Hey team!
During this morning’s Workflows Office Hours (10/23/2025), we received a great question:
How can we create a Workflow that identifies which devices are managed vs. unmanaged — by combining data from both the /devices endpoint and the /devices/{deviceId}/users endpoint?
As many of you know, the management status is only returned by:
GET /api/v1/devices/{deviceId}/users
This means that simply listing devices alone won’t tell you whether they are managed. Instead, the approach required is:
- List all devices via /devices
- For each device, call /devices/{deviceId}/users
- Inspect each user assignment to determine if that device is managed or unmanaged
Why is management status tied to the user?
Management state is tracked at the device + user level because the client certificate lives in the user context.
This leads to cases where:
- A device is managed for one user
- The same device may appear unmanaged for another user
…and it only shows as managed after a successful FastPass authentication.
So yes, it may feel unusual, but it reflects how trust is established in real-world device usage.
I created a sample Workflow that:
- Retrieves all devices
- Iterates through each device’s user assignments
- Extracts management status
- Writes results to a Workflows Table for reporting
Just after I completed my template, I found another way to get a report: using GET api/v1/devices with expand=userSummary. There is also a support article with a Postman script to create a nice report in HTML: https://support.okta.com/help/s/article/create-a-csv-report-of-devices-and-enrolled-users-using-an-api?language=en_US
getDeviceManagementStatus.folder (49.3 KB)
If you’d like to try it out, let me know — happy to share the template!
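
The list, iterate and inspect steps described in the post, as an added Python sketch (not part of the original post and not the attached Workflows template). The sample records are constructed, the two fetcher callables stand in for the two GET calls, and the response field names and the `MANAGED` / `NOT_MANAGED` values are assumptions about the API's response shape; the per-device rollup goes one step beyond the per-row table to surface devices that are managed for one user and unmanaged for another.

```python
# Constructed sample data standing in for the two API responses. The field
# names (profile.displayName, managementStatus, user.profile.login) are
# assumptions about the response shape, not taken from the post.
DEVICES = [
    {"id": "dev-1", "profile": {"displayName": "LAPTOP-A"}},
    {"id": "dev-2", "profile": {"displayName": "PHONE-B"}},
    {"id": "dev-3", "profile": {"displayName": "KIOSK-C"}},
]

def _link(status, login):
    return {"managementStatus": status, "user": {"profile": {"login": login}}}

DEVICE_USERS = {
    "dev-1": [_link("MANAGED", "alice@example.com"),
              _link("NOT_MANAGED", "bob@example.com")],
    "dev-2": [_link("NOT_MANAGED", "carol@example.com")],
    "dev-3": [],  # no user assignments, so no status can be read
}

def build_rows(list_devices, list_device_users):
    """Return one row per device + user pair, like the Workflows Table."""
    rows = []
    for device in list_devices():                     # GET /api/v1/devices
        for link in list_device_users(device["id"]):  # GET .../{deviceId}/users
            rows.append({
                "deviceId": device["id"],
                "deviceName": device.get("profile", {}).get("displayName", ""),
                "user": link.get("user", {}).get("profile", {}).get("login", ""),
                "managementStatus": link.get("managementStatus", "UNKNOWN"),
            })
    return rows

def summarize(rows, device_ids):
    """Roll up per device: a single status, MIXED, or NO_USERS."""
    summary = {}
    for dev in device_ids:
        statuses = {r["managementStatus"] for r in rows if r["deviceId"] == dev}
        if not statuses:
            summary[dev] = "NO_USERS"
        elif len(statuses) == 1:
            summary[dev] = statuses.pop()
        else:
            summary[dev] = "MIXED"
    return summary

ROWS = build_rows(lambda: DEVICES, lambda dev_id: DEVICE_USERS[dev_id])
SUMMARY = summarize(ROWS, [d["id"] for d in DEVICES])

if __name__ == "__main__":
    for dev, status in SUMMARY.items():
        print(dev, status)
```

A `MIXED` or `NO_USERS` result is the case to review by hand before treating a device as managed in any access decision.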