managedDevice resource type
Namespace: microsoft.graph
Important: Microsoft Graph APIs under the /beta version are subject to change; production use is not supported.
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Devices that are managed or pre-enrolled through Intune
Methods
| Method | Return Type | Description |
|---|---|---|
| Get managedDevice | managedDevice | Read properties and relationships of the managedDevice object. |
| Update managedDevice | managedDevice | Update the properties of a managedDevice object. |
| executeAction action | bulkManagedDeviceActionResult | Not yet documented |
| enableLostMode action | None | Enable lost mode |
| playLostModeSound action | None | Play lost mode sound |
| setDeviceName action | None | Set device name of the device. |
| activateDeviceEsim action | None | Activate eSIM on the device. |
| rotateFileVaultKey action | None | Not yet documented |
| getFileVaultKey function | String | Not yet documented |
| createDeviceLogCollectionRequest action | deviceLogCollectionResponse | Not yet documented |
| retire action | None | Retire a device |
| wipe action | None | Wipe a device |
| resetPasscode action | None | Reset passcode |
| remoteLock action | None | Remote lock |
| requestRemoteAssistance action | None | Request remote assistance |
| disableLostMode action | None | Disable lost mode |
| locateDevice action | None | Locate a device |
| bypassActivationLock action | None | Bypass activation lock |
| rebootNow action | None | Reboot device |
| shutDown action | None | Shut down device |
| recoverPasscode action | None | Recover passcode |
| cleanWindowsDevice action | None | Clean Windows device |
| logoutSharedAppleDeviceActiveUser action | None | Logout shared Apple device active user |
| deleteUserFromSharedAppleDevice action | None | Delete user from shared Apple device |
| syncDevice action | None | Not yet documented |
| windowsDefenderScan action | None | Not yet documented |
| windowsDefenderUpdateSignatures action | None | Not yet documented |
| updateWindowsDeviceAccount action | None | Not yet documented |
| revokeAppleVppLicenses action | None | Revoke all Apple Vpp licenses for a device |
| rotateBitLockerKeys action | None | Rotate BitLockerKeys |
| sendCustomNotificationToCompanyPortal action | None | Not yet documented |
| triggerConfigurationManagerAction action | None | Trigger action on ConfigurationManager client |
| enrollNowAction action | None | Trigger comanagement enrollment action on ConfigurationManager client |
| deprovision action | None | Not yet documented |
| disable action | None | Not yet documented |
| reenable action | None | Not yet documented |
| moveDevicesToOU action | None | Not yet documented |
| removeDeviceFirmwareConfigurationInterfaceManagement action | None | Remove device from Device Firmware Configuration Interface management |
| initiateMobileDeviceManagementKeyRecovery action | None | Perform MDM key recovery and TPM attestation |
| initiateOnDemandProactiveRemediation action | None | Perform On Demand Proactive Remediation |
| rotateLocalAdminPassword action | None | Initiates a manual rotation for the local admin password on the device |
| getOemWarranty function | oemWarranty | Not yet documented |
| appDiagnostics function | powerliftIncidentMetadata collection | Not yet documented |
| downloadAppDiagnostics action | Stream | Not yet documented |
Properties
| Property | Type | Description |
|---|---|---|
| id | String | Unique Identifier for the device. This property is read-only. |
| userId | String | Unique Identifier for the user associated with the device. This property is read-only. |
| deviceName | String | Name of the device. This property is read-only. |
| hardwareInformation | hardwareInformation | The hardward details for the device. Includes information such as storage space, manufacturer, serial number, etc. Return default value in LIST managedDevices. Real value only returned in singel device GET call with device id and included in select parameter. Supports: $select. $Search is not supported. Read-only. This property is read-only. |
| ownerType | ownerType | Ownership of the device. Can be 'company' or 'personal'. Possible values are: unknown, company, personal. |
| managedDeviceOwnerType | managedDeviceOwnerType | Ownership of the device. Can be 'company' or 'personal'. Possible values are: unknown, company, personal. |
| deviceActionResults | deviceActionResult collection | List of ComplexType deviceActionResult objects. This property is read-only. |
| managementState | managementState | Management state of the device. This property is read-only. Possible values are: managed, retirePending, retireFailed, wipePending, wipeFailed, unhealthy, deletePending, retireIssued, wipeIssued, wipeCanceled, retireCanceled, discovered. |
| enrolledDateTime | DateTimeOffset | Enrollment time of the device. This property is read-only. |
| lastSyncDateTime | DateTimeOffset | The date and time that the device last completed a successful sync with Intune. This property is read-only. |
| chassisType | chassisType | Chassis type of the device. This property is read-only. Possible values are: unknown, desktop, laptop, worksWorkstation, enterpriseServer, phone, tablet, mobileOther, mobileUnknown. |
| operatingSystem | String | Operating system of the device. Windows, iOS, etc. This property is read-only. |
| deviceType | deviceType | Platform of the device. This property is read-only. Possible values are: desktop, windowsRT, winMO6, nokia, windowsPhone, mac, winCE, winEmbedded, iPhone, iPad, iPod, android, iSocConsumer, unix, macMDM, holoLens, surfaceHub, androidForWork, androidEnterprise, windows10x, androidnGMS, chromeOS, linux, blackberry, palm, unknown, cloudPC. |
| complianceState | complianceState | Compliance state of the device. This property is read-only. Possible values are: unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager. |
| jailBroken | String | whether the device is jail broken or rooted. This property is read-only. |
| managementAgent | managementAgentType | Management channel of the device. Intune, EAS, etc. This property is read-only. Possible values are: eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController, microsoft365ManagedMdm, msSense, intuneAosp. |
| osVersion | String | Operating system version of the device. This property is read-only. |
| easActivated | Boolean | Whether the device is Exchange ActiveSync activated. This property is read-only. |
| easDeviceId | String | Exchange ActiveSync Id of the device. This property is read-only. |
| easActivationDateTime | DateTimeOffset | Exchange ActivationSync activation time of the device. This property is read-only. |
| aadRegistered | Boolean | Whether the device is Azure Active Directory registered. This property is read-only. |
| azureADRegistered | Boolean | Whether the device is Azure Active Directory registered. This property is read-only. |
| deviceEnrollmentType | deviceEnrollmentType | Enrollment type of the device. This property is read-only. Possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth, appleUserEnrollment, appleUserEnrollmentWithServiceAccount, azureAdJoinUsingAzureVmExtension, androidEnterpriseDedicatedDevice, androidEnterpriseFullyManaged, androidEnterpriseCorporateWorkProfile. |
| lostModeState | lostModeState | Indicates if Lost mode is enabled or disabled. This property is read-only. Possible values are: disabled, enabled. |
| activationLockBypassCode | String | The code that allows the Activation Lock on managed device to be bypassed. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity in LIST call. Individual GET call with select query options is needed to retrieve actual values. Supports: $select. $Search is not supported. Read-only. This property is read-only. |
| emailAddress | String | Email(s) for the user associated with the device. This property is read-only. |
| azureActiveDirectoryDeviceId | String | The unique identifier for the Azure Active Directory device. Read only. This property is read-only. |
| azureADDeviceId | String | The unique identifier for the Azure Active Directory device. Read only. This property is read-only. |
| deviceRegistrationState | deviceRegistrationState | Device registration state. This property is read-only. Possible values are: notRegistered, registered, revoked, keyConflict, approvalPending, certificateReset, notRegisteredPendingEnrollment, unknown. |
| deviceCategoryDisplayName | String | Device category display name. This property is read-only. |
| isSupervised | Boolean | Device supervised status. This property is read-only. |
| exchangeLastSuccessfulSyncDateTime | DateTimeOffset | Last time the device contacted Exchange. This property is read-only. |
| exchangeAccessState | deviceManagementExchangeAccessState | The Access State of the device in Exchange. This property is read-only. Possible values are: none, unknown, allowed, blocked, quarantined. |
| exchangeAccessStateReason | deviceManagementExchangeAccessStateReason | The reason for the device's access state in Exchange. This property is read-only. Possible values are: none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp. |
| remoteAssistanceSessionUrl | String | Url that allows a Remote Assistance session to be established with the device. This property is read-only. |
| remoteAssistanceSessionErrorDetails | String | An error string that identifies issues when creating Remote Assistance session objects. This property is read-only. |
| isEncrypted | Boolean | Device encryption status. This property is read-only. |
| userPrincipalName | String | Device user principal name. This property is read-only. |
| model | String | Model of the device. This property is read-only. |
| manufacturer | String | Manufacturer of the device. This property is read-only. |
| imei | String | IMEI. This property is read-only. |
| complianceGracePeriodExpirationDateTime | DateTimeOffset | The DateTime when device compliance grace period expires. This property is read-only. |
| serialNumber | String | SerialNumber. This property is read-only. |
| phoneNumber | String | Phone number of the device. This property is read-only. |
| androidSecurityPatchLevel | String | Android security patch level. This property is read-only. |
| userDisplayName | String | User display name. This property is read-only. |
| configurationManagerClientEnabledFeatures | configurationManagerClientEnabledFeatures | ConfigrMgr client enabled features. This property is read-only. |
| wiFiMacAddress | String | Wi-Fi MAC. This property is read-only. |
| deviceHealthAttestationState | deviceHealthAttestationState | The device health attestation state. This property is read-only. |
| subscriberCarrier | String | Subscriber Carrier. This property is read-only. |
| meid | String | MEID. This property is read-only. |
| totalStorageSpaceInBytes | Int64 | Total Storage in Bytes. This property is read-only. |
| freeStorageSpaceInBytes | Int64 | Free Storage in Bytes. Default value is 0. Read-only. This property is read-only. |
| managedDeviceName | String | Automatically generated name to identify a device. Can be overwritten to a user friendly name. |
| partnerReportedThreatState | managedDevicePartnerReportedHealthState | Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. This property is read-only. Possible values are: unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured. |
| retireAfterDateTime | DateTimeOffset | Indicates the time after when a device will be auto retired because of scheduled action. This property is read-only. |
| usersLoggedOn | loggedOnUser collection | Indicates the last logged on users of a device. This property is read-only. |
| preferMdmOverGroupPolicyAppliedDateTime | DateTimeOffset | Reports the DateTime the preferMdmOverGroupPolicy setting was set. When set, the Intune MDM settings will override Group Policy settings if there is a conflict. Read Only. This property is read-only. |
| autopilotEnrolled | Boolean | Reports if the managed device is enrolled via auto-pilot. This property is read-only. |
| requireUserEnrollmentApproval | Boolean | Reports if the managed iOS device is user approval enrollment. This property is read-only. |
| managementCertificateExpirationDate | DateTimeOffset | Reports device management certificate expiration date. This property is read-only. |
| iccid | String | Integrated Circuit Card Identifier, it is A SIM card's unique identification number. Return default value null in LIST managedDevices. Real value only returned in singel device GET call with device id and included in select parameter. Supports: $select. $Search is not supported. Read-only. This property is read-only. |
| udid | String | Unique Device Identifier for iOS and macOS devices. Return default value null in LIST managedDevices. Real value only returned in singel device GET call with device id and included in select parameter. Supports: $select. $Search is not supported. Read-only. This property is read-only. |
| roleScopeTagIds | String collection | List of Scope Tag IDs for this Device instance. |
| windowsActiveMalwareCount | Int32 | Count of active malware for this windows device. This property is read-only. |
| windowsRemediatedMalwareCount | Int32 | Count of remediated malware for this windows device. This property is read-only. |
| notes | String | Notes on the device created by IT Admin. Return default value null in LIST managedDevices. Real value only returned in singel device GET call with device id and included in select parameter. Supports: $select. $Search is not supported. |
| configurationManagerClientHealthState | configurationManagerClientHealthState | Configuration manager client health state, valid only for devices managed by MDM/ConfigMgr Agent |
| configurationManagerClientInformation | configurationManagerClientInformation | Configuration manager client information, valid only for devices managed, duel-managed or tri-managed by ConfigMgr Agent |
| ethernetMacAddress | String | Indicates Ethernet MAC Address of the device. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity. Individual get call with select query options is needed to retrieve actual values. Example: deviceManagement/managedDevices({managedDeviceId})?$select=ethernetMacAddress Supports: $select. $Search is not supported. Read-only. This property is read-only. |
| physicalMemoryInBytes | Int64 | Total Memory in Bytes. Return default value 0 in LIST managedDevices. Real value only returned in singel device GET call with device id and included in select parameter. Supports: $select. Default value is 0. Read-only. This property is read-only. |
| processorArchitecture | managedDeviceArchitecture | Processor architecture. This property is read-only. Possible values are: unknown, x86, x64, arm, arM64. |
| specificationVersion | String | Specification version. This property is read-only. |
| joinType | joinType | Device join type. Possible values are: unknown, azureADJoined, azureADRegistered, hybridAzureADJoined. |
| skuFamily | String | Device sku family |
| skuNumber | Int32 | Device sku number, see also: https://learn.microsoft.com/windows/win32/api/sysinfoapi/nf-sysinfoapi-getproductinfo. Valid values 0 to 2147483647. This property is read-only. |
| managementFeatures | managedDeviceManagementFeatures | Device management features. Possible values are: none, microsoftManagedDesktop. |
| chromeOSDeviceInfo | chromeOSDeviceProperty collection | List of properties of the ChromeOS Device. |
| enrollmentProfileName | String | Name of the enrollment profile assigned to the device. Default value is empty string, indicating no enrollment profile was assgined. This property is read-only. |
| bootstrapTokenEscrowed | Boolean | Reports if the managed device has an escrowed Bootstrap Token. This is only for macOS devices. To get, include BootstrapTokenEscrowed in the select clause and query with a device id. If FALSE, no bootstrap token is escrowed. If TRUE, the device has escrowed a bootstrap token with Intune. This property is read-only. |
| deviceFirmwareConfigurationInterfaceManaged | Boolean | Indicates whether the device is DFCI managed. When TRUE the device is DFCI managed. When FALSE, the device is not DFCI managed. The default value is FALSE. |
Relationships
| Relationship | Type | Description |
|---|---|---|
| detectedApps | detectedApp collection | All applications currently installed on the device |
| deviceCategory | deviceCategory | Device category |
| windowsProtectionState | windowsProtectionState | The device protection status. This property is read-only. |
| users | user collection | The primary users associated with the managed device. |
| logCollectionRequests | deviceLogCollectionResponse collection | List of log collection requests |
| deviceHealthScriptStates | deviceHealthScriptPolicyState collection | Results of device health scripts that ran for this device. Default is empty list. This property is read-only. |
JSON Representation
Here is a JSON representation of the resource.
{
"@odata.type": "#microsoft.graph.managedDevice",
"id": "String (identifier)",
"userId": "String",
"deviceName": "String",
"hardwareInformation": {
"@odata.type": "microsoft.graph.hardwareInformation",
"serialNumber": "String",
"totalStorageSpace": 1024,
"freeStorageSpace": 1024,
"imei": "String",
"meid": "String",
"manufacturer": "String",
"model": "String",
"phoneNumber": "String",
"subscriberCarrier": "String",
"cellularTechnology": "String",
"wifiMac": "String",
"operatingSystemLanguage": "String",
"isSupervised": true,
"isEncrypted": true,
"batterySerialNumber": "String",
"batteryHealthPercentage": 1024,
"batteryChargeCycles": 1024,
"isSharedDevice": true,
"sharedDeviceCachedUsers": [
{
"@odata.type": "microsoft.graph.sharedAppleDeviceUser",
"userPrincipalName": "String",
"dataToSync": true,
"dataQuota": 1024,
"dataUsed": 1024
}
],
"tpmSpecificationVersion": "String",
"operatingSystemEdition": "String",
"deviceFullQualifiedDomainName": "String",
"deviceGuardVirtualizationBasedSecurityHardwareRequirementState": "String",
"deviceGuardVirtualizationBasedSecurityState": "String",
"deviceGuardLocalSystemAuthorityCredentialGuardState": "String",
"osBuildNumber": "String",
"operatingSystemProductType": 1024,
"ipAddressV4": "String",
"subnetAddress": "String",
"esimIdentifier": "String",
"systemManagementBIOSVersion": "String",
"tpmManufacturer": "String",
"tpmVersion": "String",
"wiredIPv4Addresses": [
"String"
],
"batteryLevelPercentage": "4.2",
"residentUsersCount": 1024,
"productName": "String",
"deviceLicensingStatus": "String",
"deviceLicensingLastErrorCode": 1024,
"deviceLicensingLastErrorDescription": "String"
},
"ownerType": "String",
"managedDeviceOwnerType": "String",
"deviceActionResults": [
{
"@odata.type": "microsoft.graph.deviceActionResult",
"actionName": "String",
"actionState": "String",
"startDateTime": "String (timestamp)",
"lastUpdatedDateTime": "String (timestamp)"
}
],
"managementState": "String",
"enrolledDateTime": "String (timestamp)",
"lastSyncDateTime": "String (timestamp)",
"chassisType": "String",
"operatingSystem": "String",
"deviceType": "String",
"complianceState": "String",
"jailBroken": "String",
"managementAgent": "String",
"osVersion": "String",
"easActivated": true,
"easDeviceId": "String",
"easActivationDateTime": "String (timestamp)",
"aadRegistered": true,
"azureADRegistered": true,
"deviceEnrollmentType": "String",
"lostModeState": "String",
"activationLockBypassCode": "String",
"emailAddress": "String",
"azureActiveDirectoryDeviceId": "String",
"azureADDeviceId": "String",
"deviceRegistrationState": "String",
"deviceCategoryDisplayName": "String",
"isSupervised": true,
"exchangeLastSuccessfulSyncDateTime": "String (timestamp)",
"exchangeAccessState": "String",
"exchangeAccessStateReason": "String",
"remoteAssistanceSessionUrl": "String",
"remoteAssistanceSessionErrorDetails": "String",
"isEncrypted": true,
"userPrincipalName": "String",
"model": "String",
"manufacturer": "String",
"imei": "String",
"complianceGracePeriodExpirationDateTime": "String (timestamp)",
"serialNumber": "String",
"phoneNumber": "String",
"androidSecurityPatchLevel": "String",
"userDisplayName": "String",
"configurationManagerClientEnabledFeatures": {
"@odata.type": "microsoft.graph.configurationManagerClientEnabledFeatures",
"inventory": true,
"modernApps": true,
"resourceAccess": true,
"deviceConfiguration": true,
"compliancePolicy": true,
"windowsUpdateForBusiness": true,
"endpointProtection": true,
"officeApps": true
},
"wiFiMacAddress": "String",
"deviceHealthAttestationState": {
"@odata.type": "microsoft.graph.deviceHealthAttestationState",
"lastUpdateDateTime": "String",
"contentNamespaceUrl": "String",
"deviceHealthAttestationStatus": "String",
"contentVersion": "String",
"issuedDateTime": "String (timestamp)",
"attestationIdentityKey": "String",
"resetCount": 1024,
"restartCount": 1024,
"dataExcutionPolicy": "String",
"bitLockerStatus": "String",
"bootManagerVersion": "String",
"codeIntegrityCheckVersion": "String",
"secureBoot": "String",
"bootDebugging": "String",
"operatingSystemKernelDebugging": "String",
"codeIntegrity": "String",
"testSigning": "String",
"safeMode": "String",
"windowsPE": "String",
"earlyLaunchAntiMalwareDriverProtection": "String",
"virtualSecureMode": "String",
"pcrHashAlgorithm": "String",
"bootAppSecurityVersion": "String",
"bootManagerSecurityVersion": "String",
"tpmVersion": "String",
"pcr0": "String",
"secureBootConfigurationPolicyFingerPrint": "String",
"codeIntegrityPolicy": "String",
"bootRevisionListInfo": "String",
"operatingSystemRevListInfo": "String",
"healthStatusMismatchInfo": "String",
"healthAttestationSupportedStatus": "String"
},
"subscriberCarrier": "String",
"meid": "String",
"totalStorageSpaceInBytes": 1024,
"freeStorageSpaceInBytes": 1024,
"managedDeviceName": "String",
"partnerReportedThreatState": "String",
"retireAfterDateTime": "String (timestamp)",
"usersLoggedOn": [
{
"@odata.type": "microsoft.graph.loggedOnUser",
"userId": "String",
"lastLogOnDateTime": "String (timestamp)"
}
],
"preferMdmOverGroupPolicyAppliedDateTime": "String (timestamp)",
"autopilotEnrolled": true,
"requireUserEnrollmentApproval": true,
"managementCertificateExpirationDate": "String (timestamp)",
"iccid": "String",
"udid": "String",
"roleScopeTagIds": [
"String"
],
"windowsActiveMalwareCount": 1024,
"windowsRemediatedMalwareCount": 1024,
"notes": "String",
"configurationManagerClientHealthState": {
"@odata.type": "microsoft.graph.configurationManagerClientHealthState",
"state": "String",
"errorCode": 1024,
"lastSyncDateTime": "String (timestamp)"
},
"configurationManagerClientInformation": {
"@odata.type": "microsoft.graph.configurationManagerClientInformation",
"clientIdentifier": "String",
"isBlocked": true,
"clientVersion": "String"
},
"ethernetMacAddress": "String",
"physicalMemoryInBytes": 1024,
"processorArchitecture": "String",
"specificationVersion": "String",
"joinType": "String",
"skuFamily": "String",
"skuNumber": 1024,
"managementFeatures": "String",
"chromeOSDeviceInfo": [
{
"@odata.type": "microsoft.graph.chromeOSDeviceProperty",
"name": "String",
"value": "String",
"valueType": "String",
"updatable": true
}
],
"enrollmentProfileName": "String",
"bootstrapTokenEscrowed": true,
"deviceFirmwareConfigurationInterfaceManaged": true
}
Feedback
Submit and view feedback for