Uploading macOS apps using REST APIs and Admin Assistant

February 21, 2022

Welcome to day 21 of Let’s Git Commit(ted) to </Dev> Resources! If you missed day 20, we discussed how to use the Workspace ONE UEM REST APIs to upload a Windows 10 application. Today’s discussion covers how to accomplish publishing macOS apps using two options:

  1. Using the Workspace ONE UEM REST APIs
  2. Using the Workspace ONE Admin Assistant CLI

Prerequisites for publishing macOS Apps

When publishing macOS apps, you need three items:

  1. The application installer (.dmg, .pkg, .mpkg, .app)
  2. The application metadata (.plist)
  3. An optional application icon (.png, .jpg)

While you would have access to these files for applications you develop, what about applications you didn’t develop that you intend to publish? Never fear – the Workspace ONE Admin Assistant Tool is here!

What is the Workspace ONE Admin Assistant Tool?

The Workspace ONE Admin Assistant Tool is a macOS application that provides administrators with two features:

  1. A graphical interface that accepts application installer files (.dmg, .pkg, .mpkg, .app) and outputs the application installer file, application metadata file, and application icon file to a subdirectory under the Workspace ONE Admin Assistant directory. This allows administrators to retrieve all the necessary files to publish macOS applications from third-party developers.
  2. A Command Line Interface (CLI) that allows you to upload macOS applications, allowing you to script or automate the upload.

If you wish to upload a macOS application and you do not have access to the metadata file, you can use the Workspace ONE Admin Assistant Tool to extract it and continue publishing applications.

You can download the Workspace ONE Admin Assistant Tool using the instructions provided here.

Extracting macOS Application Metadata

Once you have installed the Workspace ONE Admin Assistant Tool, you can use either the drag-and-drop area or click to browse and supply the application installer to parse. See Figure 1.

Graphical user interface, application, PowerPoint</p>
<p>Description automatically generated

Figure 1: Workspace ONE Admin Assistant Tool installed and ready to receive a third-party macOS application installer file.

Once the application installer file is provided, the Workspace ONE Admin Assistant Tool parses the contents and outputs the application installer (.dmg), application metadata (.plist) and application icon (.png) to the Documents/Workspace ONE Admin Assistant/ApplicationName-XX.YY.ZZ/ (where XX, YY, and ZZ change depending on the app version) directory. See Figures 2 and 3 with EverNote version 10.28.3 as an example.

Graphical user interface, text, application</p>
<p>Description automatically generated

Figure 2: Workspace ONE Admin Assistant Tool finished parsing macOS application installer file

Graphical user interface, text, website</p>
<p>Description automatically generated

Figure 3: The parsed application installer file, application metadata file, and application image file

You now have the prerequisite files (application installer, metadata, and icon) that can be used to upload the application to Workspace ONE UEM with either the REST APIs or the Admin Assistant Tool.

How Should I Publish macOS Apps? The REST APIs or the Admin Assistant Tool?

Good question! Let’s examine the primary differences.

The Workspace ONE UEM REST APIs are platform independent; you just need access to the application installer, application metadata, and optionally the application icon. The REST APIs use web requests to send and receive data, so any programming or scripting language or API application (such as Postman or Paw) that supports this process can be used.

The Workspace ONE Admin Assistant Tool is a macOS application and CLI, so if your team has more experience automating or scripting with CLIs, this may be an easier approach.

We review both options today so you can see the differences and decide for your use case.

Option 1: Workspace ONE UEM REST APIs

You use two REST APIs to accomplish the tasks of uploading the application files and publishing the application. Reference the API documentation for the following REST APIs:

  1. MAM REST API V1 > API Reference > BlobsV1 > POST /blobs/uploadblob
  2. MAM REST API V1 > API Reference > MacOsAppsV1 > POST /groups/{id}/macos/apps

You complete the following steps:

  1. Extract the application metadata (.plist) and icon from the application installer file using the Workspace ONE Admin Assistant Tool.
  2. Upload the application installer file as a blob to Workspace ONE UEM.
  3. Upload the application metadata file as a blob to Workspace ONE UEM.
  4. (Optional) Upload the application icon file as a blob to Workspace ONE UEM.
  5. Publish the application by referencing the uploaded blob IDs of the application installer, metadata, and (if uploaded) icon files.

Requirements

  1. You need a Workspace ONE UEM administrator account and an API Key. If you are not familiar with the Workspace ONE UEM REST APIs, see the Getting Started with the Workspace ONE UEM REST APIs.
  2. The Workspace ONE Admin Assistant Tool is needed to extract the application metadata for a macOS application installer file.
  3. A macOS application installer file. I use Evernote for this example, and have already followed the steps outlined in Extracting macOS Application Metadata to extract the application metadata (.plist) and icon from the downloaded installer (.dmg).
  4. You need the organization group ID for the organization group where you intend to publish the macOS application. You can retrieve this value with one of the two following methods:
    1. In the Workspace ONE UEM administrator console, navigate to the organization group you wish to upload the application to. Then navigate to Groups & Settings > Groups > Organization Groups > Details. The URL of this page is in the following format: https://{host}/AirWatch/#/OrganizationGroup/Details/Index/###. The integer value at the end of the URL is your OrgGroupId.
    2. You can use the REST APIs to query the IDs of organization groups. The GET system/groups/search?name={orgGroupName} API returns a list of organization groups that contain the provided name value. The OrgGroupId for each result is listed in the Id object under the Value property.

Step 1: Upload the Application Installer Blob

Begin by using the uploadblob API mentioned in previous steps. Refer to the API documentation to see full details on using the uploadblob API and use the table below to format your API response.

Feel free to use Postman, Paw, or reference the UploadApp.ps1 sample to script the solution.

Request:

URL

POST /api/mam/blobs/uploadblob?filename=evernote-10.28.3.dmg&organizationgroupid={groupid}

Headers

Key

Value

Authorization

Base64 encoded string in the format:
{AdminUsername}:{AdminPassword}

aw-tenant-code

Your Workspace ONE UEM API Key

Accept

application/octet-stream

Content-Type

application/json

 

Body

If using Postman…

  1. Select the Body tab.
  2. Select the binary format.
  3. Click Select File, select the Evernote .dmg installer.

If using Paw…

  1. Select the Body tab.
  2. Select the File tab.
  3. Either drag and drop the Evernote.dmg installer or click Chose File and select the Evernote .dmg installer.

If using a script…

You need to format the application installer file bytes into a byte array, and submit this byte array as the body.

See UploadApp.ps1 for a PowerShell sample.

 

Response:

A successful request produces the following response:

Status Code

200 OK

Body

{

    "uuid": "1ea28e44-48c3-4a9f-8b93-e7ff6abf8d33",

    "Value": 100

}

The expected Status Code is 200 OK, and the body contains two values:

  • uuid: A String formatted blob UUID. If an API requires a Blob UUID, you need to save this value and provide it to the corresponding API.
  • Value: An integer value representing the Blob ID. If an API requires a blob ID, you need to save this value and provide it to the corresponding API.

The final API in the macOS application upload process is POST /mam/groups/{groupId}/macos/apps, which requires Blob IDs. Record the Blob ID (Value) received from the response.

Step 2: Upload the Application Metadata Blob

Use the same uploadblob API to upload the metadata (.plist) file that was extracted from the macOS application using the Workspace ONE Admin Assistant Tool.

Request:

URL

POST /api/mam/blobs/uploadblob?filename=evernote-10.28.3.plist&organizationgroupid={groupid}

Headers

Key

Value

Authorization

Base64 encoded string in the format:
{AdminUsername}:{AdminPassword}

aw-tenant-code

Your Workspace ONE UEM API Key

Accept

application/octet-stream

Content-Type

application/json

 

Body

If using Postman…

  1. Select the Body tab.
  2. Select the binary format.
  3. Click Select File, select the Evernote .plist file.

If using Paw…

  1. Select the Body tab.
  2. Select the File tab.
  3. Either drag and drop the Evernote .plist file, or click Chose File and select the Evernote .plist file.

If using a script…

You need to format the application metadata file bytes into a byte array, and submit this byte array as the body.

See UploadApp.ps1 for a PowerShell sample.

 

Response:

A successful request produces the following response:

Status Code

200 OK

Body

{

    "uuid": "8dcac61b-b02e-450c-98bd-dce97edd9b07",

    "Value": 101

}

You need to save the returned Blob ID (Value) from the response for the metadata file as well. Be sure to keep this Blob ID separate from your first blob and label them appropriately, as you need to provide each Blob ID for the final API.

Step 3: (Optional) Upload the Application Icon Blob

Use the same uploadblob API to upload the application icon file that was extracted from the macOS application using the Workspace ONE Admin Assistant Tool. This step is optional, but recommended because the icon helps differentiate the application to your end users in the app catalog.

Request:

URL

POST /api/mam/blobs/uploadblob?filename=evernote.png&organizationgroupid={groupid}

Headers

Key

Value

Authorization

Base64 encoded string in the format:
{AdminUsername}:{AdminPassword}

aw-tenant-code

Your Workspace ONE UEM API Key

Accept

application/octet-stream

Content-Type

application/json

 

Body

If using Postman…

  1. Select the Body tab.
  2. Select the binary format.
  3. Click Select File, select the Evernote .png icon file.

If using Paw…

  1. Select the Body tab.
  2. Select the File tab.
  3. Either drag and drop the Evernote .png icon file, or click Chose File and select the Evernote .png icon file.

If using a script…

You need to format the application icon file bytes into a byte array, and submit this byte array as the body.

See UploadApp.ps1 for a PowerShell sample.

 

Response:

A successful request produces the following response:

Status Code

200 OK

Body

{

    "uuid": "519a72f9-898a-4dd8-a4d6-74e652e802c1",

    "Value": 102

}

As with the other requests, you need to save the returned Blob ID (Value) from the response for the application icon file.

Step 4: Publish the macOS Application

You should now have three different Blob IDs from the uploadblob API requests that were just submitted:

  1. A Blob ID for the application installer (Evernote.dmg in this case). My Blob ID for the application installer was 100.
  2. A Blob ID for the application metadata (Evernote.plist in this case). My Blob ID for the application metadata was 101.
  3. A Blob ID for the application icon (Evernote.png). My Blob ID for the application icon was 102.

Your Blob IDs will differ from mine, but the important thing is to record which Blob ID was associate with which file.

Now you use the POST /mam/groups/{groupId}/macos/apps API to publish the Evernote macOS application. You need to substitute the {groupId} value in the URL with the organization group ID that you retrieved in previous steps.

Request:

URL

POST /api/mam/groups/{groupId}/macos/apps

Headers

Key

Value

Authorization

Base64 encoded string in the format:
{AdminUsername}:{AdminPassword}

aw-tenant-code

Your Workspace ONE UEM API Key

Accept

application/json

Content-Type

application/json

 

Body

{

  "pkgInfoBlobId": 101,

  "applicationBlobId": 100,

  "applicationIconId": 102,

  "version": "10.28.3"

}

Be sure to format your JSON post body correctly! You need to map the Blob IDs to the following properties:

  • pkgInfoBlobId: The metadata (.plist) file. Blob ID 101 for my example.
  • applicationBlobId: The application installer file. Blob ID 100 for my example.
  • applicationIconId: The icon file. Blob ID 102 for my example. If you did not upload an icon to use for an application, remove this property from the body.

Response:

A successful request produces the following response:

Status Code

201 Created

Body

<Empty>

If you receive a different status code, confirm that:

  1. You uploaded the appropriate file with the appropriate filename and extension in your uploadblob APIs.
  2. You provided the correct Blob ID to the correct property in the /macos/apps API.

Step 5: Confirm the App Was Published

The /macos/apps API publishes the application installer, metadata, and icon file to form an Internal app in Workspace ONE UEM. Once the API is finished, log in to the Workspace ONE UEM administration console, navigate to the Organization Group that matches the organization group ID you provided, and confirm the application exists under: Apps & Books > Applications > Native > Internal. See Figure 4.

Graphical user interface, text, application</p>
<p>Description automatically generated

Figure 4: The Evernote macOS application was successfully uploaded to the Apps & Books > Applications > Native > Internal tab.

Congratulations! Your macOS app is now published using the REST APIs and you can assign it to devices and users!

Option 2: Workspace ONE Admin Assistant CLI

The second option we discussed earlier to upload a macOS application is to use the Workspace ONE Admin Assistant CLI.  The CLI is installed alongside the application.  You can confirm that everything is setup by opening the Terminal app and running:

adminassistantcli -v

If you see output showing the version of the admin assistant (such as Version: 3.0.1), then you are ready to continue! If you do not see the above output, make sure that you installed the Workspace ONE Admin Assistant Tool as discussed at the beginning, and that your user account has sufficient privileges.

Step 1: Configure the Workspace ONE Admin Assistant CLI

Use the config subcommand to configure your Workspace ONE administrator credentials, API key, UEM API hostname, and the target organization group ID.

Don’t forget that you can see a list of flags to include by using:

adminassistantcli config --help

Provide the following flags to sign in:

adminassistantcli config --signin
-u <UEM admin username>
-p <UEM admin password>
-k <UEM API key>
-o <UEM API hostname>
-g <UEM Organization Group ID>

IMPORTANT: The Organization Group ID requested here is the Group ID string field, not the integer field as we have used previously. You can find this value in two ways:

  1. In the Workspace ONE UEM administrator console, navigate to the organization group you wish to upload the application to. Then navigate to Groups & Settings > Groups > Organization Groups > Details. The Group ID field under the name field is the string-based Organization Group ID you need.
  2. You can use the REST APIs to query the IDs of organization groups. The GET system/groups/search?name={orgGroupName} API returns a list of organization groups that contain the provided name value. The Organization Group ID for each result is listed in the GroupId string property.

You can now setup your adminassistantcli config command. Refer the following as an example:

adminassistantcli config --signin -u apidemo -p apipassword -k abcd1234 -o cn135.awmdm.com -g gitcommited

If the provided credentials are correct, you receive a confirmation output stating you have been successfully signed in.

Step 2: Upload an App with the Workspace ONE Admin Assistant CLI

With the adminassistantcli configured, you can now use the upload subcommand and provide the necessary file paths to the application installer, metadata, and icon files – just as we did with the REST APIs.

Don’t forget that you can see a list of flags for the upload command using:

adminassistantcli upload --help

Since we configured the adminassistantcli with a group id already using the -g flag and we have an app icon file, we use the following flags with the upload command:

adminassistantcli upload
--installer-path <path to the app installer>
--metadata-path <path to the metadata file>
--icon-path <path to the icon file>

Since I need to provide file paths, I change directory (cd) into the Workspace ONE Admin Assistant folder where the Evernote files were extracted to. My commands are as follows:

cd Documents/Workspace\ ONE\ Admin\ Assistant/Evernote-10.28.3
adminassistantcli upload --installer-path Evernote-10.28.3.dmg --metadata-path Evernote-10.28.3.plist --icon-path Evernote.png

If everything is configured and formatted properly, you see the following success messages:

> cd Documents/Workspace\ ONE\ Admin\ Assistant/Evernote-10.28.3
> adminassistantcli upload --installer-path Evernote-10.28.3.dmg --metadata-path Evernote-10.28.3.plist --icon-path Evernote.png

installer file successfully uploaded.
metadata file successfully uploaded.
icon file successfully uploaded.
Application has been uploaded to the console successfully.
The Application ID is: ####

Step 3. Confirm the App Was Published

Once the adminassistantcli upload has completed, you can confirm the upload was successful by logging in to the Workspace ONE UEM administration console and navigating to the Organization Group that matches the organization group ID you provided. Then, confirm the application exists under: Apps & Books > Applications > Native > Internal.

Conclusion and Next Steps

We provided two methods for uploading macOS applications:

  1. Using the REST APIs to upload the application installer, metadata file, and icon file as blobs, then to publish the macOS application by referencing the returned Blob IDs.
  2. Using the Workspace ONE Admin Assistant CLI to configure API access, and then using the upload subcommand to publish the application installer, metadata file, and icon file.

For next steps, check out the following ideas:

  1. Use the API documentation and check out the MAM REST API V1 /apps/internal/{applicationId}/assignments API to check out how you can create (POST), modify (PUT), or delete (DELETE) assignments so that your intended users and groups get access to the newly installed internal application.
  2. Use the API documentation and check out the System V1.

If you enjoyed this API overview and want to see more examples or a deeper dive – let us know!

Agenda

Make sure to check out the other blog posts in our 28-day series:

 

Associated Content

From the action bar MORE button.

Filter Tags

Workspace ONE Horizon Workspace ONE Access Workspace ONE Intelligence Workspace ONE UEM Blog Technical Overview Intermediate Windows 10 Optimize