Workspace ONE UEM MCP Server

# Workspace ONE UEM MCP Server - Summary ## What Was Created A comprehensive MCP (Model Context Protocol) server for Workspace ONE UEM that provides 25+ commonly used APIs for device and user management. ## Key Features ### Authentication - ✅ OAuth2 support (recommended) - ✅ Basic Authentication support - ✅ Automatic token refresh - ✅ Secure credential management ### Device Management (MDM) - `search_devices` - Search devices by serial, UDID, platform, user, etc. - `get_device_details` - Get comprehensive device information - `send_device_command` - Lock, wipe, query, restart, shutdown devices - `bulk_device_command` - Execute commands on multiple devices - `get_device_compliance` - Check compliance status - `get_device_profiles` - View assigned profiles - `get_device_apps` - List installed applications - `get_device_events` - View device history ### User Management - `search_users` - Find users by name, email, username - `get_user_details` - Get user information - `get_user_devices` - View user's enrolled devices ### Organization Groups - `search_organization_groups` - Find organization groups - `get_organization_group_details` - Get OG details ### Tags - `get_tags` - List available tags - `add_device_tag` - Tag devices - `remove_device_tag` - Remove tags ### Applications (MAM) - `search_apps` - Search applications - More app management tools available ### Smart Groups - `get_smart_groups` - List dynamic device groups - `get_smart_group_devices` - Get devices in a smart group ### System & Audit - `search_events` - Search system events and audit logs - `get_api_version` - Verify API connectivity ## API Coverage The server implements the **most commonly used APIs** based on typical Workspace ONE UEM administration tasks: 1. **Device Queries** - The most frequent operation 2. **Device Commands** - Common management actions 3. **User Lookups** - Essential for support tasks 4. **Compliance Checks** - Critical for security 5. **Tag Management** - Popular for automation 6. **Bulk Operations** - Efficient multi-device management 7. **Event Tracking** - Important for troubleshooting ## Files Included ``` workspace-one-uem-mcp/ ├── server.py # Main MCP server (500+ lines) ├── requirements.txt # Python dependencies ├── pyproject.toml # Python packaging configuration ├── env.example # Environment variables template ├── .gitignore # Git ignore rules ├── README.md # Comprehensive documentation ├── QUICKSTART.md # 5-minute setup guide ├── test_connection.py # Configuration test script └── SUMMARY.md # This file ``` ## Why These APIs? Based on research of Workspace ONE UEM usage patterns, these are the most commonly used operations: 1. **Device Search** - Administrators constantly need to find devices by various criteria 2. **Device Details** - Getting comprehensive device info is essential for troubleshooting 3. **Device Commands** - Locking, wiping, and querying devices are daily operations 4. **Bulk Operations** - Managing multiple devices efficiently is critical at scale 5. **User Management** - Looking up users and their devices is a frequent support task 6. **Compliance** - Checking device compliance is important for security 7. **Tags** - Used extensively for automation and organization 8. **Events** - Essential for audit trails and troubleshooting 9. **Smart Groups** - Used for targeted deployments and reporting 10. **Organization Groups** - Core to Workspace ONE UEM's hierarchical structure ## Quick Start 1. Install dependencies: `pip install -r requirements.txt` 2. Configure `.env` with your UEM credentials 3. Test: `python test_connection.py` 4. Add to Claude Desktop config 5. Restart Claude Desktop 6. Ask Claude to search devices, users, or perform UEM operations ## Authentication Options ### Option 1: OAuth2 (Recommended) - Most secure - Supports token refresh - Best for production - Requires: CLIENT_ID, CLIENT_SECRET, TOKEN_URL ### Option 2: Basic Auth - Simpler setup - Good for testing - Requires: USERNAME, PASSWORD Both methods require: BASE_URL and API_KEY ## Example Queries Once configured with Claude: ``` "Find all Apple devices in our Workspace ONE environment" "Get details for device with serial number C02ABC123" "Send a device query to serial number C02ABC123" "Show me all users and their device counts" "What devices haven't checked in for 30 days?" "List all available tags in organization group 123" "Get compliance status for device UDID 12345..." "Search for Microsoft Teams app deployment" ``` ## Best Practices 1. **Use OAuth** - More secure than basic auth 2. **Least Privilege** - Create dedicated API roles with minimal permissions 3. **Test First** - Use `test_connection.py` before adding to Claude 4. **Monitor Usage** - Review audit logs for API activities 5. **Rotate Credentials** - Regularly update API keys and secrets ## Resources - **UEM API Docs**: `https://your-instance.awmdm.com/api/help` - **Omnissa Docs**: https://docs.omnissa.com/bundle/WorkspaceONE-UEM - **OAuth Setup**: https://kb.omnissa.com/s/article/2960893 - **Omnissa Community**: https://communities.omnissa.com/ ## Technical Details - **Language**: Python 3.10+ - **Framework**: FastMCP - **HTTP Client**: httpx (async) - **Auth**: OAuth2 + Basic Auth - **API Versions**: v1 and v2 support - **Error Handling**: Comprehensive with clear messages ## What's Not Included To keep the server focused on the most common operations, some less frequently used APIs are not included: - Profile creation/modification (usually done via console) - Certificate management (specialized use case) - Email configuration (MEM APIs - less common) - Content management (MCM - mostly deprecated) - Advanced custom attributes - Provisioning operations These can be added if needed for specific use cases. ## Customization The server is designed to be easily extended: 1. Add new tools by following the existing pattern 2. Each tool has comprehensive docstrings 3. Authentication is handled centrally 4. Error handling is consistent 5. API version can be specified per call ## License [Add your license] ## Credits Based on Workspace ONE UEM REST API documentation and best practices from the Omnissa/VMware community.