{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://github.com/api-evangelist/microsoft-intune/json-schema/microsoft-intune-managed-device-schema.json", "title": "Microsoft Intune Managed Device", "description": "Devices that are managed or pre-enrolled through Intune. Represents a physical or virtual device managed by the Microsoft Intune service via the Microsoft Graph API. Based on the microsoft.graph.managedDevice resource type.", "type": "object", "properties": { "@odata.type": { "type": "string", "const": "#microsoft.graph.managedDevice", "description": "The OData type annotation for the managed device resource." }, "id": { "type": "string", "description": "Unique identifier for the device. This property is read-only.", "readOnly": true }, "userId": { "type": "string", "description": "Unique identifier for the user associated with the device. This property is read-only.", "readOnly": true }, "deviceName": { "type": "string", "description": "Name of the device. This property is read-only.", "readOnly": true }, "managedDeviceOwnerType": { "type": "string", "description": "Ownership of the device. Can be 'company' or 'personal'.", "enum": [ "unknown", "company", "personal" ] }, "deviceActionResults": { "type": "array", "description": "List of ComplexType deviceActionResult objects. This property is read-only.", "readOnly": true, "items": { "$ref": "#/$defs/deviceActionResult" } }, "enrolledDateTime": { "type": "string", "format": "date-time", "description": "Enrollment time of the device. Supports $filter operator 'lt' and 'gt'. This property is read-only.", "readOnly": true }, "lastSyncDateTime": { "type": "string", "format": "date-time", "description": "The date and time that the device last completed a successful sync with Intune. Supports $filter operator 'lt' and 'gt'. This property is read-only.", "readOnly": true }, "operatingSystem": { "type": "string", "description": "Operating system of the device. Windows, iOS, etc. This property is read-only.", "readOnly": true }, "complianceState": { "type": "string", "description": "Compliance state of the device. Examples: Compliant, Conflict, Error, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. This property is read-only.", "readOnly": true, "enum": [ "unknown", "compliant", "noncompliant", "conflict", "error", "inGracePeriod", "configManager" ] }, "jailBroken": { "type": "string", "description": "Whether the device is jail broken or rooted. Default is an empty string. This property is read-only.", "readOnly": true }, "managementAgent": { "type": "string", "description": "Management channel of the device. Examples: Intune, EAS, etc. Default is unknown. This property is read-only.", "readOnly": true, "enum": [ "eas", "mdm", "easMdm", "intuneClient", "easIntuneClient", "configurationManagerClient", "configurationManagerClientMdm", "configurationManagerClientMdmEas", "unknown", "jamf", "googleCloudDevicePolicyController" ] }, "osVersion": { "type": "string", "description": "Operating system version of the device. This property is read-only.", "readOnly": true }, "easActivated": { "type": "boolean", "description": "Whether the device is Exchange ActiveSync activated. This property is read-only.", "readOnly": true }, "easDeviceId": { "type": "string", "description": "Exchange ActiveSync Id of the device. This property is read-only.", "readOnly": true }, "easActivationDateTime": { "type": "string", "format": "date-time", "description": "Exchange ActivationSync activation time of the device. This property is read-only.", "readOnly": true }, "azureADRegistered": { "type": ["boolean", "null"], "description": "Whether the device is Azure Active Directory registered. This property is read-only.", "readOnly": true }, "deviceEnrollmentType": { "type": "string", "description": "Enrollment type of the device. This property is read-only.", "readOnly": true, "enum": [ "unknown", "userEnrollment", "deviceEnrollmentManager", "appleBulkWithUser", "appleBulkWithoutUser", "windowsAzureADJoin", "windowsBulkUserless", "windowsAutoEnrollment", "windowsBulkAzureDomainJoin", "windowsCoManagement", "windowsAzureADJoinUsingDeviceAuth", "appleUserEnrollment", "appleUserEnrollmentWithServiceAccount" ] }, "activationLockBypassCode": { "type": ["string", "null"], "description": "The code that allows the Activation Lock on managed device to be bypassed. This property is read-only.", "readOnly": true }, "emailAddress": { "type": "string", "description": "Email(s) for the user associated with the device. This property is read-only.", "readOnly": true }, "azureADDeviceId": { "type": "string", "description": "The unique identifier for the Azure Active Directory device. Read only. This property is read-only.", "readOnly": true }, "deviceRegistrationState": { "type": "string", "description": "Device registration state. This property is read-only.", "readOnly": true, "enum": [ "notRegistered", "registered", "revoked", "keyConflict", "approvalPending", "certificateReset", "notRegisteredPendingEnrollment", "unknown" ] }, "deviceCategoryDisplayName": { "type": "string", "description": "Device category display name. Default is an empty string. This property is read-only.", "readOnly": true }, "isSupervised": { "type": "boolean", "description": "Device supervised status. This property is read-only.", "readOnly": true }, "exchangeLastSuccessfulSyncDateTime": { "type": "string", "format": "date-time", "description": "Last time the device contacted Exchange. This property is read-only.", "readOnly": true }, "exchangeAccessState": { "type": "string", "description": "The Access State of the device in Exchange. This property is read-only.", "readOnly": true, "enum": [ "none", "unknown", "allowed", "blocked", "quarantined" ] }, "exchangeAccessStateReason": { "type": "string", "description": "The reason for the device's access state in Exchange. This property is read-only.", "readOnly": true, "enum": [ "none", "unknown", "exchangeGlobalRule", "exchangeIndividualRule", "exchangeDeviceRule", "exchangeUpgrade", "exchangeMailboxPolicy", "other", "compliant", "notCompliant", "notEnrolled", "unknownLocation", "mfaRequired", "azureADBlockDueToAccessPolicy", "compromisedPassword", "deviceNotKnownWithManagedApp" ] }, "remoteAssistanceSessionUrl": { "type": ["string", "null"], "format": "uri", "description": "URL that allows a Remote Assistance session to be established with the device. This property is read-only.", "readOnly": true }, "remoteAssistanceSessionErrorDetails": { "type": ["string", "null"], "description": "An error string that identifies issues when creating Remote Assistance session objects. This property is read-only.", "readOnly": true }, "isEncrypted": { "type": "boolean", "description": "Device encryption status. This property is read-only.", "readOnly": true }, "userPrincipalName": { "type": "string", "description": "Device user principal name. This property is read-only.", "readOnly": true }, "model": { "type": "string", "description": "Model of the device. This property is read-only.", "readOnly": true }, "manufacturer": { "type": "string", "description": "Manufacturer of the device. This property is read-only.", "readOnly": true }, "imei": { "type": "string", "description": "IMEI (International Mobile Equipment Identity). This property is read-only.", "readOnly": true }, "complianceGracePeriodExpirationDateTime": { "type": "string", "format": "date-time", "description": "The DateTime when device compliance grace period expires. This property is read-only.", "readOnly": true }, "serialNumber": { "type": "string", "description": "Serial number of the device. This property is read-only.", "readOnly": true }, "phoneNumber": { "type": "string", "description": "Phone number of the device. This property is read-only.", "readOnly": true }, "androidSecurityPatchLevel": { "type": "string", "description": "Android security patch level. This property is read-only.", "readOnly": true }, "userDisplayName": { "type": "string", "description": "User display name. This property is read-only.", "readOnly": true }, "configurationManagerClientEnabledFeatures": { "$ref": "#/$defs/configurationManagerClientEnabledFeatures", "description": "ConfigrMgr client enabled features. This property is read-only.", "readOnly": true }, "wiFiMacAddress": { "type": "string", "description": "Wi-Fi MAC address. This property is read-only.", "readOnly": true }, "deviceHealthAttestationState": { "$ref": "#/$defs/deviceHealthAttestationState", "description": "The device health attestation state. This property is read-only.", "readOnly": true }, "subscriberCarrier": { "type": "string", "description": "Subscriber carrier. This property is read-only.", "readOnly": true }, "meid": { "type": "string", "description": "MEID (Mobile Equipment Identifier). This property is read-only.", "readOnly": true }, "totalStorageSpaceInBytes": { "type": "integer", "description": "Total storage in bytes. This property is read-only.", "readOnly": true }, "freeStorageSpaceInBytes": { "type": "integer", "description": "Free storage in bytes. Default value is 0. This property is read-only.", "readOnly": true, "default": 0 }, "managedDeviceName": { "type": "string", "description": "Automatically generated name to identify a device. Can be overwritten to a user friendly name." }, "partnerReportedThreatState": { "type": "string", "description": "Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read only. This property is read-only.", "readOnly": true, "enum": [ "unknown", "activated", "deactivated", "secured", "lowSeverity", "mediumSeverity", "highSeverity", "unresponsive", "compromised", "misconfigured" ] }, "requireUserEnrollmentApproval": { "type": ["boolean", "null"], "description": "Reports if the managed iOS device is user approval enrollment. This property is read-only.", "readOnly": true }, "managementCertificateExpirationDate": { "type": "string", "format": "date-time", "description": "Reports device management certificate expiration date. This property is read-only.", "readOnly": true }, "iccid": { "type": ["string", "null"], "description": "Integrated Circuit Card Identifier, the SIM card's unique identification number. This property is read-only.", "readOnly": true }, "udid": { "type": ["string", "null"], "description": "Unique Device Identifier for iOS and macOS devices. This property is read-only.", "readOnly": true }, "notes": { "type": ["string", "null"], "description": "Notes on the device created by IT Admin. Default is null." }, "ethernetMacAddress": { "type": ["string", "null"], "description": "Indicates Ethernet MAC Address of the device. This property is read-only.", "readOnly": true }, "physicalMemoryInBytes": { "type": "integer", "description": "Total memory in bytes. Default is 0. This property is read-only.", "readOnly": true, "default": 0 }, "enrollmentProfileName": { "type": ["string", "null"], "description": "Name of the enrollment profile assigned to the device. Default value is empty string. This property is read-only.", "readOnly": true } }, "required": [ "id" ], "$defs": { "deviceActionResult": { "type": "object", "title": "Device Action Result", "description": "Device action result returned from performing an action on a managed device.", "properties": { "@odata.type": { "type": "string", "const": "microsoft.graph.deviceActionResult" }, "actionName": { "type": "string", "description": "Action name." }, "actionState": { "type": "string", "description": "State of the action.", "enum": [ "none", "pending", "canceled", "active", "done", "failed", "notSupported" ] }, "startDateTime": { "type": "string", "format": "date-time", "description": "Time the action was initiated." }, "lastUpdatedDateTime": { "type": "string", "format": "date-time", "description": "Time the action state was last updated." } } }, "configurationManagerClientEnabledFeatures": { "type": "object", "title": "Configuration Manager Client Enabled Features", "description": "Represents the enabled features of the Configuration Manager client co-managed with Intune.", "properties": { "@odata.type": { "type": "string", "const": "microsoft.graph.configurationManagerClientEnabledFeatures" }, "inventory": { "type": "boolean", "description": "Whether inventory is managed by Intune." }, "modernApps": { "type": "boolean", "description": "Whether modern application is managed by Intune." }, "resourceAccess": { "type": "boolean", "description": "Whether resource access is managed by Intune." }, "deviceConfiguration": { "type": "boolean", "description": "Whether device configuration is managed by Intune." }, "compliancePolicy": { "type": "boolean", "description": "Whether compliance policy is managed by Intune." }, "windowsUpdateForBusiness": { "type": "boolean", "description": "Whether Windows Update for Business is managed by Intune." } } }, "deviceHealthAttestationState": { "type": "object", "title": "Device Health Attestation State", "description": "The device health attestation state, providing hardware-based security and health status information.", "properties": { "@odata.type": { "type": "string", "const": "microsoft.graph.deviceHealthAttestationState" }, "lastUpdateDateTime": { "type": "string", "description": "The timestamp of the last update." }, "contentNamespaceUrl": { "type": "string", "format": "uri", "description": "The DHA report version (namespace version)." }, "deviceHealthAttestationStatus": { "type": "string", "description": "The device health attestation status." }, "contentVersion": { "type": "string", "description": "The HealthAttestation state schema version." }, "issuedDateTime": { "type": "string", "format": "date-time", "description": "The DateTime when device was evaluated or issued to MDM." }, "attestationIdentityKey": { "type": "string", "description": "TWhen an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate." }, "resetCount": { "type": "integer", "description": "The number of times a PC device has hibernated or resumed." }, "restartCount": { "type": "integer", "description": "The number of times a PC device has rebooted." }, "dataExcutionPolicy": { "type": "string", "description": "DEP policy defines a set of hardware and software technologies that perform additional checks on memory." }, "bitLockerStatus": { "type": "string", "description": "On or Off of BitLocker Drive Encryption." }, "bootManagerVersion": { "type": "string", "description": "The version of the Boot Manager." }, "codeIntegrityCheckVersion": { "type": "string", "description": "The version of the code integrity check." }, "secureBoot": { "type": "string", "description": "When Secure Boot is enabled, the core components must have correct cryptographic signatures." }, "bootDebugging": { "type": "string", "description": "When bootDebugging is enabled, it is used to provide diagnostic information during development." }, "operatingSystemKernelDebugging": { "type": "string", "description": "When operatingSystemKernelDebugging is enabled, it allows kernel debugging." }, "codeIntegrity": { "type": "string", "description": "When code integrity is enabled, code execution is restricted to integrity verified code." }, "testSigning": { "type": "string", "description": "When test signing is allowed, the device does not enforce signature validation during boot." }, "safeMode": { "type": "string", "description": "Safe mode is a troubleshooting option for Windows that starts the computer in a limited state." }, "windowsPE": { "type": "string", "description": "Operating system running with limited services that is used to prepare a computer for Windows." }, "earlyLaunchAntiMalwareDriverProtection": { "type": "string", "description": "ELAM provides protection for the computers in your network when they start up." }, "virtualSecureMode": { "type": "string", "description": "VSM is a container that protects high value assets from a compromised kernel." }, "pcrHashAlgorithm": { "type": "string", "description": "Informational attribute that identifies the HASH algorithm that was used by TPM." }, "bootAppSecurityVersion": { "type": "string", "description": "The security version number of the Boot Application." }, "bootManagerSecurityVersion": { "type": "string", "description": "The security version number of the Boot Manager." }, "tpmVersion": { "type": "string", "description": "The security version number of the Boot Application." }, "pcr0": { "type": "string", "description": "A fingerprint of the legacy BIOS configuration measured in PCR[0]." }, "secureBootConfigurationPolicyFingerPrint": { "type": "string", "description": "Fingerprint of the Custom Secure Boot Configuration Policy." }, "codeIntegrityPolicy": { "type": "string", "description": "The Code Integrity policy that is controlling the security of the boot environment." }, "bootRevisionListInfo": { "type": "string", "description": "The Boot Revision List that was loaded during initial boot on the attested device." }, "operatingSystemRevListInfo": { "type": "string", "description": "The Operating System Revision List that was loaded during initial boot on the attested device." }, "healthStatusMismatchInfo": { "type": "string", "description": "This attribute appears if DHA-Service detects an integrity issue." }, "healthAttestationSupportedStatus": { "type": "string", "description": "This attribute indicates if DHA is supported for the device." } } } }, "examples": [ { "@odata.type": "#microsoft.graph.managedDevice", "id": "705c034c-034c-705c-4c03-5c704c035c70", "userId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "deviceName": "DESKTOP-ABC123", "managedDeviceOwnerType": "company", "enrolledDateTime": "2024-01-15T10:30:00Z", "lastSyncDateTime": "2026-03-01T14:22:00Z", "operatingSystem": "Windows", "complianceState": "compliant", "jailBroken": "False", "managementAgent": "mdm", "osVersion": "10.0.22631.3007", "easActivated": false, "azureADRegistered": true, "deviceEnrollmentType": "windowsAzureADJoin", "isSupervised": false, "isEncrypted": true, "userPrincipalName": "user@contoso.com", "model": "Surface Pro 9", "manufacturer": "Microsoft Corporation", "serialNumber": "012345678901", "userDisplayName": "Jane Doe", "wiFiMacAddress": "AA:BB:CC:DD:EE:FF", "totalStorageSpaceInBytes": 512110190592, "freeStorageSpaceInBytes": 256055095296, "managedDeviceName": "user_Windows_3/1/2026_2:22 PM", "partnerReportedThreatState": "secured", "physicalMemoryInBytes": 17179869184, "notes": null } ] }