
Create an API account in Apple Business
Overview
With the Apple Business API, you can edit the devices’ management assignments and view device information. You can also use a device’s endpoint to give apps the ability to create custom reports or to export device data. The API supports OAuth 2. With OAuth 2, apps authenticate with a set of credentials in exchange for an access token to make authenticated requests to the API.
Before you can use these APIs, you need to create an API account in Apple Business. Only users with the role of Organisation Administrator can create an API account.
Note: You can have up to 50 API accounts.
Data access
When the API account is properly configured, that account can allow an app to access the following information:
| Category | Description |
|---|---|
| Devices | Get a list of devices in an organisation that enrol using Automated Device Enrolment. |
| Devices | Get information about a device in an organisation, such as the device model order number and part number. |
| Device management services | Get a list of device management services in an organisation. |
| Device management services | Get a list of device serial numbers assigned to a device management service. |
| Device management services | Get the assigned device management service ID information for a device. |
| Device management services | Get the assigned device management service information for a device. |
| Device management services | Get information for an organisation device activity that a device management action creates, such as assign or unassign. |
| Device management services | Assign or unassign devices to a device management service. |
| User management services | Get a list of users in an organisation. |
| User management services | Get information about a specific user in an organisation. |
| User group management services | Get a list of user groups in an organisation. |
| User group management services | Get information about a specific user group in an organisation. |
| User group management services | Get a list of users assigned to a user group in an organisation. |
| Blueprints | Get a list of Blueprints in an organisation. |
| Blueprints | Create a Blueprint in an organisation. |
| Blueprints | Get information about a Blueprint in an organisation. |
| Blueprints | Update a Blueprint in an organisation. |
| Blueprints | Delete a Blueprint in an organisation. |
| Blueprints | Get or modify the members of a given type within a Blueprint in an organisation. |
| Configurations | Get the list of Configurations in an organisation. |
| Configurations | Get the details of a Configuration in an organisation. |
| Configurations | Create a Configuration in an organisation (of type CUSTOM_SETTING). |
| Configurations | Update a Configuration in an organisation (of type CUSTOM_SETTING). |
| Configurations | Delete a Configuration in an organisation. |
| Packages | Get packages in an organisation. |
| Apps | Get the licensed apps in an organisation. |
| Audit events | Retrieve a list of audit events for an organisation, filtered by various criteria. An audit event represents an activity within the organisation, for example adding or removing a device. |
What permissions do I need for accessing the API endpoints?
Users with an API account need the following permissions to access the API endpoints:
| Resource | Resource URL | Permission |
|---|---|---|
| auditEvents | /v1/auditEvents | CAN_ACCESS_AUDIT_EVENTS |
| Users | /v1/users | implicit permission (CAN_LOGIN_IN_EE_PORTAL) |
| Users | /v1/users/<IDENTIFIER> | implicit permission (CAN_LOGIN_IN_EE_PORTAL) |
| userGroups | /v1/usergroups | implicit permission (CAN_LOGIN_IN_EE_PORTAL) |
| userGroups | /v1/usergroups/<IDENTIFIER> | implicit permission (CAN_LOGIN_IN_EE_PORTAL) |
| userGroups | /v1/usergroups/<IDENTIFIER>/relationships/users | implicit permission (CAN_LOGIN_IN_EE_PORTAL) |
| blueprints | /v1/blueprints | CAN_VIEW_COLLECTIONS/CAN_MANAGE_COLLECTIONS |
| blueprints | /v1/blueprints/<IDENTIFIER> | CAN_VIEW_COLLECTIONS/CAN_MANAGE_COLLECTIONS |
| blueprints | /v1/blueprints/<IDENTIFIER>/relationships/<resource> | CAN_VIEW_COLLECTIONS/CAN_MANAGE_COLLECTIONS |
| apps | /v1/apps, /v1/apps/<IDENTIFIER> | CAN_VIEW_COLLECTIONS/CAN_MANAGE_COLLECTIONS |
| packages | /v1/packages, /v1/packages/<IDENTIFIER> | CAN_VIEW_COLLECTIONS/CAN_MANAGE_COLLECTIONS |
| configurations | /v1/configurations, /v1/configurations/<IDENTIFIER> | CAN_VIEW_CONFIGURATIONS/CAN_MANAGE_CONFIGURATIONS |
| mdmDevices | /v1/mdmDevices, /v1/mdmDevices/<IDENTIFIER>/details | CAN_MANAGE_DEVICES |
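A least-privilege check built on the permissions table above, as an added example that is not Apple's code: it maps each call an integration makes to the permission the table lists and reports what the API account's role is missing or grants in surplus. Assumptions: on rows that list VIEW/MANAGE, reads need the VIEW permission and writes need the MANAGE permission; permissions are treated as independent of one another; the function names, sample calls, identifiers and role are constructed for illustration.

```python
import re

LOGIN = ("CAN_LOGIN_IN_EE_PORTAL",)  # the table lists this as an implicit permission
COLLECTIONS = ("CAN_VIEW_COLLECTIONS", "CAN_MANAGE_COLLECTIONS")
CONFIGS = ("CAN_VIEW_CONFIGURATIONS", "CAN_MANAGE_CONFIGURATIONS")
DEVICES = ("CAN_MANAGE_DEVICES",)

# Resource URL templates and permissions, transcribed from the table above.
TABLE = {
    "/v1/auditEvents": ("CAN_ACCESS_AUDIT_EVENTS",),
    "/v1/users": LOGIN, "/v1/users/<IDENTIFIER>": LOGIN,
    "/v1/usergroups": LOGIN, "/v1/usergroups/<IDENTIFIER>": LOGIN,
    "/v1/usergroups/<IDENTIFIER>/relationships/users": LOGIN,
    "/v1/blueprints": COLLECTIONS, "/v1/blueprints/<IDENTIFIER>": COLLECTIONS,
    "/v1/blueprints/<IDENTIFIER>/relationships/<resource>": COLLECTIONS,
    "/v1/apps": COLLECTIONS, "/v1/apps/<IDENTIFIER>": COLLECTIONS,
    "/v1/packages": COLLECTIONS, "/v1/packages/<IDENTIFIER>": COLLECTIONS,
    "/v1/configurations": CONFIGS, "/v1/configurations/<IDENTIFIER>": CONFIGS,
    "/v1/mdmDevices": DEVICES, "/v1/mdmDevices/<IDENTIFIER>/details": DEVICES,
}

def required_permission(path, write=False):
    """Return the permission one call needs, or None if the path is not in the table."""
    path = path.split("?", 1)[0].rstrip("/")  # ignore query string and trailing slash
    for template, perms in TABLE.items():
        # Turn <IDENTIFIER> / <resource> placeholders into single path segments.
        if re.fullmatch(re.sub(r"<[^>]+>", "[^/]+", template), path):
            # Assumption: reads need the first (VIEW) entry, writes the last (MANAGE).
            return perms[-1] if write else perms[0]
    return None

def review_role(granted, calls):
    """Compare a role's permissions with what the integration's calls require."""
    resolved = [(path, required_permission(path, write)) for path, write in calls]
    needed = {perm for _, perm in resolved if perm}
    return {"missing": sorted(needed - set(granted)),
            "surplus": sorted(set(granted) - needed),
            "unmapped": [path for path, perm in resolved if perm is None]}

# Constructed sample: a read-only reporting integration and an over-broad role.
# Each call is (path, is_write); the last path is deliberately not in the table.
CALLS = [("/v1/auditEvents", False), ("/v1/blueprints/bp-123", False),
         ("/v1/mdmDevices/ABC123/details", False), ("/v1/example-unlisted", False)]
ROLE = {"CAN_ACCESS_AUDIT_EVENTS", "CAN_MANAGE_COLLECTIONS",
        "CAN_MANAGE_CONFIGURATIONS", "CAN_MANAGE_DEVICES"}
REPORT = review_role(ROLE, CALLS)
```

For the sample, the report shows a role that holds manage permissions the read-only integration never uses, plus one call that the table does not cover and needs manual review.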
Generate a private key
To maintain a secure connection to Apple Business, you need to generate a private key. The key’s filename ends in .pem, and you generate it only once.
Create a new API account and download the private key
1. In Apple Business, sign in with a user who has the role of Organisation Administrator.
2. Select Add API Account, enter the name of the user and select their role, then select Next.
3. Choose one of the following:
   - Select Generate & Download to generate and download the key.
     The file automatically downloads to the file download location in your browser preferences or, if there isn’t a location, the system asks where to save the file.
   - Select Not Now to generate the private key later.
4. Select Manage to view the information you need to create the connection.
5. Review the Apple Developer documentation on how to create the connection.
Edit an existing API account migrated from Apple Business Manager or Apple Business Essentials
If your organisation migrated from Apple Business Manager or Apple Business Essentials to Apple Business and you had any existing API accounts, those accounts now have a default role. You can review and edit any API account information.
1. In Apple Business, sign in with a user who has the role of Organisation Administrator.
2. Select Edit next to an existing API account.
3. If necessary, do any of the following:
   - Change the account name.
   - Change the role.
     The custom role is Device API Manager. To edit the role’s permissions, see Intro to roles and permissions.
   - Copy the Client ID to your Clipboard.
   - Copy the Key ID to your Clipboard.
   - Revoke the private key.
4. Select Save.
5. Review the Apple Developer documentation on how to create the connection.