The Enrollment settings page lets you configure several options related to device and user enrollment. It is divided into several tabs, which are detailed below. For additional information on the various enrollment methods and strategies, see Device Enrollment Overview.

Authentication Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
Setting Description
Add Email Domain

This button is used for setting up the AirWatch Auto-Discovery Service to associate your email domain to your environment.

Authentication Mode(s)

Select the allowed authentication types, which include:

  • Basic – Basic user accounts (ones you create manually in the AirWatch Console) can enroll.
  • Directory – Directory user accounts (ones that you have imported or allowed using directory service integration) can enroll. Directory users, with or without SAML, are supported by Workspace ONE Direct Enrollment.
  • Authentication Proxy – Allows users to enroll using Authentication Proxy user accounts. Users will authenticate to a web endpoint.
Devices Enrollment Mode

Select the preferred device enrollment mode, which includes:

  • Open Enrollment – Essentially allows anyone meeting the other enrollment criteria (authentication mode, restrictions, etc.) to enroll. Open enrollment is supported by Workspace ONE Direct Enrollment.
  • Registered Devices Only – Only allows users to enroll using devices you or they have registered. Device registration is the process of adding corporate devices to the AirWatch Console before they are enrolled. For more information on registering devices, refer to the Enrollment section of the VMware AirWatch Mobile Device Management Guide. Allowing only registered devices to enroll is supported by Workspace ONE Direct Enrollment but only if registration tokens are not required.
Require Registration Token

Visible only when Registered Devices Only is selected.

If you restrict enrollment to registered devices only, you also have the option of requiring a registration token to be used for enrollment. This increases security by confirming that a particular user is authorized to enroll. You can send an email or SMS message with the enrollment token attached to users with AirWatch accounts. For more information on these settings, see Enable Registration Tokens and Create a Default Message.

Require Agent Enrollment for iOS

Select this check box to require iOS device users to download and install the Agent before they can enroll.

Require Agent Enrollment for macOS

Select this check box to require macOS device users to download and install the Agent before they can enroll.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.
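
The following is an added example, not AirWatch code: a simplified model of how Current Setting and Child Permission decide which Authentication values actually apply at each organization group, with a small review pass over the result. The OG class, its field names, the sample hierarchy and the review rules are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OG:
    name: str
    parent: Optional["OG"] = None
    current_setting: str = "Inherit"               # "Inherit" or "Override"
    child_permission: str = "Inherit or Override"  # or "Inherit only" / "Override only"
    settings: dict = field(default_factory=dict)   # read only when this OG overrides

def effective(og):
    """Return (name of the OG whose values apply, those values) for `og`."""
    node = og
    while node.current_setting == "Inherit" and node.parent is not None:
        node = node.parent      # the parent may itself inherit, so keep walking up
    return node.name, node.settings

def audit(ogs):
    """Collect (OG name, finding) pairs; the review rules are this example's choice."""
    findings = []
    for og in ogs:
        allowed = og.parent.child_permission if og.parent is not None else "Inherit or Override"
        if allowed == "Inherit only" and og.current_setting == "Override":
            findings.append((og.name, "overrides, but parent permits Inherit only"))
        if allowed == "Override only" and og.current_setting == "Inherit":
            findings.append((og.name, "inherits, but parent permits Override only"))
        source, s = effective(og)
        if s.get("enrollment_mode") == "Open Enrollment":
            findings.append((og.name, f"Open Enrollment in effect (set at {source})"))
        elif not s.get("require_registration_token", False):
            findings.append((og.name, f"no registration token required (set at {source})"))
    return findings

# Constructed sample hierarchy (hypothetical OG names and values).
ROOT = OG("Global", None, "Override", "Inherit or Override",
          {"enrollment_mode": "Registered Devices Only", "require_registration_token": True})
EMEA = OG("EMEA", ROOT, "Inherit", "Inherit only")
SALES = OG("EMEA-Sales", EMEA, "Override", "Inherit or Override",
           {"enrollment_mode": "Open Enrollment"})
LABS = OG("Labs", ROOT, "Override", "Inherit or Override",
          {"enrollment_mode": "Registered Devices Only", "require_registration_token": False})
ALL_OGS = [ROOT, EMEA, SALES, LABS]

if __name__ == "__main__":
    for name, finding in audit(ALL_OGS):
        print(f"{name}: {finding}")
```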

Terms of Use Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
Setting Description
Require Enrollment Terms of Use Acceptance

Require that end users accept an end user license agreement (terms of service) at some point during the enrollment process.

Terms of use is fully supported by Workspace ONE Direct Enrollment.

Add New Enrollment Terms of Use

Click this button to open the Terms of Use dialog, where you can quickly create a custom enrollment terms of use message.

For more information on creating an enrollment terms of use, please see the Terms of Use section of the VMware AirWatch Mobile Device Management Guide, available on AirWatch Resources.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Grouping Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
Setting Description
Group ID Assignment Mode

All assignment modes are supported by Workspace ONE Direct Enrollment.

  • Default – Select this option if users are provided with Group IDs for enrollment. The Group ID used determines what organization group the user is assigned to.
  • Prompt User to Select Group ID – Enable this option to allow directory service users to select a Group ID from a list upon enrollment. The Group ID Assignment section lists available organization groups and their associated Group IDs. This listing does not require you to perform group assignment mapping, but does mean users have the potential to select an incorrect Group ID.
  • Automatically Select Based on User Group – This option only applies if you are integrating with user groups. Enable this option to ensure that users are automatically assigned to organization groups based on their directory service group assignments. The Group Assignment Settings section lists all the organization groups for the environment and their associated directory service user groups. Select the Edit Group Assignment button to modify the organization group/user group associations and set the rank of precedence each group has.

    For example, you have three groups, Executive, Sales, and Global, which are ranked in order of job role. Everyone is a member of Global, so if you were to rank that user group first, it puts all your users into a single organization group. By ranking Executive first instead, you ensure the small number of people belonging to that group are placed in their own organization group. By ranking Sales second, you ensure that all Sales employees are placed in an organization group specific to sales. Ranking Global third means anyone not already assigned to a group is placed in a separate organization group.

Default

Setting Description
Default Device Ownership

Select the default Device Ownership of devices enrolling into the current organization group.

Setting a default device ownership is supported by Workspace ONE Direct Enrollment.

Default Role

Select the default roles assigned to users at the current organization group, which can affect access to the Self-Service Portal.

Setting a default role is supported by Workspace ONE Direct Enrollment.

Default Action for Inactive Users

Select the default action that will impact Active Directory users if their devices become inactive.

Setting a default action for inactive users is supported by Workspace ONE Direct Enrollment.

User Group Sync

Setting Description
Sync User Groups in Real Time for Workspace ONE

When enabled, Workspace ONE syncs user groups for a given user as they register with the AirWatch Console. Enable this only if user groups change frequently, because it negatively impacts performance.

User Role Mapping

Setting Description
Enable Directory Group-Based Mapping

Check this box to enable ranked assignments that link a directory user group to a specific AirWatch role. Users belonging to a particular group will be assigned the associated roles. If they belong to more than one group they will take the highest ranked pairing.

You can edit the order in which role-infused user groups are ranked by selecting the Edit assignment button.

This option is supported by Workspace ONE Direct Enrollment.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Restrictions Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.

Enrollment Restrictions

Setting Description
User Access Control

All user access control options are supported by Workspace ONE Direct Enrollment.

Restrict Enrollment to Known Users – Enable to restrict enrollment only to users that already exist in the AirWatch Console. This applies to directory users you manually added to the AirWatch Console one by one or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll. This enables you to selectively allow users to enroll.

Disable this option to allow all directory users who do not already exist in the Admin Console to enroll into AirWatch. AirWatch user accounts are automatically created during enrollment.

Restrict Enrollment to Configured Groups – Enable to restrict enrollment and only allow users belonging to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. You should not select this option if you have not integrated with your directory services user groups.

Disable this option to allow all directory users to create new AirWatch user accounts during enrollment. In addition, you can select the Enterprise Wipe devices of users that are removed from configured groups option to automatically enterprise wipe any devices not belonging to any user group (if All Groups is selected) or a particular user group (if Selected Groups is selected).

One option for integrating with user groups is to create an "MDM Approved" directory service group, import it to AirWatch, then add existing directory service user groups to the "MDM Approved" group as they become eligible for AirWatch MDM.

Set limit for maximum enrolled devices at this OG and below

Enable this option and enter a Device Limit to limit the number of devices allowed to enroll in the current organization group (OG).

Setting a maximum number of enrolled devices is supported by Workspace ONE Direct Enrollment.

Policy Settings

  • Add Policy – Click this button to add an enrollment restriction policy, which lets you define allowed ownership types, enrollment types, device limits, and more.

    Setting Description
    Enrollment Restriction Policy Name

    Enter a name for your enrollment restriction policy.

    Organization Group

    Choose an organization group from the drop-down field. This is the OG to which your new enrollment restriction policy applies.

    Policy Type

    Select the type of enrollment restriction policy, which can be either Organization Group Default to apply to the selected organization group, or User Group Policy for specific User Groups through Group Assignment Settings on the Restrictions tab.

    Allowed Ownership Types

    Choose whether to permit or prevent Corporate - Dedicated, Corporate - Shared, and Employee Owned devices.

    Workspace ONE Direct Enrollment only supports the ownership types Corporate Dedicated and Employee Owned.

    Allowed Enrollment Types

    Choose whether to permit or prevent the enrollment of devices using MDM (AirWatch Agent) and AirWatch Container (for iOS/Android) apps.

    Device Limit per User

    Select Unlimited to allow users to enroll as many devices as they want. Setting a device limit per user is supported by Workspace ONE Direct Enrollment.

    Uncheck this box to enter values for the Device Limit Per User section, to define the maximum number of devices per ownership type.

    • Maximum Devices Per User
    • Shared Max Devices
    • Corporate Max Devices
    • Employee Owned Max Devices
    Allowed Device Types

    Select the Limit enrollment to specific platforms, models or operating systems checkbox to add additional device-specific restrictions.

    This option is supported by Workspace ONE Direct Enrollment.

    Note:

    Current Microsoft functionality dictates that you cannot blacklist Windows Phone devices by IMEI or UDID.

    Device Level Restrictions Mode

    This field is only available if Limit enrollment to specific platforms, models or operating systems is selected in the Allowed Device Types field.

    Determine the kind of device limitations you should have.

    • Only allow listed device types (Whitelist) – Select this option to explicitly allow only devices matching the parameters you enter and to block everything else.
    • Block listed device types (Blacklist) – Select this option to explicitly block devices matching the parameters you enter and to allow everything else.

    For either device-level restrictions mode, select Add Device Restriction to choose a Platform, Model, Manufacturer (specific to Android devices), Operating System, or Enterprise Version. You may also add a Device Limit per defined device restriction. You may add multiple device restrictions.

    You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.

    This option is supported by Workspace ONE Direct Enrollment.

Group Assignment Settings

  • Edit Group Policies – This button enables you to configure ranked assignments that link a directory user group to a specific AirWatch enrollment restriction policy. Users belonging to a particular group must adhere to the associated restriction policy. If they belong to more than one group they will take the highest ranked pairing.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.
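
The following is an added example, not AirWatch code: it models the ranked user group pairings (Edit Group Policies, and the same rule behind the Executive, Sales, Global ranking described on the Grouping tab) together with the ownership, per-user device limit and whitelist/blacklist checks of an enrollment restriction policy. The Policy class, the order of the checks, the policy names and the sample device values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    name: str
    allowed_ownership: set
    device_limit: Optional[int] = None         # None models "Unlimited"
    mode: Optional[str] = None                 # "whitelist", "blacklist" or None
    rules: list = field(default_factory=list)  # each rule: device attributes to match

def resolve_policy(user_groups, ranked_pairs, og_default):
    """Highest-ranked pairing wins; users in no listed group get the OG default."""
    for group, policy in ranked_pairs:         # index 0 is rank 1
        if group in user_groups:
            return policy
    return og_default

def evaluate(user_groups, device, already_enrolled, ranked_pairs, og_default):
    """Return (policy name, allowed?, reason). The check order is an assumption."""
    policy = resolve_policy(user_groups, ranked_pairs, og_default)
    if device["ownership"] not in policy.allowed_ownership:
        return policy.name, False, "ownership type not allowed"
    if policy.device_limit is not None and already_enrolled >= policy.device_limit:
        return policy.name, False, "device limit per user reached"
    if policy.mode is not None:
        listed = any(all(device.get(k) == v for k, v in rule.items())
                     for rule in policy.rules)
        if policy.mode == "whitelist" and not listed:
            return policy.name, False, "device type not on whitelist"
        if policy.mode == "blacklist" and listed:
            return policy.name, False, "device type on blacklist"
    return policy.name, True, "allowed"

# Constructed policies and pairings (all names and values are illustrative).
EXEC = Policy("exec", {"Corporate - Dedicated"}, 2, "whitelist",
              [{"platform": "Apple iOS"}])
SALES = Policy("sales", {"Corporate - Dedicated", "Employee Owned"}, 3, "blacklist",
               [{"platform": "Android", "manufacturer": "ExampleCo"}])
GLOBAL = Policy("global", {"Employee Owned"}, 1)
OG_DEFAULT = Policy("og-default", {"Corporate - Dedicated"}, 1)

RANKED = [("Executive", EXEC), ("Sales", SALES), ("Global", GLOBAL)]
MISRANKED = [("Global", GLOBAL), ("Executive", EXEC), ("Sales", SALES)]

PHONE = {"ownership": "Employee Owned", "platform": "Android",
         "manufacturer": "ExampleCo"}

if __name__ == "__main__":
    member = {"Sales", "Global"}               # a Sales user is also in Global
    print(evaluate(member, PHONE, 0, RANKED, OG_DEFAULT))
    print(evaluate(member, PHONE, 0, MISRANKED, OG_DEFAULT))
```

With the catch-all group ranked first, the Sales blacklist never applies to a Sales user, which is why the ranking order deserves review whenever a group is added.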

Optional Prompt Tab

The optional prompt settings let you configure various prompts that you set to display or not display during device enrollment. These optional prompts are web-based and are therefore cross-platform unless otherwise specified.

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
Setting Description
Prompt for Device Ownership Type

You can prompt the end user to select their device ownership type. Otherwise, configure a default device ownership type for the current organization group.

This option is supported by Workspace ONE Direct Enrollment.

Display Welcome Message

You can display a welcome message for your users early in the device enrollment process. You may configure both the header and the body of this welcome message by navigating to System > Localization > Localization Editor. Next, select the labels 'EnrollmentWelcomeMessageHeader' and 'EnrollmentWelcomeMessageBody' respectively.

Display MDM Installation Message

You can display a message for your users during the device enrollment process. You can configure both the header and the body of this MDM installation message by navigating to System > Localization > Localization Editor. Next, select the labels 'EnrollmentMdmInstallationMessageHeader' and 'EnrollmentMdmInstallationMessageBody' respectively.

If you choose to customize your own header and body messages using the Localization Editor, you must opt to 'Override' in the Current Setting option. Doing so ensures that your customizations are used instead of the default messages.

In addition to making one-off localization changes, you can also make localization changes in bulk by uploading an edited comma-separated values (CSV) file. Download this localization template CSV file by navigating to System > Localization > Localization Editor and selecting the Modify button. Edit the file per your preferences to effect bulk localization changes and upload it using the same screen.

Enable Enrollment Email Prompt

You can prompt the user to enter their email credentials during enrollment.

Note:

The Enrollment Email Prompt requests the email address from the end user to populate that option in the user record automatically. This data is beneficial to organizations deploying email to devices using the {EmailAddress} lookup value.

Enable Device Asset Number Prompt

You can prompt the user to enter the device asset number during enrollment.

This option is supported by Workspace ONE Direct Enrollment but only when Prompt for Device Ownership Type is enabled and only for Corporate Owned devices.

Display Enrollment Transition Messages (Android Only)

You can display or hide enrollment messages on Android devices.

Enable TLS Mutual Auth for Windows

You can force Windows Phone and Windows Devices to use endpoints secured by TLS Mutual Authentication, which requires extra setup and configuration. Contact AirWatch Support for assistance.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Customization Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
Setting Description
Use specific Message Template for each Platform

Select this check box to use different enrollment message templates for the different platforms.

This option is supported by Workspace ONE Direct Enrollment.

Enrollment Support Email

Enter the contact email for MDM support which will be displayed to users during enrollment.

Enrollment Support Phone

Enter the contact phone number for MDM support which will be displayed to users during enrollment.

Post-Enrollment Landing URL (iOS Only)

Enter the URL of the webpage you want end users redirected to after they enroll their devices. This field can be blank.

This option is supported by Workspace ONE Direct Enrollment.

MDM Profile Message (iOS Only)

Enter the message you would like your users to see during the install MDM prompt. This field is optional and can be left blank.

This option is supported by Workspace ONE Direct Enrollment.

Use Custom MDM Applications

Configure MDM Apps by adding them as managed applications and assigning them to MDM application groups.

This option is supported by Workspace ONE Direct Enrollment.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.