Generating an access token for the API
Access tokens are used to authenticate to a team via the mambo EMM API. Access tokens are team-specific, and cannot be used against other teams.
To generate an access token:
- In the mambo EMM console, go to Developers > Access tokens
- Click Add token
- In the Access token modal, fill in the relevant details and set appropriate access to the token
- Click Add
- A new token will be added to the Access token list, and the token can be copied for use with the API
Permissions that you can configure
Team
Controls access to team-level information and team security settings.
| Option | Description |
|---|---|
| Can view team information | User can see basic team details such as team name, ID and status. No changes allowed. |
| Can view and manage general team information | User can update basic team data like team name, slug, and preferences. |
| Can view, manage and change team security | User can manage security settings including 2FA enforcement, Android Enterprise binding and authentication methods. |
Roles
Controls access to the Roles section itself.
| Option | Description |
|---|---|
| No access | User cannot view or access the Roles section. |
| Can view roles information | User can see existing roles but cannot edit or add them. |
| Can view and manage roles | User can create and edit roles but cannot delete them. |
| Can view, manage and delete roles | User has full control over role creation, editing, and deletion. |
⚠️ Only give full control to senior administrators.
Members
Controls access to team members and SSO configurations.
| Option | Description |
|---|---|
| No access | User cannot see or manage team members. |
| Can view team members and SSO Configurations | User can view member list and SSO details but cannot edit anything. |
| Can view and manage team members and SSO Configurations | User can add members, edit details, and configure SSO, but cannot remove users. |
| Can view, manage and remove team members and SSO Configurations | Full control over team members including removal and SSO changes. |
Reports
Controls access to reporting and exports.
| Option | Description |
|---|---|
| No access | User cannot view or generate any reports. |
| Can view reports | User can only view available reports. |
| Can view and generate reports | User can generate new reports and view them. |
| Can view, generate and delete reports | Full reporting access including deletion of reports. |
Policies, Enrolment Tokens and Devices
Controls access to view the main device and policy areas.
| Option | Description |
|---|---|
| No access | User cannot see devices, enrolment tokens or policies. |
| Can view policies, enrolment tokens and devices | User can see devices, policies, and enrolment tokens but cannot modify them. |
Groups
Controls access to device groups.
| Option | Description |
|---|---|
| Can view groups | User can only view group information. |
| Can view and manage groups | User can edit groups and change their settings. |
| Can view, manage and delete groups | User can fully manage and remove groups. |
Policies
Controls access to device policies.
| Option | Description |
|---|---|
| Can view policies | User can only view policies. |
| Can view and manage policies | User can edit and assign policies. |
| Can view, manage and delete policies | User can fully control policies including deletion. |
Enrolment Tokens
Controls device enrolment methods.
| Option | Description |
|---|---|
| Can view enrolment tokens | User can view tokens and QR codes but cannot create new ones. |
| Can view and manage enrolment tokens and zero-touch | User can create and edit tokens including Zero-Touch. |
| Can view, manage and delete enrolment tokens | Full control of enrolment tokens including deletion. |
Device Commands
Controls which remote commands a user can issue to devices:
| Command | Description |
|---|---|
| Can lock devices | Lock a device instantly. |
| Can reset passwords | Force reset of device password. |
| Can reboot devices | Restart device remotely. |
| Can wipe/delete devices | Fully wipe the device (factory reset). |
| Can remote control devices | Remotely view and control the device. |
| Clear app data | Clear data for selected applications. |
| Can broadcast messages to devices | Send mass messages to devices. |
| Can manage eSIMs | Configure or remove eSIM profiles. |
| Can run ADB commands remotely | Run advanced Android shell commands (high risk). |
⚠️ You must also enable "View Devices" for these commands to work.
Device Possession
Controls device ownership/possession state.
| Option | Description |
|---|---|
| No access | User cannot view possession status. |
| Can view a device's possession state | User can see current possession state of devices. |
| Can view and change device's possession state | User can modify device ownership or possession details. |
Webhooks
Controls notification/integration endpoints.
| Option | Description |
|---|---|
| No access | User has no access to webhooks. |
| Can view webhooks | User can only see configured webhooks. |
| Can view and manage webhooks | User can add/edit webhooks. |
| Can view, manage and delete webhooks | User has full webhook control including deletion. |
Access Tokens
Controls API and integration access tokens.
| Option | Description |
|---|---|
| No access | User cannot see or use access tokens. |
| Can view access tokens | User can view existing tokens but not create any. |
| Can view and create access tokens | User can create new tokens but cannot delete them. |
| Can view, create and delete access tokens | Full control over API tokens including deletion. |
Billing
Controls subscription and plan details.
| Option | Description |
|---|---|
| No access | User cannot see any billing information. |
| Can view and update plan and billing information | User can see, change plans, and update payment info. |
Only give to finance or team owners.
Warning: Access tokens grant potentially unlimited access to your mambo EMM Team. We offer granular per-token access rights to help limit the scope of any one token to a particular use case, and strongly recommend taking the time to review and set permissions as desired.
For testing purposes, a fully-scoped token may be used, and new tokens later swapped in with fewer permissions. However you choose to go about managing your tokens, you must keep them safe. We recommend a password manager or similar for storing secrets, preferably with auditable access/use logs.
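One way to review a planned token scope against the notes in the permission tables above before clicking Add. This is an added example, not mambo EMM code: the dictionary layout, area keys, tier names and command names are constructed for this sketch and are not the product's API or an export format.

```python
# Added review sketch: the layout, area keys and command names are constructed
# for this example; they are not mambo EMM's API or an export format.
TIERS = ["none", "view", "manage", "full"]  # ordered, lowest to highest

# Lowest tier per area that the tables above single out, with the reason.
RESTRICTED = {
    "team": ("full", "can change team security (2FA, authentication methods)"),
    "roles": ("full", "full control of roles: senior administrators only"),
    "access_tokens": ("manage", "can create new access tokens"),
    "billing": ("view", "billing: finance or team owners only"),
}
COMMAND_NOTES = {
    "adb": "remote ADB shell commands, marked high risk",
    "wipe": "factory reset of the device",
}

def review_scope(scope):
    """Return findings for one planned token scope (empty list = nothing flagged)."""
    tiers = scope.get("tiers", {})
    commands = set(scope.get("commands", []))

    def rank(area):
        # An unknown tier name raises ValueError, so typos fail loudly.
        return TIERS.index(tiers.get(area, "none"))

    findings = []
    for area, (threshold, note) in RESTRICTED.items():
        if rank(area) >= TIERS.index(threshold):
            findings.append(f"{area}: {note}")
    for cmd in sorted(commands & set(COMMAND_NOTES)):
        findings.append(f"command {cmd}: {COMMAND_NOTES[cmd]}")
    if commands and rank("devices_view") < TIERS.index("view"):
        findings.append("device commands without View Devices will not work")
    return findings

# Constructed scopes for two planned tokens.
REPORTING = {"tiers": {"team": "view", "reports": "manage"}, "commands": []}
HELPDESK = {
    "tiers": {"team": "view", "roles": "full", "access_tokens": "manage"},
    "commands": ["lock", "reset_password", "adb"],
}

if __name__ == "__main__":
    for name, scope in (("reporting", REPORTING), ("helpdesk", HELPDESK)):
        print(name, review_scope(scope) or "nothing flagged")
```

The constructed helpdesk scope is flagged four times, including the device commands that cannot work because View Devices was left off.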