Apple Business Manager (ABM) and Apple School Manager (ASM) have evolved significantly in recent years, but one critical piece has been missing: programmatic access. That changed with the introduction of the ABM/ASM API, opening new possibilities for automation, integration, and workflow enhancement.
At PSU Mac Admins, Kandji's Weldon Dodd and Arek Dreyer walked through this new capability, demonstrating how it works and discussing its implications for administrators who manage Mac computers. Let’s dive into the details.
What’s New in Apple Business Manager and Apple School Manager
Before exploring the API itself, it’s worth highlighting the significant improvements Apple has made to the ABM/ASM web portal. These changes provide valuable context for what’s now accessible programmatically.
Key additions include:
- Activation Lock management: View activation lock status and remove locks directly from ABM/ASM.
- Device storage information: Available capacity and specifications are visible in the device view.
- Cellular information: IMEI and EID details for cellular-enabled devices.
- Release history: Information about who released devices from your organization.
- Network identifiers: MAC addresses for iPads and iPhones, and Bluetooth addresses for iPads.
- AppleCare coverage information: Coming soon to ABM/ASM.
These enhancements make many previously inaccessible features available through the web portal and provide a foundation for programmatic access via the new API.
Why the API Matters: Automation and Integration Opportunities
The ABM/ASM API transforms these web portal capabilities into programmatically accessible functions, creating numerous opportunities for automation and integration.
Some key use cases include:
- Automatic MDM assignment: Automatically assign new devices to the correct MDM server when they appear in ABM/ASM.
- ServiceNow integration: Add functionality to ServiceNow to remove activation locks without needing direct ABM/ASM access.
- Asset management integration: Synchronize device information, including forthcoming AppleCare data, into asset management systems.
- Network access control: Use device identifiers like MAC addresses to automate network access provisioning.
- eSIM provisioning: Streamline cellular activation using IMEI and EID data.
The AppleCare information integration is particularly significant for organizations outside the U.S. where access to GSX (Apple’s Global Service Exchange) is often limited. Moving AppleCare data into ABM broadens accessibility for companies seeking warranty and support details.
Current Limitations: What the API Can’t Do (Yet)
While the API unlocks exciting new capabilities, it also has notable limitations administrators should understand:
- No granular permissions: API tokens currently have full access to all endpoints, without permission controls.
- Can’t release devices: Device release is still only available via the web interface or through MDM server integration.
- No migration deadlines: When reassigning devices between MDM servers, migration deadlines can’t be set using the API.
- No MDM token updates: The API doesn’t yet allow automatic renewal of MDM server tokens.
The inability to programmatically release devices is a particularly noticeable gap, as this functionality would streamline workflows for many administrators managing device lifecycles.
How to Use the API: OAuth2 Authentication Flow
The ABM/ASM API uses OAuth2 for authentication, following a secure multi-step process. Here’s the workflow for setting up access:
1. Create an API account in ABM/ASM:
   - Navigate to your profile in ABM/ASM and select Preferences > API.
   - Click the plus button to create a new API account.
   - This generates a private key (downloaded as a PEM file), client ID, and key ID.
2. Using the private key, client ID, and key ID, create a signed client assertion.
   - The assertion is valid for 180 days and serves as your long-term credential.
3. Use the client assertion to request a short-lived access token.
   - The token is valid for one hour (3,600 seconds).
4. Use the access token as a bearer token in your API requests.
   - When the token expires, request a new one using your client assertion.
The process, while detailed, ensures secure programmatic access. This flow can be implemented in Python using libraries like <code>requests</code>, <code>authlib</code>, and <code>pycryptodome</code>. However, any language with support for elliptic curve cryptography can be used to create client assertions and interact with the API.
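The token lifecycle from the steps above, as an added Python example (not code from the talk or from Apple): it keeps the one-hour access token in memory, renews it from the client assertion shortly before expiry, and refuses to run once the 180-day assertion has lapsed. The `post_form` transport (the caller supplies the real token endpoint), the 60-second refresh margin, and the placeholder IDs are assumptions; the form fields are the standard RFC 7523 client-assertion parameters, and the sample assertion is a constructed, unsigned stand-in.

```python
import base64
import json
import time

ASSERTION_LIFETIME = 180 * 24 * 3600   # client assertion validity stated above
REFRESH_SKEW = 60                      # assumption: renew a minute before expiry

def assertion_expiry(assertion):
    """Read `exp` from the JWT payload (no signature check; we created it)."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def token_request_form(assertion):
    """RFC 7523 client-assertion fields for a client_credentials request."""
    return {
        "grant_type": "client_credentials",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    }

class TokenCache:
    """Holds the access token in memory only; never written to disk or logs."""
    def __init__(self, assertion, post_form, clock=time.time):
        self.assertion, self.post_form, self.clock = assertion, post_form, clock
        self._token, self._expires_at = None, 0.0

    def assertion_days_left(self):
        # Alert on this value so the assertion is re-signed before it lapses.
        return (assertion_expiry(self.assertion) - self.clock()) / 86400

    def bearer_header(self):
        now = self.clock()
        if assertion_expiry(self.assertion) <= now:
            raise RuntimeError("client assertion expired; sign a new one")
        if self._token is None or now >= self._expires_at - REFRESH_SKEW:
            reply = self.post_form(token_request_form(self.assertion))
            self._token = reply["access_token"]
            self._expires_at = now + int(reply.get("expires_in", 3600))
        return {"Authorization": "Bearer " + self._token}

def constructed_assertion(issued_at):
    """Constructed, unsigned stand-in for a real ES256 client assertion."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"sub": "EXAMPLE-CLIENT-ID", "iat": issued_at,
              "exp": issued_at + ASSERTION_LIFETIME}
    return ".".join([b64({"alg": "ES256", "kid": "EXAMPLE-KEY-ID"}),
                     b64(claims), "c2lnbmF0dXJl"])
```

Because API tokens currently carry full access to every endpoint, the access token and the assertion deserve the same handling as the private key: in memory or a secrets store, never in logs.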
Available Endpoints and Practical Applications
The API currently provides eight endpoints, enabling the following operations:
- Get all devices in your organization.
- Get details for a specific device.
- List all device management services configured in ABM/ASM.
- Get serial numbers of devices assigned to a specific device management service.
- Get the device management service for a specific device.
- Assign a device to a device management service.
These endpoints enable workflows like filtering active versus released devices, organizing devices by MDM assignment, retrieving detailed device information for asset management, and automating device assignments based on criteria.
For testing and debugging, administrators can use tools like Postman to experiment with the endpoints before integrating them into production workflows.
Looking Forward: The Future of Apple Device Management
The ABM/ASM API marks a significant milestone in Apple’s evolving approach to device management. While the current version has limitations, it lays the groundwork for more comprehensive programmatic control in the future.
Administrators are already considering innovative ways to leverage this new capability, from building custom integrations to automating complex workflows. For organizations seeking efficiency, streamlined tasks, and enhanced integration, the API is a welcome addition—offering practical use cases even in its initial form.
Over time, Apple’s commitment to expanding API functionality should enable deeper control and new possibilities for managing Mac and iOS devices at scale.
Whether you’re in education, enterprise, or specialized environments, the ABM/ASM API is a valuable tool for taking device management to the next level.