When integrating AirWatch with directory services, you can determine which users can enroll devices into your corporate deployment.

You can restrict enrollment to known users only or to configured groups only. Known users are user accounts that already exist in the AirWatch Console. Configured groups are directory service user groups that you have integrated with AirWatch; only users belonging to those groups may enroll. You can also limit the number of devices enrolled per organization group and save a set of restrictions as a reusable policy.

These options are available by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and choosing the Restrictions tab. The Restrictions tab allows you to customize enrollment restriction policies by organization group and user group roles.

  • Create and assign existing enrollment Restrictions policies using the Policy Settings.
  • Assign the policy to a user group under the Group Assignment Settings area.
  • Blacklist or whitelist devices by platform, operating system, UDID, IMEI, and so on.

For information about integrating your directory services groups with AirWatch, see Map Directory Services Group Information.

The settings available on the Restrictions tab are described below.
User Access Control

All user access control options are supported by Workspace ONE Direct Enrollment.

Restrict Enrollment to Known Users – Enable to allow enrollment only by users that already exist in the AirWatch Console, that is, directory users you added to the Console manually, one at a time or through batch import. Enabling this option is also a way to lock down enrollment after an initial deployment that allowed any directory user to enroll: from then on, only the accounts you have created can enroll, so you control enrollment user by user.

Disable this option to allow any directory user, including users who do not already exist in the Console, to enroll into AirWatch. The AirWatch user account is created automatically during enrollment.

Restrict Enrollment to Configured Groups – Enable to allow enrollment only by users belonging to All Groups or to Selected Groups (available only if you have integrated with user groups). Do not select this option unless you have integrated with your directory service user groups, because the check has no group memberships to evaluate otherwise.

Disable this option to allow all directory users to create new AirWatch user accounts during enrollment. In addition, you can select the Enterprise Wipe devices of users that are removed from configured groups option to automatically enterprise wipe the devices of any user who no longer belongs to any integrated user group (if All Groups is selected) or to one of the chosen groups (if Selected Groups is selected).

One option for integrating with user groups is to create an "MDM Approved" directory service group, import it to AirWatch, then add existing directory service user groups to the "MDM Approved" group as they become eligible for AirWatch MDM.

Set limit for maximum enrolled devices at this OG and below

Enable this option and enter a Device Limit to cap the number of devices that can enroll in the current organization group (OG) and its child OGs.

Setting a maximum number of enrolled devices is supported by Workspace ONE Direct Enrollment.

Note:

Enrollment restrictions are not applied to iOS devices enrolled through Apple's Device Enrollment Program (DEP), because the device information the restrictions evaluate is only received after the device has enrolled.
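To make the interaction of these settings concrete, the following Python model evaluates a sample enrollment against the options described above: the known-user and configured-group checks, platform and UDID blacklisting, the device limit counted across the OG and its children, the enterprise wipe of users removed from configured groups, and the DEP exception from the Note. This is an added illustrative example, not AirWatch or Workspace ONE code; the data model, the order in which checks run, and all names and values in the scenario are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RestrictionPolicy:
    # Assumed model of the Restrictions tab options, not the product's schema.
    restrict_to_known_users: bool = False
    restrict_to_configured_groups: bool = False
    selected_groups: Optional[set] = None      # None models "All Groups"
    wipe_on_group_removal: bool = False        # "Enterprise Wipe devices of users removed..."
    device_limit: Optional[int] = None         # None models "no limit"
    blocked_platforms: set = field(default_factory=set)   # blacklist by platform
    blocked_udids: set = field(default_factory=set)       # blacklist by UDID


@dataclass
class OrgGroup:
    name: str
    enrolled_udids: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def devices_at_and_below(self) -> int:
        # The limit applies "at this OG and below", so count the whole subtree.
        return len(self.enrolled_udids) + sum(
            child.devices_at_and_below() for child in self.children)


@dataclass
class EnrollmentRequest:
    username: str
    directory_groups: set   # groups the directory reports for this user
    platform: str
    udid: str
    dep: bool = False       # iOS device arriving through Apple DEP


def configured_groups(policy, integrated_groups):
    """'All Groups' means every integrated user group; otherwise the selection."""
    return integrated_groups if policy.selected_groups is None else policy.selected_groups


def evaluate(policy, og, known_users, integrated_groups, req):
    """Decide one enrollment request. Returns (allowed, reason)."""
    if req.dep:
        # Per the Note above: device details only arrive after enrollment.
        return True, "DEP enrollment: restrictions not applied"
    if req.platform in policy.blocked_platforms:
        return False, f"platform {req.platform} is blacklisted"
    if req.udid in policy.blocked_udids:
        return False, "UDID is blacklisted"
    if policy.restrict_to_known_users and req.username not in known_users:
        return False, "user does not already exist in the Console"
    if policy.restrict_to_configured_groups:
        allowed = configured_groups(policy, integrated_groups)
        # With no integrated groups 'allowed' is empty and nobody passes this check.
        if not (req.directory_groups & allowed):
            return False, "user is not in a configured user group"
    if policy.device_limit is not None and og.devices_at_and_below() >= policy.device_limit:
        return False, f"device limit {policy.device_limit} reached for {og.name} and below"
    if req.username not in known_users:
        return True, "allowed; user account created during enrollment"
    return True, "allowed"


def devices_to_enterprise_wipe(policy, integrated_groups, enrolled):
    """enrolled maps udid -> current directory groups of the owning user.
    Returns the UDIDs whose owner no longer belongs to any configured group."""
    if not (policy.restrict_to_configured_groups and policy.wipe_on_group_removal):
        return set()
    allowed = configured_groups(policy, integrated_groups)
    return {udid for udid, groups in enrolled.items() if not (groups & allowed)}


def demo():
    """Constructed scenario; OG names, users, groups and UDIDs are made up."""
    sales = OrgGroup("Sales", enrolled_udids={"udid-10", "udid-11"})
    corp = OrgGroup("Corp", enrolled_udids={"udid-01"}, children=[sales])
    integrated = {"MDM Approved", "Engineering"}
    known = {"alice"}
    policy = RestrictionPolicy(restrict_to_configured_groups=True,
                               selected_groups={"MDM Approved"},
                               wipe_on_group_removal=True, device_limit=3,
                               blocked_platforms={"Windows Mobile"})
    bob = EnrollmentRequest("bob", {"MDM Approved"}, "iOS", "udid-20")
    results = {
        # Corp alone holds 1 device, but Corp and below hold 3, so the limit bites.
        "bob_at_corp": evaluate(policy, corp, known, integrated, bob),
        "bob_at_sales": evaluate(policy, sales, known, integrated, bob),
        "carol": evaluate(policy, corp, known, integrated,
                          EnrollmentRequest("carol", {"Engineering"}, "iOS", "udid-21")),
        "dave": evaluate(policy, corp, known, integrated,
                         EnrollmentRequest("dave", {"MDM Approved"}, "Windows Mobile", "udid-22")),
        "erin_dep": evaluate(policy, corp, known, integrated,
                             EnrollmentRequest("erin", set(), "iOS", "udid-23", dep=True)),
    }
    wipe = devices_to_enterprise_wipe(policy, integrated,
                                      {"udid-01": {"MDM Approved"}, "udid-10": {"Engineering"}})
    return results, corp.devices_at_and_below(), wipe


if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print(name, outcome)
```

The scenario shows two points that are easy to miss in the UI: the device limit is evaluated over the whole OG subtree, so a request that passes every other check at Corp is still refused there while succeeding at the child OG, and a user in an integrated group that is not among the Selected Groups (carol) is refused even though the group itself is known to AirWatch.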