Favicon

You are here: Home > API Reference > Windows > Windows Enrollment Tokens > List all Windows enrollment tokens

List all Windows enrollment tokens

Required Permission: mdm.windows.enrollmentToken.list

Retrieve paginated collection of enrollment tokens with optional filtering by assigned user, policy, or deletion status for organization management.

GET
/v1/organizations/:organizationId/mdm/windows/enterprise/enrollment-tokens/
Copy to clipboard

List all Windows enrollment tokens

Required Permission: mdm.windows.enrollmentToken.list

Retrieve paginated collection of enrollment tokens with optional filtering by assigned user, policy, or deletion status for organization management.

Request

Add parameter in header authorization
Example: Authorization: Bearer <token>
organizationId string
required
Match pattern: ^(([a-fA-F0-9]{24})|([a-zA-Z0-9\\-]{3,}))$
page integer
optional
Page number for paginated results starting from 1 enabling efficient navigation through large token datasets reducing API response sizes and improving performance.
limit integer
optional
Maximum enrollment tokens returned per page controlling response size and enabling customized list views balancing data completeness against loading performance.
sort string
optional
Ordering criteria using a field-to-direction mapping to organize results based on specific attributes like creation date, name, or status.
Match pattern: ^[\w.]*((:asc)|(:desc))?$
mdm-user string
optional
MDM user identifier filtering token list to display only tokens associated with specific user enabling user-focused management and ownership tracking.
Match pattern: ^[a-fA-F0-9]{24}$
win-policy string
optional
Windows policy identifier filtering tokens to show only those assigning specified policy enabling policy-centric auditing and deployment verification workflows.
Match pattern: ^[a-fA-F0-9]{24}$
show-deleted boolean
optional
Include revoked tokens in query results when enabled revealing historical deletion actions and enabling recovery workflows or compliance auditing of removed tokens.

Responses

200 Response application/json
status boolean optional
data object optional
items array [object] optional
id string optional
Unique enrollment token identifier assigned at creation used throughout platform for referencing token in device registration workflows, admin interfaces, and audit logs.
Match pattern: ^[a-fA-F0-9]{24}$
organizationId string optional
Organization workspace owning this token determining access permissions, billing attribution, and device association enabling multi-tenant isolation and administrative boundaries.
Match pattern: ^[a-fA-F0-9]{24}$
winEnterpriseId string optional
Windows enterprise configuration defining MDM server endpoints, authentication certificates, and enrollment protocols governing device registration and management communication.
Match pattern: ^[a-fA-F0-9]{24}$
winDeviceId string optional
Windows device completing enrollment using this token establishing ownership relationship and enabling tracking which tokens provisioned which devices for audit purposes.
Match pattern: ^[a-fA-F0-9]{24}$
mdmUser object optional
MDM user account receiving token ownership establishing device responsibility, determining permission scope, and enabling user-specific policy application and communication.
id string optional
MDM user account identifier linking enrolled devices to responsible individuals for ownership tracking and administrative accountability.
Match pattern: ^[a-fA-F0-9]{24}$
email string optional
User email address enabling enrollment invitation delivery, account identification, and serving as primary communication channel for device management notifications.
≤ 128 characters
displayName string optional
Human-readable token label appearing in administrative interfaces, email notifications, and management reports helping administrators identify token purpose and target users.
≤ 128 characters
tags array [string] optional
Classification tags automatically applied to enrolled devices enabling organizational grouping, policy targeting, and fleet segmentation for streamlined device management workflows.
state string optional
Token lifecycle status tracking usage and availability with PENDING indicating unused token, DONE after enrollment completion, DELETED when revoked, EXPIRED when time-limited validity elapsed.
PENDING DONE DELETED EXPIRED
config object optional
Platform-specific enrollment configuration parameters containing advanced settings, custom workflows, and integration options tailored to organizational deployment requirements.
type string optional
Token category classification determining enrollment workflow behavior, permission requirements, and processing logic differentiating standard enrollment from specialized provisioning scenarios.
≤ 128 characters
subType string optional
Token variant providing additional workflow context enabling fine-grained categorization and specialized handling for different enrollment scenarios within organization.
≤ 128 characters
updatedAt string optional
Most recent modification timestamp recorded in ISO-8601 format tracking configuration changes, policy updates, and administrative edits for audit compliance and change history.
Format: date-time
createdAt string optional
Token creation timestamp in ISO-8601 format marking generation moment used for calculating age, enforcing retention policies, and providing audit trail foundation.
Format: date-time
expireAt string optional
Token expiration timestamp blocking device enrollment after specified time enforcing time-limited provisioning for security compliance, null value indicating permanent validity without expiration.
Format: date-time
enrollmentLink string optional
Complete enrollment URL sent to end users via email or messaging enabling one-click device registration by embedding authentication credentials and configuration parameters.
≤ 500 characters
enrollCode string optional
Short alphanumeric code facilitating manual token entry during enrollment serving as accessible alternative when link clicking impractical or for phone-based configuration entry.
≤ 128 characters
winPolicyId string optional
Legacy single policy reference maintained for backward compatibility with deprecated enrollment workflows, superseded by winPolicyAssignments enabling multi-policy composition.
Match pattern: ^[a-fA-F0-9]{24}$
winPolicyAssignments array [object] optional
Policy composition assignments including full embedded policy objects with priority values enabling complete configuration preview and conflict resolution analysis.
winPolicyId string optional
Match pattern: ^[a-fA-F0-9]{24}$
winPolicy object optional
id string optional
Unique identifier for this specific resource instance in the system following a standardized format enabling targeted operations, relationship mapping, and tracking across all platform endpoints and data stores.
Match pattern: ^[a-fA-F0-9]{24}$
organizationId string optional
Organization identifier indicating workspace ownership for access control and data isolation across multi-tenant environments.
Match pattern: ^[a-fA-F0-9]{24}$
winEnterpriseId string optional
Windows enterprise configuration identifier linking policy to specific enrollment settings and device management context.
Match pattern: ^[a-fA-F0-9]{24}$
name string optional
Policy display name shown in interfaces and used for identification in listings and device assignments.
≤ 256 characters
config object optional
OMA-DM configuration object containing registry settings, security policies, and device restrictions to apply on managed Windows devices.
applications array [object] optional
Array of application assignments included in policy enabling bundled deployment and management of software packages.
applicationsInfo array [object] optional
Application metadata array containing name, version, and publisher details for included apps displayed in interfaces.
bookmarks array [object] optional
scripts array [object] optional
Array of script assignments included in policy enabling automated PowerShell or batch command operations.
scriptsInfo array [object] optional
Script metadata array containing name, description, and timing details for included scripts providing comprehensive script information in interfaces.
admxConfigs array [object] optional
Array of ADMX configuration assignments enabling group policy template settings for advanced Windows configurations.
admxConfigsInfo array [object] optional
ADMX configuration metadata array containing template details, settings types, and descriptions.
agentConfiguration object optional
MDM agent configuration settings controlling agent deployment, permissions, and capabilities on managed devices.
assets array [object] optional
Array of file asset assignments included in policy enabling deployment of certificates, configuration files, or resources.
assetsInfo array [object] optional
Asset metadata array containing file names, types, and sizes for included resources displayed in administrative interfaces.
version integer optional
Internal version counter for policy changes enabling conflict detection and synchronization tracking across device updates and modifications.
≥ 0
segmentId integer optional
Segment identifier for scoping policy into an specific segment
≥ 0
updatedAt string optional
ISO 8601 timestamp indicating the last time this record was modified in the database useful for tracking changes, synchronization processes, and maintaining audit trails of all modifications.
Format: date-time
createdAt string optional
ISO 8601 timestamp indicating when this record was initially created in the database providing historical context, chronological ordering capabilities, and analytics for lifecycle tracking and reporting.
Format: date-time
priority integer optional
≥ 0
summary object optional
Computed metadata aggregating token status information for UI display, dashboard visualization, and business logic evaluation without requiring field-by-field calculations.
expirationTimestamp string optional
Calculated expiration time combining creation timestamp and duration for streamlined validity checks and countdown displays in administrative interfaces.
Format: date-time
sendEmail boolean optional
Automated enrollment invitation email delivery flag triggering immediate notification to MDM user upon token creation containing enrollment instructions and access credentials.
emailText string optional
Custom message body embedded in enrollment invitation email providing personalized instructions, organizational context, and user-specific guidance enhancing onboarding experience.
segmentId integer optional
Segment identifier for scoping enrollment token into an specific segment
≥ 0
totalDocs integer optional
limit integer optional
hasPrevPage boolean optional
hasNextPage boolean optional
page integer optional
totalPages integer optional
prevPage integer optional
nextPage integer optional
lean boolean optional 
{
    "status": true,
    "data": {
        "items": [
            {
                "id": "698efa6ed851667d9c0aec88",
                "organizationId": "698efa6ed851667d9c0aec88",
                "winEnterpriseId": "698efa6ed851667d9c0aec88",
                "winDeviceId": "698efa6ed851667d9c0aec88",
                "mdmUser": {
                    "id": "698efa6ed851667d9c0aec88",
                    "email": "[email protected]"
                },
                "displayName": "Engineering Laptop - John Doe",
                "tags": [
                    "engineering",
                    "laptop",
                    "corporate"
                ],
                "state": "PENDING",
                "config": {},
                "type": "enrollment",
                "subType": "standard",
                "updatedAt": "2026-02-10T12: 00:00Z",
                "createdAt": "2026-01-15T09: 30:00Z",
                "expireAt": "2026-03-15T09: 30:00Z",
                "enrollmentLink": "https://mdm.company.com/enroll?token=abc123def456",
                "enrollCode": "ABC123",
                "winPolicyId": "698efa6ed851667d9c0aec88",
                "winPolicyAssignments": [
                    {
                        "winPolicyId": "698efa6ed851667d9c0aec88",
                        "winPolicy": {
                            "id": "698efa6ed851667d9c0aec88",
                            "name": "Corporate Security Policy"
                        },
                        "priority": 100
                    }
                ],
                "summary": {
                    "expirationTimestamp": "2026-03-15T09: 30:00Z"
                },
                "sendEmail": true,
                "emailText": "Welcome to the corporate device management program. Click the link to enroll your device.",
                "segmentId": "1"
            }
        ],
        "totalDocs": 0,
        "limit": 0,
        "hasPrevPage": true,
        "hasNextPage": true,
        "page": 0,
        "totalPages": 0,
        "prevPage": 0,
        "nextPage": 0,
        "lean": true
    }
}
401 Response application/json
status boolean optional
false
error object optional
code number optional
4004
message string optional
Invalid Token
{
    "status": false,
    "error": {
        "code": 4002,
        "message": "No auth token"
    }
}
404 Response application/json
status boolean optional
false
error object optional
code number optional
3001
message string optional
Entity not found
{
    "status": false,
    "error": {
        "code": 3001,
        "message": "Entity not found"
    }
}