Automation of creating and validating tokens when working with the AxM API, based on the script provided by Bart Reardon
To find out more about this project check out the post "Automating Token Generation for Apple School Managers New API" on my blog CantScript.com
- A script that only deals with creating the Client Assertion
- Saves the Client Assertion to a text file, along with a date/time stamp 180 days later
- A second script that only handles the creation of the Access Token
- Saves the Access Token to a text file, along with a timestamp 60 mins later
- Should an Access Token not exist, the second script will create an Access Token, providing the Client Assertion is still valid based on its date/time stamp
- Should there be an Access Token but it's not valid based on its timestamp, the second script will create a new valid Access Token, again providing the Client Assertion is still valid based on its date/time
- Enables two lines of code in the actual API script that create/check/renew the Access Token and save the value into a variable for use in that script
This is all contained in a folder structure, so as long as you add the scripts that interact with the API in the root of this folder, you only need to add the values you need from AxM to the Create Client Assertion and Create Access Token scripts once, and no other variables are needed to make the automation work.
First things first, if you haven't already, go and read Bart's blog so that you know how to configure ASM. From ASM you'll need:
- The Private Key File, which will end in .pem
- Client ID
- Key ID
Step 1
- Download the AxM_API folder from the GitHub repo.
It doesn't matter where this folder lives on the device as long as you know where you keep it, as this is going to become the working folder for all of your ASM API scripts.
Step 2
Take your Private Key File and move it into the AxM-API/AxMCert folder
Step 3
- Open AxM-API/AutomationScript/create_client_assertion.sh in a text/code editor
- Enter the name of your Private Key File (so for example myPrivateKey.pem, not the location of the file) into the private_key_file variable
- Enter your Client ID into the client_id variable
- Enter your Key ID into the key_id variable
- Save and close
Step 4
- Open AxM-API/AutomationScript/create_access_token.sh in a text/code editor
- Enter your Client ID into the client_id variable
- Comment out either scope="school.api" or scope="business.api" depending on if you are interacting with ASM or ABM
- Save and close
Step 5
- Run AxM-API/AutomationScript/create_client_assertion.sh
Any script that you want to use that interacts with the AxM API needs to be saved to the root of the AxM_API folder.
I've given a simple example script within the AxM_API folder.
Your scripts just need the following two lines at the top
./AutomationScripts/create_access_token.sh
accessToken=$(awk -F': ' '/^AccessToken:/ {print $2}' ./Tokens/access_token_format.txt)
Then you will use the accessToken variable as the bearer token in a call. Below is a simple example.
curl "https://api-school.apple.com/v1/mdmServers" -H "Authorization: Bearer ${accessToken}"
Notice that as part of the setup we didn't run create_access_token.sh? That's because on the first run of any script, the automation will see that there isn't an Access Token and will generate it on the fly for you.
The next part is up to you! How you interact with AxM and the automations and workflow you create is actually the hard part and the part that gets the job done.
If you haven't already seen them, here are the Apple Documents for the ASM Endpoints or ABM Endpoints
Although the scripts take care of keeping the Access Token valid, I didn't actually build in any "self renewal" of the Client Assertion. If this becomes invalid due to being over 180 days old, everything will just exit and error out.
So if you need to renew this, run AxM-API/AutomationScript/create_client_assertion.sh again.
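
An added example, not part of this project's scripts: a pre-flight check that warns before the Client Assertion reaches its 180-day expiry instead of letting every API script exit with an error. The "Expires:" line holding epoch seconds, the function names and the 14-day default window are assumptions; the project's actual file layout is not shown here.

```shell
#!/bin/bash
# Added example, not part of the AxM_API project.
# ASSUMPTION: the Client Assertion file contains a line
#   "Expires: <unix epoch seconds>"
# The project's real file name and timestamp format are not shown on the page.

# Print seconds until the assertion expires (negative once expired).
# $1 = assertion file, $2 = "now" in epoch seconds (defaults to the clock)
assertion_seconds_left() {
    local file="$1" now="${2:-$(date +%s)}" expires
    # A missing or unreadable file is reported, never treated as "valid".
    expires=$(awk -F': ' '/^Expires:/ {print $2; exit}' "$file" 2>/dev/null) || return 3
    case "$expires" in
        ''|*[!0-9]*) return 3 ;;   # absent or malformed value: refuse to guess
    esac
    echo $(( expires - now ))
}

# Return 0 = valid, 1 = valid but inside the warning window,
#        2 = expired, 3 = file missing or unreadable.
# $1 = assertion file, $2 = warning window in days, $3 = optional "now"
check_assertion() {
    local left window=$(( ${2:-14} * 86400 ))
    left=$(assertion_seconds_left "$1" "$3") || return 3
    if [ "$left" -le 0 ]; then
        echo "Client Assertion expired; re-run create_client_assertion.sh" >&2
        return 2
    elif [ "$left" -lt "$window" ]; then
        echo "Client Assertion expires in $(( left / 86400 )) day(s)" >&2
        return 1
    fi
    return 0
}
```

Calling check_assertion from a scheduled job and alerting on any non-zero status gives notice while the existing assertion still works.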
"You took the time to self renew the Access Token
so why not the Client Assertion". Great Question! I just didn't, at least not today. Maybe next time I have a few minutes and I don't have a project I'm not working on