Your organization must evaluate the number and kinds of devices your employees own. They must also determine which devices to use in your work environment. After this work is complete, you can save these enrollment restrictions as a policy.
- Navigate to Devices > Device Settings > Devices & Users > General > Enrollment.
- Select the Restrictions tab and then select Add Policy located in the Policy Settings section.
In the Add/Edit Enrollment Restriction Policy screen, add an enrollment restriction policy.
Setting Description Enrollment Restriction Policy Name Enter a name for your enrollment restriction policy. Organization
Choose an organization group from the drop-down field. This is the OG to which your new enrollment restriction policy applies. Policy Type Select the type of enrollment restriction policy, which can be either Organization Group Default to apply to the selected organization group, or User Group Policy for specific User Groups through Group Assignment Settings on the Restrictions tab. Allowed
Choose whether to permit or prevent Corporate - Dedicated, Corporate - Shared, and Employee Owned devices.
Workspace ONE Direct Enrollment only supports the ownership types Corporate Dedicated and Employee Owned.
Choose whether to permit or prevent the enrollment of devices using MDM (AirWatch Agent) and AirWatch Container (for iOS/Android) apps. Device Limit per User
Select Unlimited to allow users to enroll as many devices as they want. Setting a device limit per user is supported by Workspace ONE Direct Enrollment.
Uncheck this box to enter values for the Device Limit Per User section, to define the maximum number of devices per ownership type.
- Maximum Devices Per User
- Shared Max Devices
- Corporate Max Devices
- Employee Owned Max Devices
Select the Limit enrollment to specific platforms, models or operating systems checkbox to add additional device-specific restrictions.
This option is supported by Workspace ONE Direct Enrollment.Note:
Current Microsoft functionality dictates that you cannot blacklist Windows Phone devices by IMEI or UDID.
Device Level Restrictions Mode
This field is only available if Limit enrollment to specific platforms, models or operating systems is selected in the Allowed Device Types field.
Determine the kind of device limitations you should have.
- Only allow listed device types (Whitelist) – Select this option to explicitly allow only devices matching the parameters you enter and to block everything else.
- Block listed device types (Blacklist) – Select this option to explicitly block devices matching the parameters you enter and to allow everything else.
For either device-level restrictions mode, select Add Device Restriction to choose a Platform, Model, Manufacturer (specific to Android devices), or Operating System. You may also add a Device Limit per defined device restriction. You may add multiple device restrictions.
You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.
This option is supported by Workspace ONE Direct Enrollment.
- Select Save to save your changes and navigate back to the Devices & Users / General / Enrollment screen.