Category: Mobile Devices

AirWatch REST API Script : change Self-Service Portal role for users

Here’s several scripts that may be very helpful for anyone that needs to change the self-service portal role for their users in AirWatch. AirWatch is becoming more robust and mature with every new release, but they still have a long way to go towards overall usability for administrators.


 

#******************************************
### AirWatch API Connection
###
### Template from https://support.air-watch.com/posts/94020718-REST-API-Authentication-in-PowerShell
###
### 2015-11-15 Brian Deyo www.briandeyo.us
#*******************************************

write-output ” __ ___ __ ”
write-output ” /\ | |__) | | /\ | / “ |__| ”
write-output ” /~~\ | | \ |/\| /~~\ | \__, | | ”
write-output ” ”

###############################
###
### BEGIN CONFIGURATION SECTION
###
###############################

###Insert AirWatch API Key here
###Consider it best practice to create an API Key for every account that needs API access. Easier to manage access that way.
###
$APIKEY = “blahblahblahAPIKey”

###Insert AirWatch Application Server URL
###The Server is the “Application Server” component of the AirWatch environment.
###
$AWHost = “xxyyy.awmdm.com/API/v1”

###Pop up to get username and password, and then encodes U & P to string
###
$Credential = Get-Credential
$EncodedUsernamePassword = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($(‘{0}:{1}’ -f $Credential.UserName,$Credential.GetNetworkCredential().Password)))

###Define Headers to send with each API access
###Switch Basic to Directory if using AD integrated account
###
$Headers = @{‘Authorization’ = “Basic $($EncodedUsernamePassword)”;’aw-tenant-code’ = “$APIKey”;’Content-type’ = ‘application/json’}

###Define output folder for Rest Logs when the out-file cmdlet is used
###
$RestLogPath = “\\fileshare\log\location”

###############################
###
### END CONFIGURATION SECTION
###
###############################

#***********************************
# List devices for a specific user
#***********************************
#
#write-output “Type User’s email address”
#$UserEmail = Read-Host
#Invoke-RestMethod -Method Get -Uri https://$AWHost/mdm/devices/search?user=$UserEmail -Headers $Headers

#***********************************
# Set Enrollment User’s SSP Access
#***********************************
#
# Define the JSON in the $body variable. Then the Invoke-RestMethod converts to JSON on the fly
#
#$Role = “SSP ROLE NAME”
#$user = “userID”
#$body = @{
# Role = $Role
# }
#Invoke-RestMethod -Method Post -Uri https://$AWHost/system/users/$user/update -Body (ConvertTo-Json $body) -Headers $Headers

#***********************************
# Get Enrollment User Details
#***********************************
#$user = Read-Host
#$Filename = “UserDetails.txt”
#Invoke-RestMethod -Method Get -Uri https://$AWHost/system/users/$user -Headers $Headers | Out-File -Append $RestLogPath$Filename

#***********************************
# Change a single Users SSP Role
#***********************************

#$User = Read-Host
#$NewRole = “SSP ROLE NAME”
#$body = @{
# Role = $NewRole
# }
#Invoke-RestMethod -Method Post -Uri https://$AWHost/system/users/$User/update -Body (ConvertTo-Json $body) -Headers $Headers

#*************************************************************
# Search for All Users that have specific role and change it
#*************************************************************
#$CurrentRole = “SSP ROLE NAME”
#$Filename = “SSP ROLE NAME.txt”
#$UserList = Invoke-RestMethod -Method Get -Uri https://$AWHost/system/users/search?role=$CurrentRole -Headers $Headers
#$list = $UserList.Users.Id
###Save output of every UserID getting changed
#$list.value | Out-File $RestLogPath$Filename
#
### Loop to change all the roles from the dumped list
#
#$NewRole = “SSP ROLE NAME”
#foreach ($User in $list)
#{
# $UserToUpdate = $User.value
#
# $body = @
# {
# Role = $NewRole
# }
# Invoke-RestMethod -Method Post -Uri https://$AWHost/system/users/$UserToUpdate/update -Body (ConvertTo-Json $body) -Headers $Headers
#}

#************************************
# List Number of Users in Each Role
#************************************
#$RolesToCheck = @(“Basic Access”,”External Access”,”Full Access”)
#Foreach ($Role in $RolesToCheck)
#{
# $Filename = “$Role – TOTALS.txt”
# $UserList = Invoke-RestMethod -Method Get -Uri https://$AWHost/system/users/search?role=$Role -Headers $Headers
# $list = $UserList.Users.Id
# ###Save output of every UserID getting changed
# $UserList | Tee-Object $RestLogPath$Filename
#}

 

Time to finally pen-test on my androids

I install custom recoveries very infrequently and I rarely remember all the commands necessary for it. The link here really helped remind me how simple it is. How to flash a custom recovery (like CWM or TWRP) on Android.

I’ve been in need of a junker device that I can use to test out sniffing and hijacking with. I now have two test devices.

  • 1 x Galaxy S4 with TWRP and CM 12. With Zanti.
  • 1 x HTC rezound with CWM and CM 10 (unofficial). Thanks recycling box at work.

The HTC rezound required that I go through a token generation process at HTCDEV.com (heed the SSL error. Non-trusted issuer). This isn’t something I’ve done before, but wasn’t that difficult. The only obnoxious part is having to give them an email address. Thanks 10minutemail.

 

Hooray for enough devices to do pen-testing. Now I can learn sweet stuff *AND* remain ethical all at the same time!

“Workplace Join discovery failed” error with exit code 0x80072EE7

<conundrum>

Source: “Workplace Join discovery failed” error with exit code 0x80072EE7

When I was trying to enroll an older Surface RT to my AirWatch MDM, I kept tapping the “Join” button to watch as nothing happened.

Looking through the logs for Workplace Join, I see that the device is pointing to enterpriseregistration.domain.com and not the enterpriseenrollment.domain.com that the AirWatch auto-discovery service specifies for use.

</conundrum>