Generate an API key in the Workspace ONE UEM console under Settings > System > Advanced > API > REST API; note the tenant URL and API key
Authenticate by including the Base64-encoded credentials in the Authorization header and the API key in the aw-tenant-code header for all requests
Send GET https://{tenant}/api/mdm/devices?searchby=Serialnumber&id={serial_number} to retrieve device details including the Compliance field
Inspect the Compliance field in the response: values include Compliant, NonCompliant, Pending, and NotAvailable
For non-compliant devices, retrieve the list of failing compliance rules by calling GET https://{tenant}/api/mdm/devices/{deviceId}/compliancepolicies
Trigger a compliance re-evaluation by POST to the device's compliance endpoint; the device will re-assess and report back on next check-in
Known gotchas
The API key (aw-tenant-code) is a static credential scoped to the tenant; rotate it periodically and restrict it to IP allowlists to minimize exposure
Compliance state is last-known, not live; if a device has not checked in within the configured sample interval, the API returns stale compliance data — check the LastSeen timestamp before acting on the result
The Workspace ONE UEM REST API version and endpoint paths can vary between cloud (SaaS) and on-premises deployments; consult your tenant's API documentation page at https://{tenant}/api/help for authoritative endpoint lists
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp