Python scripts for Apple Business Manager (ABM) and Apple School Manager (ASM) APIs.
These scripts use Apple’s official Device Management APIs to automate device inventory, AppleCare lookup, MDM assignment, and more.
📌 Change the scope variable in Apple_AxM_OAuth.py to switch between the Apple Business Manager and Apple School Manager APIs.
This script follows Apple's "Implementing OAuth for the Apple School and Business Manager API" guide to generate the client assertion and access token.
You can refer to the official Apple documentation for further details on the OAuth implementation.
⚠️ Important:
These scripts were reviewed and optimized using AI assistance.
Before deploying in production, make sure to test all scripts thoroughly in a safe environment.
This repository contains a collection of Python scripts that automate interactions with Apple School Manager (ASM) and Apple Business Manager (ABM) APIs.
These tools are designed so even non‑technical users can run them easily from macOS Terminal.
- Creates secure JWT client assertions
- Fetches API access tokens from Apple
- Caches token securely (encrypted with Fernet)
- Reuses the token until it expires
- Automatically refreshes the token if expired or invalid
- Fetches devices registered in Apple School/Business Manager
- Handles pagination and API limits
- Exports results into CSV format
- Reads serial numbers from `serialnumbers.txt`
- Fetches device details one by one
- Handles:
  - Missing devices (404)
  - Unauthorized responses (401)
  - Rate limits (429 Too Many Requests)
- Generates CSV output
- Reads device list from `serialnumbers.txt`
- Gets each device’s current assigned MDM server using the `assignedServer` endpoint
- Exports results to CSV
- Reads serial numbers from `serialnumbers.txt`
- Queries AppleCare / warranty coverage details per device
- Supports multiple coverage types:
  - Limited Warranty
  - AppleCare+
  - AppleCare for Business Essentials
- Outputs a clean CSV
- Lists all MDM servers (Device Management Services) in ASM/ABM
- Includes metadata like:
  - `serverName`
  - `serverType`
  - created / updated timestamps
- Outputs to CSV
- Uses `orgDeviceActivities`:
  - `ASSIGN_DEVICES`
  - `UNASSIGN_DEVICES`
- Reads devices from `serialnumbers.txt`
- Configuration done via variables at the top of the script:
  - `MODE = "ASSIGN"` or `"UNASSIGN"`
  - `MDM_SERVER_ID = "..."` (your MDM server)
- Automatically:
  - Creates the activity
  - Waits 30 seconds
  - Checks status via `GET /orgDeviceActivities/{id}`
  - Downloads the result CSV if available
To run these scripts, you need to generate the following credentials from the Apple Business or School Manager portal:
- PEM File: An EC private key (`.pem` file) used for JWT signing.
- Client ID & Team ID: Provided in the ABM/ASM portal (often the same for your account).
- Key ID: A unique identifier for the key used in the ABM/ASM portal.
- API Scope: Either `business.api` or `school.api`, depending on whether you use ABM or ASM.
- Python: Version 3.7 or higher (3.10+ recommended).
For detailed instructions on how to generate these credentials, refer to:
Install required Python packages:
```bash
pip install requests authlib pycryptodome cryptography python-dotenv
```
If you are using `pip3` on macOS:
```bash
pip3 install requests authlib pycryptodome cryptography python-dotenv
```
Create a file named AxM_Variables.env in the same directory as the scripts.
Example content:
```
APPLE_CLIENT_ID=BUSINESSAPI.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
APPLE_KEY_ID=YOUR_KEY_ID
APPLE_SCOPE=business.api # or school.api
PRIVATE_KEY_FILE=private-key.pem
# Fernet encryption key used to encrypt the cached access token
FERNET_KEY=YOUR_FERNET_KEY_HERE
```
Run this command in Terminal to generate a valid Fernet key:
```bash
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
```
Copy the output and paste it into FERNET_KEY in AxM_Variables.env.
Place your EC private key file in the repository folder, for example:
AppleBusinessANDSchoolManagerAPI/
AxM_OAuth.py
AxM_AssignUnassign_MdmServers.py
AxM_GetAppleCareCoverage_FromList.py
...
AxM_Variables.env
private-key.pem
serialnumbers.txt
The PRIVATE_KEY_FILE value in AxM_Variables.env must match this filename.
| File | Description |
|---|---|
| `AxM_OAuth.py` | Core OAuth helper: generates client assertion, calls Apple OAuth endpoint, encrypts and caches access tokens |
| `AxM_OrgDevices_To_CSV.py` | Downloads all organization devices to a CSV |
| `AxM_GetDeviceInfo_FromList.py` | Fetches detailed information for each serial number in `serialnumbers.txt` |
| `AxM_GetAppleCareCoverage_FromList.py` | Gets AppleCare coverage information for devices listed in `serialnumbers.txt` |
| `AxM_MdmServers_To_CSV.py` | Lists all MDM servers (Device Management Services) and exports to CSV |
| `AxM_GetAssignedServer_FromList.py` | Fetches the assigned MDM server for each device in `serialnumbers.txt` |
| `AxM_MdmServerDevices_To_CSV.py` | Given an MDM server ID, exports all linked device IDs |
| `AxM_AssignUnassign_MdmServers.py` | Assigns or unassigns devices (from `serialnumbers.txt`) to/from a specific MDM server and downloads the activity log CSV |
| `serialnumbers.txt` | Input file: one serial number (or orgDevice ID) per line |
| `AxM_Variables.env` | Environment configuration: OAuth parameters, scope, and Fernet key |
- Install Python & dependencies.
- Create `AxM_Variables.env` with your Apple credentials and Fernet key.
- Place your EC private key as `private-key.pem`.
- Create `serialnumbers.txt` where needed:
  ```
  C02ABC123XYZ
  C02DEF456UVW
  C02GHI789JKL
  ```
You do not need to run anything manually to create tokens.
Each script imports AxM_OAuth.py, which:
- Generates a client assertion JWT
- Requests an OAuth access token
- Encrypts and caches it
- Reuses it within its validity period
- Handles 401 (Unauthorized) by regenerating once
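
The encrypted cache behaviour listed above, as an added sketch that is not the repository's `AxM_OAuth.py`. The function names, the JSON record layout, the 60-second expiry margin and the `fetch` callback (standing in for the OAuth token request) are assumptions made for illustration.

```python
import json
import os
import time
from cryptography.fernet import Fernet, InvalidToken

EXPIRY_MARGIN = 60  # assumed safety margin (seconds) before the real expiry


def save_token(path, fernet, access_token, expires_in, now=None):
    """Encrypt the token plus its absolute expiry; create the file owner-only."""
    now = time.time() if now is None else now
    record = {"access_token": access_token, "expires_at": now + expires_in}
    blob = fernet.encrypt(json.dumps(record).encode())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)


def load_token(path, fernet, now=None):
    """Return the cached token, or None if missing, undecryptable or expiring."""
    now = time.time() if now is None else now
    try:
        with open(path, "rb") as fh:
            record = json.loads(fernet.decrypt(fh.read()))
    except (FileNotFoundError, InvalidToken, ValueError):
        return None  # wrong FERNET_KEY, tampered file or corrupt JSON: cache miss
    if record.get("expires_at", 0) - EXPIRY_MARGIN <= now:
        return None
    return record.get("access_token")


def get_token(path, fernet, fetch, now=None):
    """Reuse the cached token; call fetch() -> (token, expires_in) on a miss."""
    token = load_token(path, fernet, now)
    if token is None:
        token, expires_in = fetch()
        save_token(path, fernet, token, expires_in, now)
    return token


if __name__ == "__main__":
    import tempfile
    cache = os.path.join(tempfile.mkdtemp(), "token.cache")
    key = Fernet(Fernet.generate_key())  # in the scripts this is FERNET_KEY
    fetch = lambda: ("constructed-token", 3600)  # stands in for the OAuth call
    get_token(cache, key, fetch)
    print("cache hit:", load_token(cache, key) is not None)
```

Treating a decryption failure as a cache miss means a rotated `FERNET_KEY` or a modified cache file leads to a fresh token request rather than a crash or the use of untrusted data.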
All commands are run from the repository directory, e.g.:
cd /path/to/AppleBusinessANDSchoolManagerAPI
- Populate `serialnumbers.txt` with serials.
- Run:
  ```bash
  python3 AxM_GetAppleCareCoverage_FromList.py
  ```

Output:
- `appleCareCoverage_details.csv`
- Summary of devices with/without coverage in the console.

```bash
python3 AxM_GetAssignedServer_FromList.py
```
Output:
- `assignedServer_details.csv`

```bash
python3 AxM_MdmServers_To_CSV.py
```
Output:
- `appleMdmServers.csv`
Edit the top of AxM_AssignUnassign_MdmServers.py:
```python
MODE = "ASSIGN"  # or "UNASSIGN"
MDM_SERVER_ID = "YOUR_MDM_SERVER_ID"
```
Ensure serialnumbers.txt contains the devices to assign/unassign.
Then run:
```bash
python3 AxM_AssignUnassign_MdmServers.py
```
The script will:
- Create an `orgDeviceActivity` in Apple.
- Wait 30 seconds.
- Check the activity status via API.
- If a `downloadUrl` is available and the activity is COMPLETED, automatically download the CSV log (e.g. `ABM-ActivityLog_...csv`).
The scripts are designed to fail loudly but clearly:
- 401 Unauthorized
  - Token cache invalidated and regenerated once.
  - If still 401: asks you to verify credentials in `AxM_Variables.env`.
- 429 Too Many Requests
  - Uses `Retry-After` header when available.
  - Otherwise waits 60 seconds and retries once.
- 404 Not Found
  - For device queries: device not in AxM.
  - For activities: invalid activity ID.
- Other Errors
  - Full HTTP status and response body printed for debugging (excluding tokens or keys).
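
The 401 and 429 rules above as one retry wrapper, added here as an illustration and not taken from the repository's scripts. `call_with_retry`, `retry_after_seconds`, the injected `send`, `get_token` and `invalidate_cache` callables and the 300-second cap are assumptions; the transport is injected so the policy can be exercised offline.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DEFAULT_WAIT = 60  # seconds, the fallback the README describes
MAX_WAIT = 300     # assumed cap so an oversized header cannot stall a run


def retry_after_seconds(value, now=None):
    """Parse Retry-After as delta-seconds or an HTTP-date; fall back to 60 s."""
    if value is None:
        return DEFAULT_WAIT
    value = value.strip()
    if value.isdecimal():
        return min(int(value), MAX_WAIT)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return DEFAULT_WAIT  # unparseable header: use the default wait
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return min(max(0, int((when - now).total_seconds())), MAX_WAIT)


def call_with_retry(send, get_token, invalidate_cache, sleep=time.sleep):
    """send(token) -> (status, headers, body); retry 401 and 429 once each."""
    token = get_token()
    retried_401 = retried_429 = False
    while True:
        status, headers, body = send(token)
        if status == 401 and not retried_401:
            retried_401 = True
            invalidate_cache()   # drop the cached token
            token = get_token()  # forces a fresh OAuth exchange
            continue
        if status == 429 and not retried_429:
            retried_429 = True
            sleep(retry_after_seconds(headers.get("Retry-After")))
            continue
        return status, headers, body  # caller reports errors, never the token
```

A second 401 or 429 is returned to the caller unchanged, which matches the "once" limit in the list above and keeps a bad credential from turning into a request loop.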
- Access tokens are never printed to the console.
- Token cache is encrypted using Fernet with your `FERNET_KEY`.
- Private keys and environment files should never be committed to a public repository.
- Treat `AxM_Variables.env` and `private-key.pem` as secrets.
- Implementing OAuth for the Apple School and Business Manager API
- Apple Support – Apple School Manager
- Apple Support – Apple Business Manager
- My old scripts
These scripts are meant to save time and reduce manual work in Apple device management workflows, but you are responsible for:
- Verifying CSV outputs
- Testing in a non‑production environment first
- Reviewing logs for any failed devices or errors
If you expand the repository with new scripts (e.g., updating device metadata, filtering by MDM, etc.),
you can follow the same structure and reuse AxM_OAuth.py for authentication.