OAuth 2.0 is an industry-standard authorization framework that allows applications to securely access resources on behalf of a user or service without exposing credentials.
Workspace ONE UEM supports OAuth 2.0, and creating a client can be extremely useful. It enables integrations and automations by allowing external systems, applications or scripts to authenticate and interact with the Workspace ONE UEM APIs in a secure, controlled manner. Here are some examples of what you could use a Workspace ONE UEM OAuth client for:
When you create an OAuth client in Workspace ONE UEM, you receive client credentials that can be used to request an access token from a token server in your UEM tenant’s data centre region. These tokens have a limited lifespan of one hour, providing temporary, scoped access to UEM resources. This enhances security by ensuring access is restricted to authorised operations.
Each OAuth 2.0 client in Workspace ONE UEM must be assigned an admin role. While predefined roles are available, I strongly recommend creating a custom role for each OAuth client, granting only the minimum permissions necessary for its specific task. This principle of least privilege reduces the risk of unauthorised access.
For even greater security, create separate OAuth clients for each integration or use case. This approach minimises security risks and simplifies remediation – if a client is ever compromised, you only need to deactivate and replace that specific client without impacting other integrations.
How-To
Create a Custom Admin Role
In this example I create a custom role which I intend to use with an OAuth client created for PowerShell scripting. Note that while I assign the role full API access, some APIs also require additional permissions under other categories in order to be used successfully.
These additional permissions are usually under the Device Management category. Unfortunately the API explorer tool built into Workspace ONE UEM does not specify which permissions each individual API requires, so this can sometimes involve a bit of trial and error depending on what you are trying to achieve.
Custom admin roles can also be used for managing role-based access control (RBAC) to the Workspace ONE UEM console. This ties in well with Directory integration, which I’ll cover off in a separate post.
Navigate to:
Accounts > Administrators > Admin Roles
Click Add Role
Give the role a Name and Description
Click the Circle next to the API category and select Edit from the popup list that appears
Click Save
Now that you’ve created a custom role, continue on below to create an OAuth Client.
Create an OAuth Client
This brief video shows the basic steps to create an OAuth Client, and assign it the custom role created earlier.
Navigate to:
Groups & Settings > Configurations
Start typing the word OAuth into the Enter a name or category field
Click on the OAuth Client Management link
Click Add
Give the client a Name and Description
Set the Organisation Group. 💡 Usually you would set this as the parent / top level organisation group
Set the role as the custom role you created earlier
Once you’ve recorded the Client ID & Client Secret, click Close. ⚠️ The Client Secret is only displayed once. When you exit the screen there is no way to go back to see it at a later stage, so make sure you’ve recorded it in a secure place such as a password manager!
You’ve now successfully created an OAuth Client!
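As an added example (not part of the original post), here is how a PowerShell script can use the Client ID and Client Secret recorded above to request a one-hour access token with the client_credentials grant and then call the UEM API with it. The token server URL, the API hostname, the /API/system/info path and the environment variable names are assumptions or placeholders to adjust for your tenant.

```powershell
# Added example (not from the original post): obtain an OAuth 2.0 access token
# for Workspace ONE UEM via the client_credentials grant and call the API.
# Assumptions: the token endpoint and API host are placeholders for your
# tenant's data centre region and hostname; the client secret is read from an
# environment variable so it is never hard-coded in the script.

$TokenUrl = 'https://<region>.uemauth.vmwservices.com/connect/token'  # placeholder: your region's token server
$ApiHost  = 'https://<your-uem-host>'                                  # placeholder: your UEM API hostname
$ClientId     = $env:UEM_CLIENT_ID
$ClientSecret = $env:UEM_CLIENT_SECRET   # keep this in a password manager / secret store

# Script-scoped cache so repeated calls reuse the token until shortly before it expires
$script:Token       = $null
$script:TokenExpiry = [datetime]::MinValue

function Get-UemAccessToken {
    # Reuse the cached token while it still has at least 5 minutes of life left
    if ($script:Token -and (Get-Date) -lt $script:TokenExpiry.AddMinutes(-5)) {
        return $script:Token
    }
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
    $resp = Invoke-RestMethod -Method Post -Uri $TokenUrl -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
    # expires_in is in seconds (3600 for the one-hour tokens described above)
    $script:Token       = $resp.access_token
    $script:TokenExpiry = (Get-Date).AddSeconds([int]$resp.expires_in)
    return $script:Token
}

function Invoke-UemApi {
    param(
        [Parameter(Mandatory)][string]$Path,   # REST path under the API host
        [string]$Method = 'Get',
        [int]$ApiVersion = 1
    )
    $headers = @{
        Authorization = "Bearer $(Get-UemAccessToken)"
        Accept        = "application/json;version=$ApiVersion"
    }
    return Invoke-RestMethod -Method $Method -Uri ($ApiHost + $Path) -Headers $headers
}

# Assumed read-only endpoint: a low-risk first call to confirm the client and role work
Invoke-UemApi -Path '/API/system/info' | Format-List
```

If the call returns 403, the custom role is missing a permission the endpoint needs (usually under Device Management, as noted above), whereas a 401 points at the token request or client credentials themselves.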
Conclusion
Setting up an OAuth 2.0 client in Workspace ONE UEM is an important step for enabling secure, controlled integrations and automation. By following best practices — such as using custom admin roles with the principle of least privilege and creating separate OAuth clients for each use case — you can enhance security while ensuring seamless interactions with the UEM API.
While the process sometimes involves trial and error when determining API permissions, the benefits far outweigh the effort. OAuth clients empower automation, improve efficiency, and open up new possibilities for integrating Workspace ONE UEM with other enterprise tools.
Whether you’re leveraging OAuth for PowerShell scripts, Omnissa Intelligence workflows, or third-party integrations like Samsung Knox E-FOTA and ServiceNow, implementing it this way ensures a more secure and scalable UEM environment.