Create Windows enrollment template

POST

/v1/organizations/:organizationId/mdm/windows/enterprise/enrollment-templates/

Create Windows enrollment template

Required Permission: mdm.windows.enrollmentTemplate.create

Create new Windows enrollment template defining device registration workflow with authentication requirements, auto-enrollment rules, and policy assignment for onboarding.

Request

Add parameter in header authorization

Example: Authorization: Bearer <token>

organizationId string

required

Match pattern: ^(([a-fA-F0-9]{24})|([a-zA-Z0-9\\-]{3,}))$

Body Params application/json

name string required

Required display name for the new enrollment template, must be unique within the organization.

≤ 128 characters

description string optional

Optional explanatory text describing the template purpose and target device types.

≤ 256 characters

rules array [object] optional

Required auto-enrollment rules array defining device classification and policy assignment. Must include at least one rule with winPolicyId or winPolicyAssignments.

name string optional

≤ 256 characters

displayNamePattern string optional

≤ 256 characters

tags array [string] optional

conditions array [object] optional

tags array [array] optional

auxiliaryFields array [array] optional

patterns array [string] optional

identifiers array [string] optional

winPolicyId string optional

Match pattern: ^[a-fA-F0-9]{24}$

winPolicyAssignments array [object] optional

winPolicyId string optional

Match pattern: ^[a-fA-F0-9]{24}$

priority integer required

≥ 0 · ≤ 10000

segmentId integer optional

≥ 0

auxiliaryFields array [object] optional

Custom data collection fields displayed during enrollment to capture additional device or user metadata for rule evaluation.

type string optional

select text

key string required

≤ 128 characters

title string optional

≤ 128 characters

description string optional

≤ 256 characters

options array [string] optional

loginProviderTypes array [string] optional

Authentication provider types enabled for enrollment, determining which identity systems users can authenticate through.

allowAutoContinue boolean optional

Flag enabling automatic progression through enrollment steps when authentication succeeds, reducing manual interaction.

entraId object optional

Microsoft Entra ID integration configuration for Azure AD-based device registration and management.

mobilityApp object optional

Enterprise Mobility Management application credentials registered in Entra ID for MDM enrollment authority.

tenantId string required

Azure Active Directory tenant identifier where the mobility application is registered.

≤ 256 characters

clientId string required

Application (client) ID of the registered Mobility Management application in Entra ID.

≤ 256 characters

clientSecret string required

Client secret credential for authenticating the mobility application with Microsoft Graph API.

≤ 256 characters

segmentId integer optional

Segment identifier for scoping smart enrollment into an specific segment

≥ 0

{
    "name": "Corporate Device Enrollment",
    "description": "Standard enrollment workflow for corporate Windows devices with Entra ID integration",
    "rules": [
        {
            "name": "string",
            "displayNamePattern": "string",
            "tags": [
                "string"
            ],
            "conditions": [
                {
                    "tags": [
                        [
                            "string"
                        ]
                    ],
                    "auxiliaryFields": [
                        [
                            "string"
                        ]
                    ],
                    "patterns": [
                        "string"
                    ],
                    "identifiers": [
                        "string"
                    ]
                }
            ],
            "winPolicyId": "string",
            "winPolicyAssignments": [
                {
                    "winPolicyId": "string",
                    "priority": 0
                }
            ],
            "segmentId": 0
        }
    ],
    "auxiliaryFields": [
        {
            "type": "select",
            "key": "string",
            "title": "string",
            "description": "string",
            "options": [
                "string"
            ]
        }
    ],
    "loginProviderTypes": [
        "ldap",
        "saml",
        "google"
    ],
    "allowAutoContinue": true,
    "entraId": {
        "mobilityApp": {
            "tenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "clientId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
            "clientSecret": "ABC~123def456GHI789jkl012MNO"
        }
    },
    "segmentId": "1"
}

Responses

200 Response application/json

status boolean optional

data object optional

id string optional

Unique identifier for the Windows enrollment template.

Match pattern: ^[a-fA-F0-9]{24}$

name string optional

Display name of the enrollment template used in management interfaces.

≤ 128 characters

description string optional

Optional explanatory text describing the template purpose and target device types.

≤ 256 characters

rules array [object] optional

Auto-enrollment rules array defining device classification, tagging, and policy assignment logic based on enrollment context.

name string optional

≤ 256 characters

displayNamePattern string optional

≤ 256 characters

tags array [string] optional

conditions array [object] optional

tags array [array] optional

auxiliaryFields array [array] optional

patterns array [string] optional

identifiers array [string] optional

winPolicyAssignments array [object] optional

winPolicyId string optional

Match pattern: ^[a-fA-F0-9]{24}$

priority integer required

≥ 0 · ≤ 10000

segmentId integer optional

≥ 0

auxiliaryFields array [object] optional

Custom data collection fields displayed during enrollment to capture additional device or user metadata for rule evaluation.

type string optional

select text

key string required

≤ 128 characters

title string optional

≤ 128 characters

description string optional

≤ 256 characters

options array [string] optional

loginProviderTypes array [string] optional

Authentication provider types enabled for enrollment, determining which identity systems users can authenticate through.

allowAutoContinue boolean optional

Flag enabling automatic progression through enrollment steps when authentication succeeds, reducing manual interaction.

winEnrollmentTokenId string optional

Reference to the associated enrollment token entity managing device provisioning credentials.

Match pattern: ^[a-fA-F0-9]{24}$

winEnrollmentToken object optional

Complete enrollment token object containing provisioning server URL and authentication credentials.

entraId object optional

Microsoft Entra ID integration configuration for Azure AD-based device registration and management.

mobilityApp object optional

Enterprise Mobility Management application credentials registered in Entra ID for MDM enrollment authority.

tenantId string optional

Azure Active Directory tenant identifier where the mobility application is registered.

≤ 256 characters

clientId string optional

Application (client) ID of the registered Mobility Management application in Entra ID.

≤ 256 characters

clientSecret string optional

Client secret credential for authenticating the mobility application with Microsoft Graph API.

≤ 256 characters

devicesCount integer optional

Total number of devices currently enrolled using this template across all organizations.

≥ 0

segmentId integer optional

Segment identifier for scoping smart enrollment into an specific segment

≥ 0

updatedAt string optional

Timestamp of the most recent template modification in ISO-8601 format.

Format: date-time

createdAt string optional

Timestamp when the enrollment template was initially created in ISO-8601 format.

Format: date-time

{
    "status": true,
    "data": {
        "id": "698e06f56544c9857506df0c",
        "name": "Corporate Device Enrollment",
        "description": "Standard enrollment workflow for corporate Windows devices with Entra ID integration",
        "rules": [
            {
                "name": "string",
                "displayNamePattern": "string",
                "tags": [
                    "string"
                ],
                "conditions": [
                    {
                        "tags": [
                            [
                                "string"
                            ]
                        ],
                        "auxiliaryFields": [
                            [
                                "string"
                            ]
                        ],
                        "patterns": [
                            "string"
                        ],
                        "identifiers": [
                            "string"
                        ]
                    }
                ],
                "winPolicyAssignments": [
                    {
                        "winPolicyId": "string",
                        "priority": 0
                    }
                ],
                "segmentId": 0
            }
        ],
        "auxiliaryFields": [
            {
                "type": "select",
                "key": "string",
                "title": "string",
                "description": "string",
                "options": [
                    "string"
                ]
            }
        ],
        "loginProviderTypes": [
            "ldap",
            "saml",
            "google"
        ],
        "allowAutoContinue": true,
        "winEnrollmentTokenId": "698e06f56544c9857506df0c",
        "winEnrollmentToken": {
            "id": "698e06f56544c9857506df0c",
            "token": "enroll_abc123def456",
            "serverUrl": "https://mdm.company.com/enroll"
        },
        "entraId": {
            "mobilityApp": {
                "tenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                "clientId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
                "clientSecret": "ABC~123def456GHI789jkl012MNO"
            }
        },
        "devicesCount": 247,
        "segmentId": "1",
        "updatedAt": "2026-02-10T12: 00:00Z",
        "createdAt": "2026-01-15T09: 30:00Z"
    }
}

400 Response application/json

status boolean optional

false

error object optional

code number optional

5209

message string optional

Invalid input

{
    "status": false,
    "error": {
        "code": 5050,
        "message": "Feature not allowed for you billing plan"
    }
}

401 Response application/json

status boolean optional

false

error object optional

code number optional

4001

message string optional

Unauthorized

{
    "status": false,
    "error": {
        "code": 4002,
        "message": "No auth token"
    }
}

404 Response application/json

status boolean optional

false

error object optional

code number optional

3001

message string optional

Entity not found

{
    "status": false,
    "error": {
        "code": 3001,
        "message": "Entity not found"
    }
}