Brian Reid – Microsoft 365 Subject Matter Expert

What Is The Value of enrollmentProfileName

In Microsoft EndPoint Manager there are a few different device registration scenarios that make use of a property called device.enrollmentProfileName. To find and apply other settings (apps, config, etc) to these devices later on you need to have a Dynamic Device Group based on this property. The problem is the value of the property is not available to view in PowerShell or the Endpoint Manager portal.

This value is used by AutoPilot, Apple Business Manager devices (aka DEP) and Android Fully Managed device profiles.

So how can I see what a devices value is so I can create a group to contain that device. I need to use the Graph Explorer.

In the Graph Explorer, using the Beta endpoint, I can get data for my device using the query https://graph.microsoft.com/beta/devices/{objectId}

This gets BETA endpoint graph data, which includes enrollmentProfileName. The version 1.0 endpoint does not return enrollmentProfileName in the response.

If you have never used the Graph Explorer before, here are the steps to get this info:

Open the Graph Explorer from https://developer.microsoft.com/en-us/graph/graph-explorer

Click Sign In button to the left, and once signed in, select Beta (highlighted) and paste in the query replacing /me with /devices/{objectID}

Graph Explorer to look for a device properties (beta endpoint)

You may not have permissions (consent) to view the data you need, so you might need to click on Modify Permissions tab (also highlighted above) to request and approve consent to access the data. This consent may need administrator approval depending upon your security settings in Azure AD.

Click Run Query button and view the results in the Response Preview section below:

Response to a Device query in the Graph

The value of enrollmentProfileName will be the profile the device was enrolled under, at the time of enrollment. Its possible that the profile was renamed or deleted since the device was enrolled, or that you have many profiles, and so actually working out which profile the device is under can be tricky.

Also a top tip – don’t name your profiles all starting with “Test”. In the tenant where the above screenshots where taken from we found DEP profiles called “Test…” and AutoPilot profiles called “Test…”, so creating dynamic device groups where the device.enrollmentProfileName -contains “Test” was returning too many devices!

Posted

in

, , , , , , ,

by

Brian Reid

Tags:

, , , ,

Comments

3 responses to “What Is The Value of enrollmentProfileName”

  1. Greg avatar
    Greg

    Thanks Brian!

    Unfortunately it looks like the the permission needed for this is one of Directory.Read.All, Directory.AccessAsUser.All, Directory.ReadWrite.All, which is frustrating because I already have all of the managedDevices permissions and getting additional approval might not go as quickly as I would like.

    I submitted a feature request here if anyone else is in the same boat:
    https://github.com/microsoftgraph/microsoft-graph-docs/issues/12561

    Reply
  2. Martin Zonderland avatar
    Martin Zonderland

    Is it possible to change the value of the enrollmentProfileName attribute of a device, so you don’t have to reset a device to get the correct enrollmentProfileName for filtering?

    Reply
    1. Brian Reid avatar
      Brian Reid

      No. I wanted to do this very thing the other week. This property is read only to mere mortals like you and me!

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.