MDM device import (Intune & Jamf)
Pull every managed device from Microsoft Intune or Jamf Pro straight into your hardware register, instead of exporting a spreadsheet. The import matches devices by serial number, so running it again only updates what changed.
:::note Before you begin
You need:
- OnTrackio admin access on your workspace (`<slug>.app.ontrackio.com`) — the `admin`, `it-admin`, or `super-admin` role reaches Admin → Bulk import.
- Admin access to the source MDM (a Microsoft Entra app registration for Intune, or a Jamf Pro API client) to mint read-only credentials.
- The MDM connector configured and verified in Admin → Settings → Integrations — see Connect the MDM.

A typical fleet of 200–3,000 devices imports in about 10–30 seconds.
:::
What you get
The import reads each device's identity and current assignment from the MDM and writes it to a Hardware record. It never touches fields you maintain by hand.
| Capability | Supported | Notes |
|---|---|---|
| Bulk import every managed device | Yes | One action per source, from Admin → Bulk import |
| Match existing assets by serial number | Yes | The serial is the dedup key — re-imports update in place |
| Create new assets for unseen serials | Yes | Asset tag generated with your standard convention |
| Assign to a person automatically | Yes | By exact email match to an active OnTrackio user |
| Infer the hardware category | Yes | Best-effort from model and OS — re-categorise after import |
| Preserve fields you edited | Yes | Friendly name, CPU, RAM, storage, purchase price, and purchase date are never overwritten |
| Re-run safely (idempotent) | Yes | Unchanged devices are counted, not duplicated |
| Skip devices with no serial | Yes | Autopilot-only or virtual registrations are ignored — they aren't asset-trackable |
| Email or notify employees | No | The importer is silent; nobody is prompted to acknowledge a device they already use |
Supported sources
| Source | Covers | Manufacturer | Credentials |
|---|---|---|---|
| Microsoft Intune | Windows plus cross-platform fleets bundled with Microsoft 365 | Read from each device | Entra app registration — tenant ID, client ID, client secret |
| Jamf Pro | Apple fleet (macOS, iOS, iPadOS) | Always Apple | Jamf API client — tenant URL, client ID, client secret |
:::note Connector vs. serial lookup
The same Intune and Jamf credentials also power the Look up by serial button on the Hardware form. Configuring the connector once enables both — the per-serial lookup and the bulk MDM import described here.
:::
Step 1 — Connect the MDM
Bulk import is available only after the source connector reports Configured. Set credentials once in Settings → Integrations.
Microsoft Intune
- In Microsoft Entra, register an app and grant it the Microsoft Graph application permission `DeviceManagementManagedDevices.Read.All` with admin consent. Create a client secret and copy its value.
- In OnTrackio, go to Admin → Settings → Integrations and select the Microsoft Intune card.
- Fill in the fields below.

  | Field | Required | Notes |
  |---|---|---|
  | Enable Microsoft Intune integration | Yes | Turn on to activate the connector |
  | Tenant ID | Yes | The Entra directory (tenant) ID — usually the same directory as your Microsoft SSO |
  | App registration client ID | Yes | The application (client) ID from the app registration |
  | App registration client secret | Yes | The secret value, not its ID. Encrypted at rest |

- Select Test connection. OnTrackio requests an app-only Microsoft Graph bearer with the `.default` scope; a `2xx` response confirms the credentials and admin consent.
- Select Save changes in the main settings panel.
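To confirm that the app registration really is read-only, you can inspect the `roles` claim of an app-only Graph token obtained for it. The following is an added example, not OnTrackio or Microsoft code: it decodes the token payload without verifying the signature (inspection only), and the tenant ID, client ID and tokens in it are constructed placeholders.

```python
import base64
import json

# The one application permission this page asks for (Step 1, Microsoft Intune).
EXPECTED_ROLES = {"DeviceManagementManagedDevices.Read.All"}

def token_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_app_token(jwt, tenant_id, client_id):
    """Return findings; an empty list means the token matches the documented setup."""
    claims = token_claims(jwt)
    roles = set(claims.get("roles", []))          # application permissions
    findings = []
    if "scp" in claims:                           # scp marks a delegated (user) token
        findings.append("delegated token (scp present); connector expects app-only")
    findings += [f"missing application permission: {r}" for r in sorted(EXPECTED_ROLES - roles)]
    findings += [f"excess application permission: {r}" for r in sorted(roles - EXPECTED_ROLES)]
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the configured Tenant ID")
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append("appid/azp does not match the configured client ID")
    return findings

def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"typ": "JWT"})}.{enc(claims)}.constructed-signature'

# Constructed placeholder identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"

def demo():
    base = {"tid": TENANT, "appid": CLIENT}
    ok = constructed_token({**base, "roles": ["DeviceManagementManagedDevices.Read.All"]})
    broad = constructed_token({**base, "roles": [
        "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementManagedDevices.ReadWrite.All"]})
    return audit_app_token(ok, TENANT, CLIENT), audit_app_token(broad, TENANT, CLIENT)

if __name__ == "__main__":
    for findings in demo():
        print(findings or "OK: read-only, app-only token")
```
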
Jamf Pro
- In Jamf Pro, go to Settings → API roles and clients and create an API client with read access to computer inventory. Copy the client ID and the client secret (Jamf reveals the secret only once).
- In OnTrackio, go to Admin → Settings → Integrations and select the Jamf Pro card.
- Fill in the fields below.

  | Field | Required | Notes |
  |---|---|---|
  | Enable Jamf Pro lookup | Yes | Turn on to activate the connector |
  | Tenant URL | Yes | For example `https://acme.jamfcloud.com` — no trailing slash, no `/api` |
  | Client ID | Yes | The UUID from the API client |
  | Client Secret | Yes | The secret from the API client. Encrypted at rest |

- Select Test connection. OnTrackio requests a bearer from `/api/oauth/token`; a `2xx` response confirms the credentials.
- Select Save changes in the main settings panel.
:::warning Jamf secrets can't be re-read
Jamf shows the client secret only at creation time. If you rotate or lose it, generate a new secret in Jamf and re-save it here — there's no way to recover the old value.
:::
Step 2 — Run the import
- Go to Admin → Bulk import.
- Scroll to Import from your MDM. Each source shows a Configured or Not configured badge. If a source reads Not configured, finish Step 1 first.
- Under the configured source, select Import devices from Microsoft Intune (or Import devices from Jamf Pro).
- Confirm the prompt. OnTrackio pulls every managed device and creates or updates hardware records — this runs synchronously and may take 10–30 seconds for a typical fleet.
- Read the result banner. It summarises the run as created, updated, unchanged, and errors.
:::tip Re-run any time
The import is idempotent: matching serials update in place and identical devices count as unchanged. Re-run after a hardware refresh to pull new enrolments without creating duplicates.
:::
What the import writes
For each device, OnTrackio maps the MDM's record onto a Hardware row. New serials are created; known serials are updated field-by-field.
| Hardware field | Source | On re-import |
|---|---|---|
| Serial number | The MDM serial (the match key) | Never changes — it identifies the row |
| Manufacturer | Device manufacturer (Jamf is always Apple) | Overwritten when the MDM reports a value |
| Model | Human-readable model name | Overwritten when the MDM reports a value |
| Operating system | OS name | Overwritten when the MDM reports a value |
| OS version | OS version | Overwritten when the MDM reports a value |
| MAC address | Wi-Fi MAC (falls back to Ethernet) | Overwritten when the MDM reports a value |
| Asset tag | Generated with your standard convention | Set once on create; preserved after |
| Name | Derived (for example Alice's MacBook Pro) | Preserved — your renames stick |
| Category | Inferred from model and OS | Preserved — re-categorise freely |
| Status | assigned if the user matched, else available | Preserved |
| Condition | Defaults to good (MDMs don't report physical condition) | Preserved |
| CPU, RAM, storage | Left for you — raw specs go to the specifications JSON instead | Preserved |
| Purchase price, purchase date | Left for you — never sourced from the MDM | Preserved |
:::note Only MDM-sourced fields are touched
Updates overwrite identity fields (manufacturer, model, OS, OS version, MAC) and only when the MDM still reports a value — a field the MDM stops reporting is left as-is, never nulled. Everything you typed by hand survives a re-import.
:::
How assignment works
The MDM's assigned-user email is matched to an OnTrackio user. Matching is exact — there's no fuzzy lookup.
- OnTrackio reads the device's assigned-user email from the MDM (the user principal name for Intune, the inventory record's email for Jamf).
- It looks for an active OnTrackio user with that exact email.
- On a match, the device is created as assigned to that user, pre-acknowledged with a note `Imported from MDM (<source>)`. The employee isn't prompted to re-acknowledge a device they already hold.
- With no match, the device imports unassigned. Assign it by hand later — see Assign and recover hardware.
:::tip Import people first
Run the user import before the MDM import so assigned-user emails resolve. A device whose owner doesn't exist in OnTrackio yet imports unassigned.
:::
Every bulk import is recorded in the audit log with the run counts and the source name, so you have evidence of when the register was last synced.
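The write and assignment rules from the two sections above, modelled as an added example (an illustration of the documented behaviour, not OnTrackio's code). The field names, the `skipped` counter, the constructed sample devices, and the reading of "exact" as plain string equality are assumptions; asset-tag generation is left out.

```python
# Identity fields the page says are overwritten from the MDM on re-import.
IDENTITY_FIELDS = ("manufacturer", "model", "os", "os_version", "mac")

def import_devices(register, devices, active_users, source):
    """Merge MDM devices into `register` (dict keyed by serial); return run counts."""
    counts = {"created": 0, "updated": 0, "unchanged": 0, "skipped": 0}
    for dev in devices:
        serial = (dev.get("serial") or "").strip()
        if not serial:                       # Autopilot-only / virtual: not trackable
            counts["skipped"] += 1
            continue
        # Only values the MDM actually reports are candidates for writing.
        reported = {f: dev[f] for f in IDENTITY_FIELDS if dev.get(f)}
        row = register.get(serial)
        if row is None:
            email = dev.get("email")
            owner = email if email in active_users else None   # exact match only
            register[serial] = {
                **reported, "serial": serial, "condition": "good",
                "assigned_to": owner,
                "status": "assigned" if owner else "available",
                "note": f"Imported from MDM ({source})" if owner else None,
            }
            counts["created"] += 1
            continue
        # Known serial: touch identity fields only; never null a missing value.
        changed = {f: v for f, v in reported.items() if row.get(f) != v}
        row.update(changed)
        counts["updated" if changed else "unchanged"] += 1
    return counts

def demo():
    register, users = {}, {"alice@example.com"}          # constructed data
    first = [
        {"serial": "C02CONSTRUCT1", "manufacturer": "Apple", "model": "MacBook Pro",
         "os": "macOS", "os_version": "14.4", "email": "alice@example.com"},
        {"serial": "", "model": "Virtual Machine"},      # no serial: skipped
    ]
    run1 = import_devices(register, first, users, "jamf")
    register["C02CONSTRUCT1"]["name"] = "Design loaner"  # hand edit between runs
    # MDM stops reporting the model and reports a newer OS version.
    second = [{"serial": "C02CONSTRUCT1", "model": None, "os": "macOS", "os_version": "14.5"}]
    run2 = import_devices(register, second, users, "jamf")
    run3 = import_devices(register, second, users, "jamf")   # idempotent re-run
    return register, run1, run2, run3

if __name__ == "__main__":
    print(demo())
```
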
Troubleshooting
| Symptom | What to do |
|---|---|
| Source card reads Not configured on Bulk import | The connector isn't enabled or is missing credentials. Finish Step 1 in Settings → Integrations, then reload Bulk import. |
| Test connection fails for Intune | Microsoft returned an error. AADSTS7000215 means a bad client secret; AADSTS65001 means admin consent for DeviceManagementManagedDevices.Read.All is missing. Fix in Entra, then re-test. |
| Test connection fails for Jamf | The bearer request to /api/oauth/token was rejected. Confirm the Tenant URL has no trailing slash and no /api, and that the client ID and secret are current. |
| Result banner reports errors | Individual device rows failed during the run; the import still completed for the rest. Re-run to retry the failed rows — the importer is idempotent. |
| Devices missing after a successful import | Devices with no serial number are skipped by design (Autopilot-only or virtual registrations). Confirm the device reports a serial in the MDM. |
| A device imported unassigned that should have an owner | The assigned-user email had no exact match to an active OnTrackio user. Import or activate the user, then re-run, or assign the device by hand. |
| A friendly name or CPU value reverted after re-import | It shouldn't — those fields are preserved. Only manufacturer, model, OS, OS version, and MAC are overwritten from the MDM. |