Fleet & Endpoint Management
Fleet management handles the full lifecycle of endpoint devices -- laptops, desktops, mobile devices, kiosks, and IoT endpoints. It integrates with UEM platforms (Microsoft Intune, SCCM, Jamf, VMware Workspace ONE) to enforce compliance, deploy patches, and execute remote actions such as lock, wipe, and policy updates.
Supported UEM platforms
The platform ships with native adapters for four UEM platforms and supports manual device registration.
| Platform | Capabilities | Auth methods |
|---|---|---|
| Microsoft Intune | Device compliance, app deployment, conditional access | OAuth2 (Azure AD) |
| Microsoft SCCM | Patch management, software distribution, inventory | API Key, Windows Auth |
| Jamf Pro | macOS/iOS management, profiles, remote commands | OAuth2, API Token |
| VMware Workspace ONE | UEM, device enrollment, app catalog | API Key, OAuth2 |
| Manual | Direct registration via API for unmanaged devices | Bearer Token |
The device model
The device model represents a managed endpoint in your fleet. Each device record captures hardware identity, operating system details, compliance posture, assigned user, and its origin UEM platform. Devices are automatically linked to CMDB Configuration Items via the ci_id reference.
Properties
- `id` (string): Unique identifier for the device.
- `device_type` (string): The hardware category. One of `laptop`, `desktop`, `mobile`, `tablet`, `kiosk`, `iot_sensor`, or `printer`.
- `name` (string): Human-readable device name, typically the hostname.
- `serial_number` (string): Hardware serial number used for reconciliation across UEM sources.
- `os` (string): Operating system name. Common values: `Windows 11`, `macOS 14`, `Ubuntu 22.04`, `iOS 17`, `Android 14`.
- `os_version` (string): Full OS version string, e.g. `10.0.22631.3007` or `14.3.1`.
- `status` (string): Current device lifecycle status. One of `active`, `inactive`, `lost`, `stolen`, `retired`, or `non_compliant`.
- `compliance_status` (string): Compliance evaluation result. One of `compliant`, `non_compliant`, `pending_evaluation`, or `not_applicable`.
- `compliance_issues` (array): List of active compliance violations. Common values: `encryption_disabled`, `os_outdated`, `antivirus_missing`, `password_policy_violation`, `jailbroken`.
- `last_check_in` (timestamp): Timestamp of the most recent device heartbeat or check-in.
- `assigned_user_id` (string): The ID of the user currently assigned to this device.
- `location` (string): Current or last known physical location of the device.
- `encryption_enabled` (boolean): Whether full-disk encryption (BitLocker, FileVault, LUKS) is active.
- `patch_level` (string): Current cumulative patch level identifier, e.g. `KB5034123` or `2024-01-security`.
- `installed_software` (array): List of installed software objects, each containing `name` (string) and `version` (string).
- `uem_source` (string): The UEM platform that manages this device. One of `intune`, `sccm`, `jamf`, `workspace_one`, or `manual`.
- `uem_device_id` (string): The device identifier in the origin UEM platform.
- `ci_id` (string): Reference to the linked CMDB Configuration Item.
- `created_at` (timestamp): Timestamp of when the device was first registered.
- `updated_at` (timestamp): Timestamp of the most recent update to this device record.
- `org_id` (string): The organization this device belongs to.
List all devices
This endpoint returns a paginated list of all managed devices in your fleet. By default, a maximum of twenty devices are shown per page. Results can be filtered by device type, status, compliance posture, UEM source, or assigned user.
Optional attributes
- `limit` (integer): Limit the number of devices returned. Default is `20`, maximum is `100`.
- `cursor` (string): Pagination cursor from a previous response.
- `device_type` (string): Filter by device type: `laptop`, `desktop`, `mobile`, `tablet`, `kiosk`, `iot_sensor`, or `printer`.
- `status` (string): Filter by lifecycle status: `active`, `inactive`, `lost`, `stolen`, `retired`, or `non_compliant`.
- `compliance_status` (string): Filter by compliance posture: `compliant`, `non_compliant`, `pending_evaluation`, or `not_applicable`.
- `uem_source` (string): Filter by UEM platform: `intune`, `sccm`, `jamf`, `workspace_one`, or `manual`.
- `assigned_user_id` (string): Filter devices assigned to a specific user.
Request
curl -G http://localhost:3000/v1/fleet/devices \
-H "Authorization: Bearer {token}" \
-d limit=10 \
-d status=active \
-d compliance_status=non_compliant
Response
{
"has_more": true,
"cursor": "eyJpZCI6ImRldl8wOWtMbVJ3VDN2WG4ifQ",
"data": [
{
"id": "dev_7xKpQ2mR4wVb",
"device_type": "laptop",
"name": "WKST-PL-04821",
"serial_number": "PF4KXYZ1",
"os": "Windows 11",
"os_version": "10.0.22631.3007",
"status": "active",
"compliance_status": "non_compliant",
"compliance_issues": ["os_outdated", "antivirus_missing"],
"last_check_in": 1708732800,
"assigned_user_id": "usr_3nLsW8kF9xYt",
"location": "Warsaw HQ - Floor 3",
"encryption_enabled": true,
"patch_level": "KB5034123",
"installed_software": [
{ "name": "Microsoft 365", "version": "16.0.17231" },
{ "name": "Chrome", "version": "121.0.6167.160" }
],
"uem_source": "intune",
"uem_device_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"ci_id": "ci_Nw8pRtK4mXeQ",
"created_at": 1706140800,
"updated_at": 1708732800,
"org_id": "org_5qMnY7jR2vBx"
},
{
"id": "dev_9pRtH5jN2cEm",
"device_type": "mobile",
"name": "iPhone-JKowalski",
"serial_number": "F2LXK9QR7V",
"os": "iOS 17",
"os_version": "17.3.1",
"status": "active",
"compliance_status": "non_compliant",
"compliance_issues": ["password_policy_violation"],
"last_check_in": 1708731900,
"assigned_user_id": "usr_8kNpL7mS9wYr",
"location": "Gdansk Office",
"encryption_enabled": true,
"patch_level": "2024-01-ios",
"installed_software": [],
"uem_source": "intune",
"uem_device_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
"ci_id": "ci_Qw3pRtK8mXeL",
"created_at": 1706227200,
"updated_at": 1708731900,
"org_id": "org_5qMnY7jR2vBx"
}
]
}
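The cursor pagination and device fields described above can be combined into a fleet triage pass. This is an added example, not the platform's own client code: `fetch_page` is a hypothetical caller-supplied function that performs the GET request, the 7-day staleness window is an assumed threshold, and the sample pages are constructed.

```python
MAX_LIMIT = 100  # documented maximum page size
CRITICAL_ISSUES = {"encryption_disabled", "jailbroken", "antivirus_missing"}


def iter_devices(fetch_page, limit=20, **filters):
    """Yield every device, following `cursor` until `has_more` is false.

    fetch_page(params) is a hypothetical caller-supplied function that sends
    GET /v1/fleet/devices with `params` and returns the parsed JSON body.
    """
    params = dict(filters, limit=min(limit, MAX_LIMIT))
    seen = set()
    while True:
        page = fetch_page(dict(params))
        yield from page.get("data", [])
        cursor = page.get("cursor")
        if not page.get("has_more") or not cursor:
            return
        if cursor in seen:  # a repeated cursor would loop forever
            raise RuntimeError("pagination cursor repeated")
        seen.add(cursor)
        params["cursor"] = cursor


def triage(devices, now, stale_after=7 * 86400):
    """Return {device_id: [findings]}; stale_after is an assumed threshold."""
    findings = {}
    for d in devices:
        notes = []
        if d["status"] in ("lost", "stolen") and not d.get("encryption_enabled"):
            notes.append("lost_or_stolen_unencrypted")
        last = d.get("last_check_in")
        if d["status"] == "active" and (last is None or now - last > stale_after):
            notes.append("active_no_recent_check_in")
        notes += ["critical_issue:" + i for i in d.get("compliance_issues", [])
                  if i in CRITICAL_ISSUES]
        if notes:
            findings[d["id"]] = notes
    return findings


# Constructed sample pages (not real API output), keyed by the cursor sent.
_PAGES = {
    None: {"has_more": True, "cursor": "c1", "data": [
        {"id": "dev_A", "status": "lost", "encryption_enabled": False,
         "last_check_in": 1708000000, "compliance_issues": ["encryption_disabled"]},
        {"id": "dev_B", "status": "active", "encryption_enabled": True,
         "last_check_in": 1708732000, "compliance_issues": []}]},
    "c1": {"has_more": False, "cursor": None, "data": [
        {"id": "dev_C", "status": "active", "encryption_enabled": True,
         "last_check_in": None, "compliance_issues": ["jailbroken"]}]},
}


def demo():
    """Run the triage over the constructed pages with a fixed clock."""
    fetch = lambda params: _PAGES[params.get("cursor")]
    return triage(iter_devices(fetch, limit=500), now=1708732800)


if __name__ == "__main__":
    print(demo())
```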
Register a device
This endpoint allows you to manually register a new device in the fleet. Use this for devices that are not yet managed by a UEM platform or for specialized hardware (kiosks, IoT sensors, printers) that require manual onboarding. UEM-synced devices are registered automatically during sync.
Required attributes
- `device_type` (string): The hardware category: `laptop`, `desktop`, `mobile`, `tablet`, `kiosk`, `iot_sensor`, or `printer`.
- `name` (string): Human-readable device name or hostname.
- `serial_number` (string): The hardware serial number.
- `os` (string): The operating system name.
Optional attributes
- `os_version` (string): Full OS version string.
- `assigned_user_id` (string): User to assign the device to.
- `location` (string): Physical location of the device.
- `encryption_enabled` (boolean): Whether full-disk encryption is active. Defaults to `false`.
- `uem_source` (string): UEM platform identifier. Defaults to `manual`.
- `uem_device_id` (string): Device ID in the UEM platform, if applicable.
Request
curl -X POST http://localhost:3000/v1/fleet/devices \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
-d '{
"device_type": "kiosk",
"name": "KIOSK-LOBBY-01",
"serial_number": "KSK20240001",
"os": "Windows 11",
"os_version": "10.0.22631.3007",
"location": "Warsaw HQ - Main Lobby",
"encryption_enabled": true
}'
Response
{
"id": "dev_4kPmN8rT2wXq",
"device_type": "kiosk",
"name": "KIOSK-LOBBY-01",
"serial_number": "KSK20240001",
"os": "Windows 11",
"os_version": "10.0.22631.3007",
"status": "active",
"compliance_status": "pending_evaluation",
"compliance_issues": [],
"last_check_in": null,
"assigned_user_id": null,
"location": "Warsaw HQ - Main Lobby",
"encryption_enabled": true,
"patch_level": null,
"installed_software": [],
"uem_source": "manual",
"uem_device_id": null,
"ci_id": null,
"created_at": 1708733100,
"updated_at": 1708733100,
"org_id": "org_5qMnY7jR2vBx"
}
Get device details
This endpoint retrieves the full detail record for a single managed device, including its compliance posture, installed software inventory, and CMDB linkage.
Request
curl http://localhost:3000/v1/fleet/devices/dev_7xKpQ2mR4wVb \
-H "Authorization: Bearer {token}"
Response
{
"id": "dev_7xKpQ2mR4wVb",
"device_type": "laptop",
"name": "WKST-PL-04821",
"serial_number": "PF4KXYZ1",
"os": "Windows 11",
"os_version": "10.0.22631.3007",
"status": "active",
"compliance_status": "non_compliant",
"compliance_issues": ["os_outdated", "antivirus_missing"],
"last_check_in": 1708732800,
"assigned_user_id": "usr_3nLsW8kF9xYt",
"location": "Warsaw HQ - Floor 3",
"encryption_enabled": true,
"patch_level": "KB5034123",
"installed_software": [
{ "name": "Microsoft 365", "version": "16.0.17231" },
{ "name": "Chrome", "version": "121.0.6167.160" },
{ "name": "Visual Studio Code", "version": "1.86.0" },
{ "name": "Crowdstrike Falcon", "version": "7.06.17603" }
],
"uem_source": "intune",
"uem_device_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"ci_id": "ci_Nw8pRtK4mXeQ",
"created_at": 1706140800,
"updated_at": 1708732800,
"org_id": "org_5qMnY7jR2vBx"
}
Update a device
This endpoint allows you to update information for an existing device. Only the fields you provide will be modified. To reassign a device to a different user, update the assigned_user_id field. To mark a device as lost or stolen, update the status field.
Optional attributes
- `name` (string): Updated device name.
- `status` (string): Updated lifecycle status: `active`, `inactive`, `lost`, `stolen`, `retired`, or `non_compliant`.
- `assigned_user_id` (string): Updated user assignment. Set to `null` to unassign.
- `location` (string): Updated physical location.
- `encryption_enabled` (boolean): Updated encryption status.
Request
curl -X PATCH http://localhost:3000/v1/fleet/devices/dev_7xKpQ2mR4wVb \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
-d '{
"status": "lost",
"location": "Last seen: Warsaw HQ - Floor 3"
}'
Response
{
"id": "dev_7xKpQ2mR4wVb",
"device_type": "laptop",
"name": "WKST-PL-04821",
"serial_number": "PF4KXYZ1",
"os": "Windows 11",
"os_version": "10.0.22631.3007",
"status": "lost",
"compliance_status": "non_compliant",
"compliance_issues": ["os_outdated", "antivirus_missing"],
"last_check_in": 1708732800,
"assigned_user_id": "usr_3nLsW8kF9xYt",
"location": "Last seen: Warsaw HQ - Floor 3",
"encryption_enabled": true,
"patch_level": "KB5034123",
"installed_software": [
{ "name": "Microsoft 365", "version": "16.0.17231" },
{ "name": "Chrome", "version": "121.0.6167.160" }
],
"uem_source": "intune",
"uem_device_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"ci_id": "ci_Nw8pRtK4mXeQ",
"created_at": 1706140800,
"updated_at": 1708733200,
"org_id": "org_5qMnY7jR2vBx"
}
Retire a device
This endpoint retires a device from the fleet. The device record is soft-deleted: its status is set to retired and it is excluded from compliance reporting. The linked CMDB Configuration Item is updated accordingly. Historical audit logs are retained for 365 days.
Optional attributes
- `reason` (string): Reason for retirement, e.g. `end_of_life`, `hardware_failure`, `replaced`, `lost_unrecoverable`.
- `wipe_requested` (boolean): When set to `true`, a remote wipe command is sent to the device via the UEM platform before retirement. Defaults to `false`.
Request
curl -X DELETE http://localhost:3000/v1/fleet/devices/dev_7xKpQ2mR4wVb \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
-d '{"reason": "end_of_life", "wipe_requested": true}'
Response
{
"id": "dev_7xKpQ2mR4wVb",
"device_type": "laptop",
"name": "WKST-PL-04821",
"serial_number": "PF4KXYZ1",
"status": "retired",
"retired_at": 1708733400,
"reason": "end_of_life",
"wipe_requested": true,
"wipe_status": "pending",
"ci_id": "ci_Nw8pRtK4mXeQ",
"audit_retained_until": 1740269400
}
Execute remote action
This endpoint dispatches a remote action to a managed device through its UEM platform. Supported actions include lock, wipe, restart, policy update, and software installation. Actions are enqueued via BullMQ and processed asynchronously. The response returns an action ID you can poll for completion.
Required attributes
- `action` (string): The remote action to execute. One of `lock`, `wipe`, `restart`, `update_policy`, or `install_software`.
Optional attributes
- `reason` (string): Justification for the action, stored in audit logs.
- `software_package` (object): Required when `action` is `install_software`. Contains `name` (string) and `version` (string).
- `policy_id` (string): Required when `action` is `update_policy`. The compliance policy to push.
- `wipe_keep_enrollment` (boolean): When `action` is `wipe`, keep the device enrolled in UEM after wipe. Defaults to `false`.
Request
curl -X POST http://localhost:3000/v1/fleet/devices/dev_7xKpQ2mR4wVb/actions \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
-d '{
"action": "lock",
"reason": "Device reported lost by user"
}'
Response
{
"action_id": "act_2kNpL7mS9wYr",
"device_id": "dev_7xKpQ2mR4wVb",
"action": "lock",
"status": "queued",
"reason": "Device reported lost by user",
"uem_source": "intune",
"queued_at": 1708733500,
"estimated_completion": 1708733800,
"initiated_by": "usr_3nLsW8kF9xYt"
}
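The conditional attribute rules for remote actions can be enforced on the client before anything is queued. This is an added example, not the platform's own code: `build_action` is a hypothetical helper, and two of its rules are this example's choices rather than documented API behaviour (a mandatory `reason` for `lock` and `wipe`, and rejecting attributes that do not apply to the chosen action).

```python
ACTIONS = {"lock", "wipe", "restart", "update_policy", "install_software"}
# Local guardrail (assumption, not an API rule): disruptive actions need a reason.
REASON_REQUIRED = {"lock", "wipe"}


def build_action(action, reason=None, software_package=None,
                 policy_id=None, wipe_keep_enrollment=None):
    """Validate arguments and return the JSON body for POST .../actions."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    body = {"action": action}

    # The reason ends up in the audit log, so require it where it matters most.
    if action in REASON_REQUIRED and not (reason and reason.strip()):
        raise ValueError(f"{action} requires a reason for the audit log")
    if reason and reason.strip():
        body["reason"] = reason.strip()

    if action == "install_software":
        pkg = software_package or {}
        if not all(isinstance(pkg.get(k), str) and pkg[k]
                   for k in ("name", "version")):
            raise ValueError("install_software requires software_package "
                             "with name and version")
        # Copy only the documented keys so nothing else rides along.
        body["software_package"] = {"name": pkg["name"], "version": pkg["version"]}
    elif software_package is not None:
        raise ValueError("software_package only applies to install_software")

    if action == "update_policy":
        if not policy_id:
            raise ValueError("update_policy requires policy_id")
        body["policy_id"] = policy_id
    elif policy_id is not None:
        raise ValueError("policy_id only applies to update_policy")

    if wipe_keep_enrollment is not None:
        if action != "wipe":
            raise ValueError("wipe_keep_enrollment only applies to wipe")
        if not isinstance(wipe_keep_enrollment, bool):
            raise ValueError("wipe_keep_enrollment must be a boolean")
        body["wipe_keep_enrollment"] = wipe_keep_enrollment
    return body


if __name__ == "__main__":
    print(build_action("lock", reason="Device reported lost by user"))
```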
Get compliance report
This endpoint returns a detailed compliance report for a single device. The report includes each evaluated policy, its pass/fail result, the timestamp of the last evaluation, and remediation steps for any violations.
Request
curl http://localhost:3000/v1/fleet/devices/dev_7xKpQ2mR4wVb/compliance \
-H "Authorization: Bearer {token}"
Response
{
"device_id": "dev_7xKpQ2mR4wVb",
"overall_status": "non_compliant",
"evaluated_at": 1708732800,
"next_evaluation_at": 1708819200,
"policies": [
{
"policy_id": "pol_disk_encryption",
"name": "Full Disk Encryption Required",
"status": "compliant",
"evaluated_at": 1708732800,
"details": "BitLocker active, AES-256 encryption"
},
{
"policy_id": "pol_os_update",
"name": "OS Within Supported Version",
"status": "non_compliant",
"evaluated_at": 1708732800,
"details": "Current: 10.0.22631.3007, Required: 10.0.22631.3085",
"remediation": "Install KB5034765 cumulative update"
},
{
"policy_id": "pol_antivirus",
"name": "Antivirus Active and Updated",
"status": "non_compliant",
"evaluated_at": 1708732800,
"details": "Crowdstrike Falcon agent not reporting. Last signal: 72h ago",
"remediation": "Restart Crowdstrike Falcon service or reinstall agent"
},
{
"policy_id": "pol_password",
"name": "Password Policy Compliance",
"status": "compliant",
"evaluated_at": 1708732800,
"details": "Password meets complexity and age requirements"
},
{
"policy_id": "pol_firewall",
"name": "Firewall Enabled",
"status": "compliant",
"evaluated_at": 1708732800,
"details": "Windows Defender Firewall active on all profiles"
}
],
"risk_score": 72,
"risk_level": "high"
}
Trigger UEM sync
This endpoint triggers a synchronization from one or more UEM platforms. The sync job is enqueued via BullMQ and processed asynchronously. During sync, new devices are registered, existing devices are updated, and removed devices are marked inactive. Each synced device is automatically mapped to a CMDB Configuration Item using the Intune/Workspace ONE mapper.
Required attributes
- `source` (string): The UEM platform to sync from: `intune`, `sccm`, `jamf`, or `workspace_one`.
Optional attributes
- `scope` (string): Sync scope: `full` or `incremental`. Defaults to `incremental`.
- `device_types` (array): Restrict sync to specific device types, e.g. `["laptop", "desktop"]`.
- `since` (timestamp): Only sync devices modified after this timestamp. Applies to `incremental` scope.
Request
curl -X POST http://localhost:3000/v1/fleet/sync \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
-d '{
"source": "intune",
"scope": "incremental",
"since": 1708646400
}'
Response
{
"sync_job_id": "sync_6jHtK4pR8uWn",
"source": "intune",
"scope": "incremental",
"status": "queued",
"queued_at": 1708733600,
"estimated_devices": 1247,
"previous_sync_at": 1708646400
}
Get sync status
This endpoint returns the current status of UEM synchronization jobs. You can check overall sync health or filter to a specific platform. The response includes progress metrics, error counts, and the timestamp of the last successful sync for each platform.
Optional attributes
- `source` (string): Filter by UEM platform: `intune`, `sccm`, `jamf`, or `workspace_one`.
- `sync_job_id` (string): Get status for a specific sync job by its ID.
Request
curl -G http://localhost:3000/v1/fleet/sync/status \
-H "Authorization: Bearer {token}" \
-d source=intune
Response
{
"sources": [
{
"source": "intune",
"status": "completed",
"last_sync_at": 1708733600,
"last_sync_duration_ms": 47200,
"devices_synced": 1247,
"devices_added": 12,
"devices_updated": 834,
"devices_removed": 3,
"errors": 0,
"next_scheduled_sync": 1708820000
}
],
"active_jobs": [],
"total_managed_devices": 3842
}
Fleet compliance summary
This endpoint returns fleet-wide compliance dashboard statistics. It provides aggregate counts by compliance status, device type, and UEM source, as well as the top compliance issues across the fleet. Use this to power compliance dashboards and executive reporting.
Optional attributes
- `device_type` (string): Filter summary to a specific device type.
- `uem_source` (string): Filter summary to a specific UEM platform.
Request
curl http://localhost:3000/v1/fleet/compliance/summary \
-H "Authorization: Bearer {token}"
Response
{
"total_devices": 3842,
"by_compliance_status": {
"compliant": 3214,
"non_compliant": 487,
"pending_evaluation": 98,
"not_applicable": 43
},
"compliance_rate": 83.6,
"by_device_type": {
"laptop": { "total": 1847, "compliant": 1623, "non_compliant": 189, "pending_evaluation": 35 },
"desktop": { "total": 982, "compliant": 891, "non_compliant": 78, "pending_evaluation": 13 },
"mobile": { "total": 743, "compliant": 512, "non_compliant": 198, "pending_evaluation": 33 },
"tablet": { "total": 156, "compliant": 112, "non_compliant": 27, "pending_evaluation": 17 },
"kiosk": { "total": 71, "compliant": 65, "non_compliant": 6, "pending_evaluation": 0 },
"iot_sensor": { "total": 34, "compliant": 8, "non_compliant": 0, "pending_evaluation": 0, "not_applicable": 26 },
"printer": { "total": 9, "compliant": 3, "non_compliant": 0, "pending_evaluation": 0, "not_applicable": 6 }
},
"by_uem_source": {
"intune": { "total": 2590, "compliant": 2198, "non_compliant": 312 },
"sccm": { "total": 421, "compliant": 389, "non_compliant": 28 },
"jamf": { "total": 614, "compliant": 498, "non_compliant": 97 },
"workspace_one": { "total": 174, "compliant": 112, "non_compliant": 50 },
"manual": { "total": 43, "compliant": 17, "non_compliant": 0 }
},
"top_compliance_issues": [
{ "issue": "os_outdated", "affected_devices": 231, "severity": "high" },
{ "issue": "antivirus_missing", "affected_devices": 127, "severity": "critical" },
{ "issue": "encryption_disabled", "affected_devices": 89, "severity": "critical" },
{ "issue": "password_policy_violation", "affected_devices": 74, "severity": "medium" },
{ "issue": "jailbroken", "affected_devices": 12, "severity": "critical" }
],
"evaluated_at": 1708732800
}
List available patches
This endpoint returns a list of available patches and their deployment status across the fleet. It shows which patches are pending, deployed, or failed, along with the number of devices in each state. Use this to track patch rollout progress and identify devices that need attention.
Optional attributes
- `limit` (integer): Limit the number of patches returned. Default is `20`, maximum is `100`.
- `os` (string): Filter patches by target operating system, e.g. `Windows 11`, `macOS 14`.
- `severity` (string): Filter by patch severity: `critical`, `important`, `moderate`, or `low`.
- `status` (string): Filter by deployment status: `available`, `deploying`, `deployed`, or `failed`.
Request
curl -G http://localhost:3000/v1/fleet/patches \
-H "Authorization: Bearer {token}" \
-d severity=critical \
-d os=Windows+11
Response
{
"has_more": true,
"data": [
{
"patch_id": "KB5034765",
"title": "2024-02 Cumulative Update for Windows 11 (22H2)",
"os": "Windows 11",
"severity": "critical",
"release_date": 1707868800,
"cve_ids": ["CVE-2024-21351", "CVE-2024-21412", "CVE-2024-21410"],
"deployment_status": {
"total_applicable": 1847,
"deployed": 1412,
"deploying": 203,
"pending": 187,
"failed": 45,
"not_applicable": 1995
},
"deployment_rate": 76.4,
"auto_deploy": true,
"deploy_deadline": 1709078400
},
{
"patch_id": "KB5034763",
"title": "2024-02 Security Update for .NET Framework",
"os": "Windows 11",
"severity": "critical",
"release_date": 1707868800,
"cve_ids": ["CVE-2024-21386", "CVE-2024-21404"],
"deployment_status": {
"total_applicable": 1623,
"deployed": 1580,
"deploying": 12,
"pending": 24,
"failed": 7,
"not_applicable": 2219
},
"deployment_rate": 97.4,
"auto_deploy": true,
"deploy_deadline": 1709078400
}
]
}
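To turn the patch list into a rollout priority queue, the following added example (not the platform's own code) ranks patches by severity, time left before `deploy_deadline`, and devices still unpatched. It assumes `deployed + deploying + pending + failed` should equal `total_applicable`, which holds for the response above but is not stated by the API; the sample records reuse the numbers from that response, and `now` is a constructed timestamp.

```python
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


def patch_exposure(patches, now):
    """Return one row per patch, most urgent first."""
    rows = []
    for p in patches:
        ds = p["deployment_status"]
        applicable = ds["total_applicable"]
        unpatched = applicable - ds["deployed"]
        # Assumed invariant: the four states partition the applicable devices.
        accounted = ds["deployed"] + ds["deploying"] + ds["pending"] + ds["failed"]
        days_left = (p["deploy_deadline"] - now) // 86400
        rows.append({
            "patch_id": p["patch_id"],
            "severity": p["severity"],
            "cve_count": len(p.get("cve_ids", [])),
            "unpatched": unpatched,
            "failed": ds["failed"],
            "exposure_pct": round(100 * unpatched / applicable, 1) if applicable else 0.0,
            "days_to_deadline": days_left,
            "overdue": days_left < 0 and unpatched > 0,
            "counts_consistent": accounted == applicable,
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 9),
                             r["days_to_deadline"], -r["unpatched"]))
    return rows


# Sample records trimmed from the response shown above.
SAMPLE_PATCHES = [
    {"patch_id": "KB5034763", "severity": "critical",
     "cve_ids": ["CVE-2024-21386", "CVE-2024-21404"],
     "deployment_status": {"total_applicable": 1623, "deployed": 1580,
                           "deploying": 12, "pending": 24, "failed": 7},
     "deploy_deadline": 1709078400},
    {"patch_id": "KB5034765", "severity": "critical",
     "cve_ids": ["CVE-2024-21351", "CVE-2024-21412", "CVE-2024-21410"],
     "deployment_status": {"total_applicable": 1847, "deployed": 1412,
                           "deploying": 203, "pending": 187, "failed": 45},
     "deploy_deadline": 1709078400},
]

if __name__ == "__main__":
    for row in patch_exposure(SAMPLE_PATCHES, now=1708733600):  # constructed clock
        print(row)
```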