The Token-based authentication offers the easiest way for a user to enroll their device. With this enrollment setting, AirWatch generates a token, which is placed within the enrollment URL.

For single-token authentication, the user accesses the link from the device to complete an enrollment and the AirWatch server references the token provided to the user.

For added security, set an expiration time (in hours) for each token. Setting an expiration minimizes the potential for another user to gain access to any information and features available to that device.

You may also decide to implement two factor authentication to take end-user identity verification a step further. With this authentication setting, the user must enter their user name and password upon accessing the enrollment link with the provided token.


  • Minimal work for an end user to enroll and authenticate their device.
  • Secure token use by setting expiration.
  • User does not need credentials for single-token authentication.


  • Requires either Simple Mail Transfer Protocol (SMTP) or Short Message Service (SMS) integration to send tokens to device.


  1. Administrator authorizes user device registration.
  2. Single use token generated and sent to user from AirWatch.
  3. User receives a token and navigates to enrollment URL. User is prompted for token and optionally two-factor authentication.
  4. Device enrollment process.
  5. AirWatch marks token as expired.

SMTP is included with SaaS deployments.