Applying Tags to Devices in Workspace One UEM via Powershell

Navigation

Introduction

Applying tags to devices in Workspace One UEM is a useful way to group devices, assign profiles, or enforce policies efficiently. While Workspace One UEM provides an interface for managing tags, there are scenarios where automating this process is beneficial.

In this post, I’ll guide you through using a PowerShell script ApplyTag.ps1 which automatically applies a tag to all devices within a specific Smart Group. This smartgroup can be tied to profiles, applications, or products to ensure these are assigned to devices.

Why Use ApplyTag.ps1??

Manually applying tags to devices in Workspace One can be time-consuming, especially if you manage a large number of devices. Automating this process provides:

Consistency – Ensures all devices in a Smart Group receive the necessary tags.
Efficiency – Reduces the need for manual intervention, saving time and effort.
Scalability – Easily applies tags to thousands of devices without administrator intervention.
Automation – Can be scheduled to run at specific intervals, ensuring tags are applied as devices are added to the Smart Group.

💡While this script was created with automation in mind, it can also be run manually.

How the Script Works

The script is designed to:

Authenticate with Workspace ONE UEM using UEMAuth.ps1
Retrieve a list of devices assigned to a specific Smart Group.
Iterate through the devices and apply a tag based on the Tag ID specified.

What You’ll Need

Before running the script, ensure:

PowerShell Execution Policy allows script execution (Set-ExecutionPolicy Bypass -Scope Process if needed).
The UEMAuth.ps1 script is present in the same directory as this script. See Automating Workspace ONE UEM API Authentication with PowerShell for more information
💡If using any of my scripts in automation, ensure you’ve run UEMAuth.ps1 manually once to generate a credentials file before setting any scheduled tasks up
You have created an OAuth Client for your Workspace One UEM tenant – see my post on OAuth Client Creation in WS1 UEM for a how-to
The Tag ID for the product you wish to Force Reprocess – see Obtaining a Tag ID
The SmartGroup ID which includes the devices you want to tag
If you want to run this script on a regular basis automatically, see my post on Automating Powershell Scripts via Task Scheduler for additional requirements and how to set this up

Script Breakdown

Setting Required Variables

At the beginning of the script, you must specify the Smart Group ID and the Tag ID that will be applied to the devices:

$SmartGroup = "enter smartgroup number here"
$TagID = "enter product number here"

Smart Group ID – The identifier for the group of devices to which the tag should be applied.
Tag ID – The unique identifier for the tag that will be assigned to the devices.

Ensure you replace these placeholder values with the actual IDs from your Workspace One UEM environment.

Authenticating with Workspace One UEM

The script imports UEMAuth.ps1, designed to handle authentication and set global API variables. If these variables are missing, the script exits with an error.

$AuthScript = "UEMAuth.ps1"
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$AuthScriptPath = Join-Path -Path $ScriptDir -ChildPath $AuthScript

if (!(Test-Path $AuthScriptPath)) {
    Write-Host "Error: $AuthScript not found in script directory. Please ensure it is present." -ForegroundColor Red
    exit 1
}

. $AuthScriptPath  # Dot-source the authentication script

Retrieving Devices in the Smart Group

Using the Smart Group ID, the script queries the Workspace ONE UEM API to get a list of device IDs associated with the group:

$Response = Invoke-RestMethod -Method Get -ContentType "$global:Content" -Headers $global:UEMHeaders[$version] \
    -Uri "https://$global:ws1url/api/mdm/smartgroups/$SmartGroup/devices" -DisableKeepAlive
$DeviceIDs = $Response.SmartGroupDevices.Devices.Device.Id

If no devices are found, the script exits gracefully.

Applying the Tag to Each Device

The script iterates through the list of device IDs obtained and applies the specified tag:

ForEach ($DeviceID in $DeviceIDs) {
    Write-Host "Applying $TagID to Device ID $DeviceID" -ForegroundColor Cyan

$Body = @"
<?xml version="1.0"?>
<BulkInput xmlns="http://www.air-watch.com/servicemodel/resources">
  <BulkValues>
    <Value>$DeviceID</Value>
  </BulkValues>
</BulkInput>
"@

    try {
        Invoke-RestMethod -Method Post -ContentType "$global:Content" -Headers $global:UEMHeaders[$version] `
            -Uri "https://$global:ws1url/api/mdm/tags/$TagID/adddevices" -Body $Body
    } catch {
        $ErrorMessage = $_.Exception.Message
        Write-Host "Failed to add tag to device ID $DeviceID - $ErrorMessage" -ForegroundColor Red
    }
}

Conclusion

Automating tag application in Workspace One using PowerShell and Task Scheduler is a powerful way to streamline device management. By following the steps outlined in this guide, you can ensure that devices in a Smart Group are automatically tagged at regular intervals, reducing manual workload and ensuring policy compliance.

This approach provides a scalable, efficient, and reliable solution for maintaining an organised Workspace One UEM environment.