"links" : [ {
"rel" : "user",
"href" : "https://server01:18084/SRP00000/api/v1/users/59dc743d-f325-4a6c-97ac-44dcb9ef8a0e"
}, {
"rel" : "sharedDeviceGroup",
"href" : "https://server01:18084/SRP00000/api/v1/sharedDeviceGroups/361287bf-d2b9-4a3a-80db-0da4c80de5f2"
} ],
"guid": "2d2d3a7f-076d-46f9-8c25-56cb8eba2800",
"checkedOut": false,
"clientVersion": "5.50.1",
"enrollmentType": [
"WORK_SPACE_ONLY_AFW"
],
"enrollmentState": "ENROLLED",
"language": "en_US",
"lastContactTime": "2017-01-20T11:01:52.400Z",
"loggingExpiryDate": "2017-01-18T18:18:43.000Z",
"loggingStatus": "Expired",
"device": {
"guid": "4659aa7f-0a7d-9f69-258c-2800ebaa2800",
"activationDate": "2017-01-16T14:47:03.662Z",
"activeSyncId": "K6CKULJTID3SDEAIV0ELHBBTTO",
"batteryLevel": 95.0,
"compromised": false,
"externalStorageFree": 12021.0,
"externalStorageSize": 16386.0,
"hardwareModel": "Desire",
"hardwareName": "bravo",
"hardwareVendorCompanyName": "HTC Corporation",
"homeCarrier": "Rogers",
"iccid": "8938 0012 1050 8728 331",
"internalStorageFree": 2112.0,
"internalStorageSize": 32768.0,
"imei": "990000862471854",
"meid": "01234567890123456",
"os": "Android 5.0",
"osFamilyName": "android",
"osVersion": "5.0",
"ownership": "PERSONAL",
"phoneNumber": "4045551234",
"serialNumber": "c08088415436112",
"udid": "d88496fdf7115ac9f3ab69966cbaf91d960b95036fa68f66489c8ad78f136b5c",
"wifiMacAddress": "62:9a:7e:bc:fe:01",
"clientId": "com.rim.mobilefusion.client",
"clientVersion": "12.34.0.154893"
},
"service" : {
"guid" : "c90ca7e8-f219-42a2-9a33-97e77f784acf",
"name" : "mdm"
}
},
{
"links" : [ {
"rel" : "user",
"href" : "https://server01:18084/SRP00000/api/v1/users/59dc743d-f325-4a6c-97ac-44dcb9ef8a0e"
} ],
"guid": "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"checkedOut": false,
"clientVersion": "6.30.12",
"dynamicsDeviceId": "kzsaj8JeVGtyWU6RY7Zh0jidClQ7BwKg",
"enrollmentType": [
"USER_PRIVACY_AFW"
],
"enrollmentState": "DELETE_PENDING",
"language": "en_US",
"lastContactTime": "2017-01-23T10:02:12.340Z",
"loggingExpiryDate": "2017-12-31T12:00:00.000Z",
"loggingStatus": "Logging",
"device": {
"guid": "8002ebaa-c258-96f9-d7a0a-0082aa7f4659",
"activationDate": "2017-01-16T14:47:03.662Z",
"activeSyncId": "Q633AGG6QP3FJF6QBNAA81UHB0",
"batteryLevel": 64.0,
"compromised": false,
"externalStorageFree": 12021.0,
"externalStorageSize": 16386.0,
"hardwareModel": "Desire",
"hardwareName": "bravo",
"hardwareVendorCompanyName": "HTC Corporation",
"homeCarrier": "Rogers",
"currentCarrier": "Rogers",
"networkRoaming": false,
"iccid": "8938 0012 1050 8728 331",
"internalStorageFree": 2112.0,
"internalStorageSize": 32768.0,
"imei": "351756051523999",
"meid": "56789012345678901",
"ownership": "CORPORATE",
"os": "Android 6.0",
"osFamilyName": "android",
"osVersion": "6.0",
"phoneNumber": "2125557890",
"securityPatchLevel": "6.0.1.1345",
"serialNumber": "c03618841215084",
"udid": "82f2aaa813c5a4bc2748b078ca844bdbd6a8fb8eaaa173a389467646cf04d00c",
"wifiMacAddress": "b4:52:7e:62:a5:9a",
"clientId": "com.rim.mobilefusion.client",
"clientVersion": "12.34.0.154893"
},
"outOfComplianceInfo": [
{
"date": "2018-03-29T19:47:07.133Z",
"reason": "jailbroken",
"displayName": "Integrity alert"
},
{
"date": "2018-03-29T19:47:27.653Z",
"reason": "blacklistedappsinstalled",
"displayName": "Restricted app is installed"
}
],
"service" : {
"guid" : "c90ca7e8-f219-42a2-9a33-97e77f784acf",
"name" : "mdm"
},
"deviceLocation": {
"latitude": 1.2,
"longitude": 1.2,
"altitude": 400.0,
"speed": 60.0,
"direction": 3.0,
"accuracy": 4.0,
"type": "USER",
"timestamp": "2018-03-29T20:28:59.443Z"
},
"attestationInfo": [
{
"type": "SAFETYNET",
"lastAttestationResponseReceived": "2017-01-23T10:02:12.340Z",
"status": "CTS_PROFILE_MISMATCH",
"attestationNote": "RESTORE_TO_FACTORY_ROM"
}
],
"osUpdateStatus": {
"latestVersion": "12.4",
"otherVersions": [
"12.3.2",
"12.3.1",
"12.3"
],
"attempts": "3",
"attemptsRemaining": "27",
"latestRepspone": "The update is already downloaded.",
"timestamp": "2019-09-03T11:02:12.340Z",
"updateIsAvailable": true,
"isLatest": false
},
"maliciousApplications": [
{
"package": "com.dodgy.app.xyz",
"name": "Sample App One",
"version": "2.0.0.34",
"hash": "kdfjdkasdkjsakljdslkfjdskfjdsk212asdsakj"
},
{
"package": "com.phishing.app.abc",
"name": "Sample App Two",
"version": "5.0.0.34",
"hash": "rtykdtrtkjsakljdgdgdkfjgddgd235sfndkfndk"
}
],
"maliciousSystemApplications": [
{
"package": "com.dodgy.sys.app.xyz",
"name": "Sample System App One",
"version": "3.0.0.34",
"hash": "syskdfjdkasdkjsakljdslkfjdskfjdsk212asds"
},
{
"package": "com.phishing.sys.app.abc",
"name": "Sample System App Two",
"version": "4.0.0.34",
"hash": "sysrtykdtrtkjsakljdgdgdkfjgddgd235sfndkf"
}
]
}
]
}
Request Parameters
Name | Location | Description
userGuid | path | GUID of the user to get all user devices for
query | query | Query parameter for filtering the results. The format is <field name>=<query value>, for example sharedDeviceOnly=true. The following table describes the field that can be used in the query.
  Field | Type | Description | Supports prefix matching
  sharedDeviceOnly | boolean | Filter to return only user devices that are part of shared device groups. If a filter is not specified, then all the user devices are returned. | No
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.userdevices-v1+json | User devices (JSON) |
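An added Python example (not part of the BlackBerry reference) that reads a userDevices response and lists the posture findings per user device. In the second sample above, device.compromised is false while outOfComplianceInfo and attestationInfo both report problems, so the check reads every signal rather than one flag. The function names, the 30-day contact threshold and the treatment of any attestation status other than SUCCESS as not passing are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the fields used here and shaped like the response above.
SAMPLE = json.loads("""
{"userDevices": [
  {"guid": "2d2d3a7f-076d-46f9-8c25-56cb8eba2800",
   "enrollmentState": "ENROLLED",
   "lastContactTime": "2017-01-20T11:01:52.400Z",
   "device": {"compromised": false, "os": "Android 5.0"}},
  {"guid": "6dd3a8e2-3f24-48c6-961a-949794f4b554",
   "enrollmentState": "DELETE_PENDING",
   "lastContactTime": "2017-01-23T10:02:12.340Z",
   "device": {"compromised": false, "os": "Android 6.0"},
   "outOfComplianceInfo": [
     {"date": "2018-03-29T19:47:07.133Z", "reason": "jailbroken",
      "displayName": "Integrity alert"}],
   "attestationInfo": [{"type": "SAFETYNET", "status": "CTS_PROFILE_MISMATCH"}],
   "osUpdateStatus": {"updateIsAvailable": true, "isLatest": false,
                      "latestVersion": "12.4"},
   "maliciousApplications": [{"package": "com.dodgy.app.xyz", "version": "2.0.0.34"}]}
]}
""")


def parse_time(value):
    """Parse the UTC timestamp format used in the samples (2017-01-23T10:02:12.340Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def findings_for(user_device, now, stale_after=timedelta(days=30)):
    """Return a list of short finding strings for one userDevice object."""
    out = []
    if user_device.get("device", {}).get("compromised"):
        out.append("compromised")
    for item in user_device.get("outOfComplianceInfo", []):
        out.append("out-of-compliance:" + item.get("reason", "unknown"))
    for att in user_device.get("attestationInfo", []):
        # Assumption: any status other than SUCCESS counts as not passing.
        if att.get("status") != "SUCCESS":
            out.append("attestation:%s:%s" % (att.get("type"), att.get("status")))
    for key in ("maliciousApplications", "maliciousSystemApplications"):
        for app in user_device.get(key, []):
            out.append("%s:%s" % (key, app.get("package")))
    for app in user_device.get("sideloadedApplications", {}).get("applications", []):
        out.append("sideloaded:%s" % app.get("package"))
    update = user_device.get("osUpdateStatus", {})
    if update.get("updateIsAvailable") and update.get("isLatest") is False:
        out.append("os-update-pending:%s" % update.get("latestVersion"))
    if user_device.get("enrollmentState") != "ENROLLED":
        out.append("enrollment:%s" % user_device.get("enrollmentState"))
    last = user_device.get("lastContactTime")
    if last is None or now - parse_time(last) > stale_after:
        out.append("stale-contact:%s" % last)
    return out


def triage(response, now):
    """Map userDevice GUID to its findings, keeping only devices that have any."""
    result = {}
    for user_device in response.get("userDevices", []):
        found = findings_for(user_device, now)
        if found:
            result[user_device["guid"]] = found
    return result


if __name__ == "__main__":
    for guid, found in triage(SAMPLE, datetime(2017, 1, 25, tzinfo=timezone.utc)).items():
        print(guid, found)
```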
GET /{tenantGuid}/api/v1/users/{userGuid}/userDevices/{userDeviceGuid}
- Available Since:
- 12.7.0
Get the specified user device assigned to a user.
Sample response body
{
"links" : [ {
"rel" : "user",
"href" : "https://server01:18084/SRP00000/api/v1/users/59dc743d-f325-4a6c-97ac-44dcb9ef8a0e"
} ],
"guid": "6dd3a8e2-3f24-48c6-961a-949794f4b554",
"checkedOut": false,
"clientVersion": "6.30.12",
"dynamicsDeviceId": "kzsaj8JeVGtyWU6RY7Zh0jidClQ7BwKg",
"enrollmentType": [
"USER_PRIVACY_AFW"
],
"enrollmentState": "ENROLLED",
"language": "en_US",
"lastContactTime": "2017-01-23T10:02:12.340Z",
"loggingExpiryDate": "2017-12-31T12:00:00.000Z",
"loggingStatus": "Logging",
"device": {
"guid": "8002ebaa-c258-96f9-d7a0a-0082aa7f4659",
"activeSyncId": "K6CKULJTID3SDEAIV0ELHBBTTO",
"activationDate": "2017-01-16T14:47:03.662Z",
"batteryLevel": 64.0,
"compromised": false,
"externalStorageFree": 12021.0,
"externalStorageSize": 16386.0,
"hardwareModel": "Desire",
"hardwareName": "bravo",
"hardwareVendorCompanyName": "HTC Corporation",
"iccid": "8938 0012 1050 8728 331",
"internalStorageFree": 2112.0,
"internalStorageSize": 32768.0,
"imei": "351756051523999",
"meid": "56789012345678901",
"phoneNumber": "2125557890",
"os": "Android 6.0",
"osFamilyName": "android",
"osVersion": "6.0",
"ownership": "CORPORATE",
"securityPatchLevel": "6.0.1.1345",
"serialNumber": "c03618841215084",
"udid": "d88496fdf7115ac9f3ab69966cbaf91d960b95036fa68f66489c8ad78f136b5c",
"wifiMacAddress": "b4:52:7e:62:a5:9a",
"clientId": "com.rim.mobilefusion.client",
"clientVersion": "12.34.0.154893"
},
"outOfComplianceInfo": [
{
"date": "2018-03-29T19:47:07.133Z",
"reason": "jailbroken",
"displayName": "Integrity alert"
},
{
"date": "2018-03-29T19:47:27.653Z",
"reason": "blacklistedappsinstalled",
"displayName": "Restricted app is installed"
}
],
"service" : {
"guid" : "c90ca7e8-f219-42a2-9a33-97e77f784acf",
"name" : "mdm"
},
"deviceLocation": {
"latitude": 1.2,
"longitude": 1.2,
"altitude": 400.0,
"speed": 60.0,
"direction": 3.0,
"accuracy": 4.0,
"type": "USER",
"timestamp": "2018-03-29T20:28:59.443Z"
},
"attestationInfo": [
{
"type": "SAFETYNET",
"lastAttestationResponseReceived": "2017-01-23T10:02:12.340Z",
"status": "CTS_PROFILE_MISMATCH",
"attestationNote": "RESTORE_TO_FACTORY_ROM"
}
],
"osUpdateStatus": {
"latestVersion": "12.4",
"otherVersions": [
"12.3.2",
"12.3.1",
"12.3"
],
"attempts": "3",
"attemptsRemaining": "27",
"latestRepspone": "The update is already downloaded.",
"timestamp": "2019-09-03T11:02:12.340Z",
"updateIsAvailable": true,
"isLatest": false
},
"maliciousApplications": [
{
"package": "com.dodgy.app.xyz",
"name": "Sample App One",
"version": "2.0.0.34",
"hash": "kdfjdkasdkjsakljdslkfjdskfjdsk212asdsakj"
},
{
"package": "com.phishing.app.abc",
"name": "Sample App Two",
"version": "5.0.0.34",
"hash": "rtykdtrtkjsakljdgdgdkfjgddgd235sfndkfndk"
}
],
"maliciousSystemApplications": [
{
"package": "com.dodgy.sys.app.xyz",
"name": "Sample System App One",
"version": "3.0.0.34",
"hash": "syskdfjdkasdkjsakljdslkfjdskfjdsk212asds"
},
{
"package": "com.phishing.sys.app.abc",
"name": "Sample System App Two",
"version": "4.0.0.34",
"hash": "sysrtykdtrtkjsakljdgdgdkfjgddgd235sfndkf"
}
],
"sideloadedApplications": {
"applications": [
{
"package": "com.dodgy.app.xyz",
"name": "Sample App One"
},
{
"package": "com.phishing.app.abc",
"name": "Sample App Two"
}
],
"signingIdentity": [
{
"identity": "iPhone Distribution: BlackBerry Limited",
"hash": "kdfjdkasdkjsakljdslkfjdskfjdsk212asdsakj"
},
{
"identity": "iP#### Di########### Re###### i# Mo#### Li#####",
"hash": "dffjdkasdkjsakljdslkfjdskfjdsk212asdsakj"
}
]
}
}
Request Parameters
Name | Location | Description
userDeviceGuid | path | GUID of the user device to get
userGuid | path | GUID of the user to get user device for
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
404 | User device not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.userdevice-v1+json | User device (JSON) |
GET /{tenantGuid}/api/v1/users/{userGuid}/userDevices/{userDeviceGuid}/applications
- Available Since:
- 12.7.2
Get the assigned and installed applications for a specified user device.
Sample response body
{
"deviceApplications" : [ {
"guid" : "442132bb-2b22-492f-9443-a6b59e4c5289",
"entitlementGuid" : "61b815b3-fd92-4a3e-b033-c686917529df",
"bundleId" : "com.good.gcs",
"disposition" : "REQUIRED",
"dynamics" : true,
"dynamicsContainerId" : "C85ECFF5-A3DB-4FDC-887F-8712220EBD92",
"dynamicsDeviceId" : "21NYbfE+q5gZebL7QKmZ5FUdxGP/b2FT",
"status" : "ACTIVATED",
"name" : "BlackBerry Work",
"personal" : false,
"attestationInfo" : [ {
"type" : "SAFETYNET",
"lastAttestationResponseReceived" : "2017-01-23T10:02:12.340Z",
"status" : "SUCCESS"
}, {
"type" : "HARDWARE_KEY",
"lastAttestationResponseReceived" : "2017-02-22T11:05:15.750Z",
"status" : "FAILURE"
} ]
}, {
"guid" : "99805d7a-f633-4890-878a-c26fc02e5306",
"assignedVersion" : "12.30.0.153794",
"assignedVersionCode" : "2150028",
"installedVersion" : "12.30.0.153794",
"installedVersionCode" : "2150028",
"bundleId" : "com.rim.mobilefusion.client",
"disposition" : "OPTIONAL",
"dynamics" : true,
"status" : "NOT_INSTALLED",
"name" : "UEM Client",
"personal" : false,
"version" : "12.30.0.153794",
"attestationInfo" : [{
"type" : "HARDWARE_KEY",
"lastAttestationResponseReceived" : "2017-02-22T11:05:15.750Z",
"status" : "FAILURE"
} ]
} ]
}
Sample of attestationInfo section for iOS device:
{
"attestationInfo" : [ {
"type": "APP_INTEGRITY",
"lastAttestationResponseReceived": "2017-01-23T10:02:12.340Z",
"status": "APP_LEVEL_FAILURE",
"lastAttestationCode": "INVALID_OR_EXPIRED_AUTH_TOKEN",
"subStatus":"APP_GRACE_PERIOD_FAILURE_ACTIVE_CONTAINER"
} ]
}
Request Parameters
Name | Location | Description
userDeviceGuid | path | GUID of the user device
userGuid | path | GUID of the user
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
404 | User device not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.userdevice.applications-v1+json | User device applications (JSON) |
GET /{tenantGuid}/api/v1/users/{userGuid}/userDevices/{userDeviceGuid}/applications/{appGuid}
- Available Since:
- 12.11.0
Get an assigned or personal application installed on a specified user device.
Sample response body
{
"guid" : "442132bb-2b22-492f-9443-a6b59e4c5289",
"entitlementGuid" : "61b815b3-fd92-4a3e-b033-c686917529df",
"bundleId" : "com.good.gcs",
"disposition" : "REQUIRED",
"dynamics" : true,
"dynamicsContainerId" : "C85ECFF5-A3DB-4FDC-887F-8712220EBD92",
"status" : "ACTIVATED",
"name" : "BlackBerry Work",
"personal" : false,
"attestationInfo" : [ {
"type" : "SAFETYNET",
"lastAttestationResponseReceived" : "2017-01-23T10:02:12.340Z",
"status" : "SUCCESS"
}, {
"type" : "HARDWARE_KEY",
"lastAttestationResponseReceived" : "2017-02-22T11:05:15.750Z",
"status" : "FAILURE"
} ]
}
Sample of attestationInfo section for iOS device:
{
"attestationInfo" : [ {
"type": "APP_INTEGRITY",
"lastAttestationResponseReceived": "2017-01-23T10:02:12.340Z",
"status": "APP_LEVEL_FAILURE",
"lastAttestationCode": "INVALID_OR_EXPIRED_AUTH_TOKEN",
"subStatus":"APP_GRACE_PERIOD_FAILURE_ACTIVE_CONTAINER"
} ]
}
Request Parameters
Name | Location | Description
appGuid | path | GUID of the application installed on user device
userDeviceGuid | path | GUID of the user device
userGuid | path | GUID of the user
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
404 | User device not found. |
404 | Application not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.userdevice.application-v1+json | User device application (JSON) |
POST /{tenantGuid}/api/v1/users/{userGuid}/userDevices/{userDeviceGuid}/applications/{appGuid}/commands
- Available Since:
- 12.8.0
Send a command to a BlackBerry Dynamics app.
Command type | Description | Properties
ATTEST_APPLICATION | Triggers attestation for the app. Please use the following resources to get attestation result for: | Optional properties. Absence of properties means triggering the SAFETYNET attestation.
  Name | Type | Description
  type | string | The attestation type to trigger. Possible values: SAFETYNET, HARDWARE_KEY or APP_INTEGRITY.
BLOCK_APPLICATION | Blocks the application. The app must be unblocked with an Unblock API call (below). |
  Name | Type | Description
  title | string | Title of the message that indicates that the device is in a blocked state (optional).
  body | string | Detailed message that displays on the same screen as the title. For example, the message can provide steps to follow to get the device back in compliance (optional).
  actionId | string | A unique identifier for any Block action. Can be any value as long as it is unique. When sending a corresponding UNBLOCK_APPLICATION command later on, the same value must be used to correlate the commands.
DELETE_APPLICATION | Delete app data. | No properties.
LOCK_APPLICATION | Lock app. The app may be unlocked with an unlock key. | No properties.
UNBLOCK_APPLICATION | Unblocks a previous Block action (above). |
  Name | Type | Description
  actionId | string | This must be the same value that was used in the preceding and related BLOCK_APPLICATION action(s). No format or value restrictions apply. If more than one actionId was sent in more than one BLOCK_APPLICATION call, all actionIds used must be sent in separate calls to unblock the application (the order of the calls is not important).
Samples
Sample 1 request body
Send a command to lock an app.
{
"type" : "LOCK_APPLICATION"
}
Sample 2 request body
Send a command to block an app.
{
"type" : "BLOCK_APPLICATION",
"properties" : {
"actionId" : "Random string - same value used for both block and unblock actions",
"title" : "Summary message for display on the device",
"body" : "Description of compliance failure with steps to get back in compliance for display on the device"
}
}
Request Parameters
Name | Location | Description
appGuid | path | GUID of the app
userDeviceGuid | path | GUID of the user device
userGuid | path | GUID of the user
Request Body
Media type | Data type
application/vnd.blackberry.command-v1+json | Command (JSON)
Response Codes
Code | Condition | Data type
202 | Command accepted for processing. |
400 | Invalid request. For example, command not supported or invalid field semantics. |
404 | Application not found. |
404 | User not found. |
404 | User device not found. |
POST /{tenantGuid}/api/v1/users/{userGuid}/userDevices/{userDeviceGuid}/commands
- Available Since:
- 12.8.0
Send a command to a user device. The following table describes the command types and corresponding properties that can be
sent to a user device. Properties that are not supported for a specific user device may be ignored.
For more information about sending commands to devices, see the BlackBerry UEM Commands reference.
Command type | Description | Properties
ATTEST_DEVICE | Triggers attestation for the user device. For SafetyNet and Hardware Key attestation, the list of app native bundle IDs that will go through the attestation process is returned. (Sample response below). For App Integrity attestation, the list of app entitlement and native bundle IDs that will go through the attestation process is returned. (Sample response below). Please use the following resources to get attestation result for: | Optional properties. Absence of properties means triggering the SAFETYNET attestation.
  Name | Type | Description
  type | string | The attestation type to trigger. Possible values: SAFETYNET, HARDWARE_KEY or APP_INTEGRITY.
BLOCK_APPLICATIONS | Blocks the applications on a device. The apps must be unblocked with an Unblock API call (below). |
  Name | Type | Description
  title | string | Title of the message that indicates that the device is in a blocked state (optional).
  body | string | Detailed message that displays on the same screen as the title. For example, the message can provide steps to follow to get the device back in compliance (optional).
  actionId | string | A unique identifier for any Block action. Can be any value as long as it is unique. When sending a corresponding UNBLOCK_APPLICATIONS command later on, the same value must be used to correlate the commands.
DELETE_DEVICE_DATA | Delete all data on the device, and return the device to factory default settings. |
  Name | Type | Description
  password | Base64-encoded string | New device password to set after restoring to factory default settings (optional, must be 6 digits).
DELETE_WORK_SPACE_DATA | Delete only work data on the device. | No properties.
DISABLE_LOST_MODE | Disable Lost Mode on the device. | No properties.
DISABLE_WORK_SPACE | Disable access to the work space. | No properties.
ENABLE_LOST_MODE | Enable Lost Mode on the device. Either phoneNumber or message properties should be specified. |
  Name | Type | Description
  phoneNumber | string | The phone number to display on the locked device. The maximum length of the phone number is 30 characters.
  message | string | The message to display on the locked device. The maximum length of the message is 150 characters.
  footnote | string | Slide to unlock text. The maximum length of the text is 30 characters (optional).
ENABLE_WORK_SPACE | Enable access to the work space. | No properties.
GET_DEVICE_LOGS | Retrieve logs from the device and send the logs to a path defined by the UEM administrator. See System Information for the path to the log location. The log file name when the command is processed by the device will be of the form: {user name}_{device UDID}_YYYYMMdd-HHmmss.xyz | No properties.
LOCK_DEVICE | Lock device. |
  Name | Type | Description
  password | Base64-encoded string | New device password (optional).
  message | string | Message to display on device lock screen (optional).
LOCK_WORK_SPACE | Set work space password and lock work space. |
  Name | Type | Description
  password | Base64-encoded string | New work space password (required).
REMOVE_DEVICE | Remove a device from UEM without waiting for a response from the device. | No properties.
REQUEST_DEVICE_INFO | Request that the device update its information with the UEM server. | No properties.
RESET_WORK_SPACE_PASSWORD | Reset work space password. The work space password will be deleted and the user will be prompted to set a new work space password when the work space is opened. | No properties.
UNBLOCK_APPLICATIONS | Unblocks a previous Block action (above). |
  Name | Type | Description
  actionId | string | This must be the same value that was used in the preceding and related BLOCK_APPLICATIONS action(s). No format or value restrictions apply. If more than one actionId was sent in more than one BLOCK_APPLICATIONS call, all actionIds used must be sent in separate calls to unblock the application (the order of the calls is not important).
UNLOCK_DEVICE | Unlock device. The existing device password will be deleted and the user will be prompted to set a new device password. | No properties.
UPDATE_DEVICE_OS | Update device OS. |
  Name | Type | Description
  installAction | string | The installAction type to trigger. Possible values: OS_UPDATE_INSTALL_ACTION_DOWNLOAD_ONLY, OS_UPDATE_INSTALL_ACTION_DOWNLOAD_AND_INSTALL or OS_UPDATE_INSTALL_ACTION_INSTALL_DOWNLOADED.
  osVersion | string | OS version to install on device (optional). If the version is not provided, the latest OS version is installed on device.
WIPE_APPLICATIONS | Resets applications on the device to their pre-enrollment state. All management and user data related to the application(s) is deleted on the device. | No properties.
Samples
Sample 1 request body
Send command to lock device, change password, and set a display message. "cEA1NXcwcmQ=" is the base64-encoded value of
"p@55w0rd".
{
"type" : "LOCK_DEVICE",
"properties" : {
"password" : "cEA1NXcwcmQ=",
"message" : "Paul Morley"
}
}
Sample 1 response body
Where possible, commands return the GUID of the command generated for the device. This GUID can be used to get the command status for a user device.
{
"guid" : "df415bb5-345b-4947-a8fa-d768300b76e5"
}
Sample 2 request body
Send command to reset work space password.
{
"type" : "RESET_WORK_SPACE_PASSWORD"
}
Sample 3 request body
Send a command to block device applications.
{
"type" : "BLOCK_APPLICATIONS",
"properties" : {
"actionId" : "Random string - same value used for both block and unblock actions",
"title" : "Summary message for display on the device",
"body" : "Description of compliance failure with steps to get back in compliance for display on the device"
}
}
Sample 4 response body for SafetyNet and Hardware key attestations
{
"appsForAttestation" : [
"app.id.1",
"app.id.2",
"app.id.3"
]
}
Sample 5 response body for App Integrity attestation
{
"appsForAttestation" : [{
"entitlementID" : "app.entitlement.id.1",
"bundleID" : "app.bundle.id.1"
},
{
"entitlementID" : "app.entitlement.id.2",
"bundleID" : "app.bundle.id.2"
}]
}
Request Parameters
Name | Location | Description
userDeviceGuid | path | GUID of the user device to send a command to
userGuid | path | GUID of the user
Request Body
Media type | Data type
application/vnd.blackberry.command-v1+json | Command (JSON)
Response Codes
Code | Condition | Data type
202 | Command accepted for processing. |
400 | Invalid request. For example, command not supported or invalid field semantics. |
404 | User not found. |
404 | User device not found. |
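An added Python example (not BlackBerry's code) that builds device command bodies and rejects the ones that violate a constraint stated in the command table before anything is sent, plus a small ledger that remembers every actionId used to block a device so that each one gets its own unblock call. The names build_command and BlockLedger are hypothetical; treating actionId and installAction as required, and reading "must be 6 digits" as exactly six digits, are assumptions.

```python
import base64
import re
import uuid

ATTESTATION_TYPES = {"SAFETYNET", "HARDWARE_KEY", "APP_INTEGRITY"}
INSTALL_ACTIONS = {
    "OS_UPDATE_INSTALL_ACTION_DOWNLOAD_ONLY",
    "OS_UPDATE_INSTALL_ACTION_DOWNLOAD_AND_INSTALL",
    "OS_UPDATE_INSTALL_ACTION_INSTALL_DOWNLOADED",
}
NO_PROPERTIES = {
    "DELETE_WORK_SPACE_DATA", "DISABLE_LOST_MODE", "DISABLE_WORK_SPACE",
    "ENABLE_WORK_SPACE", "GET_DEVICE_LOGS", "REMOVE_DEVICE", "REQUEST_DEVICE_INFO",
    "RESET_WORK_SPACE_PASSWORD", "UNLOCK_DEVICE", "WIPE_APPLICATIONS",
}
LOST_MODE_LIMITS = {"phoneNumber": 30, "message": 150, "footnote": 30}


def build_command(command_type, **props):
    """Return the request body as a dict; raise ValueError on a table violation."""
    if command_type in NO_PROPERTIES:
        if props:
            raise ValueError(command_type + " takes no properties")
    elif command_type == "ATTEST_DEVICE":
        if props and props.get("type") not in ATTESTATION_TYPES:
            raise ValueError("unknown attestation type")
    elif command_type == "ENABLE_LOST_MODE":
        if not (props.get("phoneNumber") or props.get("message")):
            raise ValueError("phoneNumber or message should be specified")
        for name, limit in LOST_MODE_LIMITS.items():
            if len(props.get(name, "")) > limit:
                raise ValueError("%s is longer than %d characters" % (name, limit))
    elif command_type == "DELETE_DEVICE_DATA":
        # Assumption: "must be 6 digits" means exactly six ASCII digits.
        if "password" in props and not re.fullmatch(r"[0-9]{6}", props["password"]):
            raise ValueError("password must be 6 digits")
    elif command_type == "LOCK_WORK_SPACE":
        if not props.get("password"):
            raise ValueError("password is required")
    elif command_type == "UPDATE_DEVICE_OS":
        # Assumption: installAction is required because the table does not mark it optional.
        if props.get("installAction") not in INSTALL_ACTIONS:
            raise ValueError("unknown installAction")
    elif command_type in ("BLOCK_APPLICATIONS", "UNBLOCK_APPLICATIONS"):
        if not props.get("actionId"):
            raise ValueError("actionId is needed to correlate block and unblock")
    elif command_type != "LOCK_DEVICE":
        raise ValueError("command type not in the table: " + command_type)
    if "password" in props:
        # Password properties are sent as Base64-encoded strings.
        props["password"] = base64.b64encode(
            props["password"].encode("utf-8")).decode("ascii")
    return {"type": command_type, "properties": props} if props else {"type": command_type}


class BlockLedger:
    """Track open actionIds per user device; each needs a separate unblock call."""

    def __init__(self):
        self._open = {}

    def block(self, user_device_guid, title=None, body=None):
        action_id = str(uuid.uuid4())
        props = {"actionId": action_id}
        if title:
            props["title"] = title
        if body:
            props["body"] = body
        self._open.setdefault(user_device_guid, []).append(action_id)
        return build_command("BLOCK_APPLICATIONS", **props)

    def unblock_all(self, user_device_guid):
        ids = self._open.pop(user_device_guid, [])
        return [build_command("UNBLOCK_APPLICATIONS", actionId=i) for i in ids]
```

Base64 is an encoding, not encryption, so request bodies that carry a password property should be kept out of client-side logs.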
GET /{tenantGuid}/api/v1/users/{userGuid}/userDevices/{userDeviceGuid}/commands/{commandGuid}
- Available Since:
- 12.12.0
Request the status of a command that has been sent to a user device.
For more information about sending commands to devices, refer to the send user device command documentation.
Sample request
Get the status of a command using the GUID of the user, the device, and the device command.
GET /SRP00000/api/v1/users/f9ff5a4c-3932-4814-9b92-1e3fca8a7304/userDevices/8ef1516c-beb8-4acd-b164-9405780e470b/commands/adecc3cc-7748-445d-baba-f61414a2a6ce
Sample response body
{
"status": "READY",
"modified": "2019-05-15T10:03:45.863-0400",
"guid": "adecc3cc-7748-445d-baba-f61414a2a6ce"
}
Request Parameters
Name | Location | Description
commandGuid | path | GUID of the user device command for which status is being requested
userDeviceGuid | path | GUID of the user device to send a command to
userGuid | path | GUID of the user
Response Codes
Code | Condition | Data type
202 | Command accepted for processing. |
400 | Invalid request. For example, command not supported or invalid field semantics. |
404 | User not found. |
404 | User device not found. |
404 | User device command not found. |
GET /{tenantGuid}/api/v1/users/{userGuid}/userDevices/{userDeviceGuid}/profiles
- Available Since:
- 12.9.0
Get effective profiles for a user device. The effective profiles are the profiles that will actually get delivered to the
user device. A profile that is assigned to a user directly, via a user group, or via a device group may not actually get
delivered to the user device, for example due to OS and version compatibility.
Sample response body
{
"profiles" : [ {
"guid" : "3d55abd2-c00e-4f5f-abcf-01c92ac777b1",
"name" : "Strict IT Policy",
"categoryName" : "IT_CONFIG",
"default": false
}, {
"guid" : "6106fce8-83f5-44b3-8288-e8e4e0966561",
"name" : "Sales Email Profile",
"categoryName" : "EMAIL",
"default": false
} ]
}
Request Parameters
Name | Location | Description
userDeviceGuid | path | GUID of the user device to get effective profiles for
userGuid | path | GUID of the user
Response Codes
Code | Condition | Data type
200 | OK. |
404 | User not found. |
404 | User device not found. |
Response Body
Media type | Data type | Description
application/vnd.blackberry.profiles-v1+json | Profiles (JSON) |