You can configure an access policy rule in the Workspace ONE Access default access policy to authenticate users for device enrollment into Workspace ONE UEM.

When the device enrollment rule is applied, users who sign into the Workspace ONE Intelligent Hub app on a device that is not enrolled are authenticated according to the Device Enrollment rule. After they are authenticated, the Intelligent Hub app facilitates the enrollment with Workspace ONE UEM. After a device is enrolled, users are prompted to sign in to the Intelligent Hub using the authentication method configured in the default access policy for mobile single sign-on to an iOS or Android device.

You can configure an access policy rule in the Workspace ONE Access default access policy to authenticate users for device enrollment or registration through the Workspace ONE Intelligent Hub app into Workspace ONE UEM. This policy only applies to a user enrolling or registering with the Workspace ONE Intelligent Hub app. This policy does not apply to staging workflows nor Web or Apple DEP enrollments.


  • Workspace ONE Access must be enabled as the authentication source in Workspace ONE UEM.
    Note: To see which service is the source for authentication in the Intelligent Hub app, in the UEM console go to the Devices > Device Settings > Devices & Users > General > Enrollment > Authentication tab.
  • Authentication methods that are used for device enrollment authentication configured in Workspace ONE Access.
  • Workspace ONE Intelligent Hub app installed on iOS or Android device.


  1. In the Workspace ONE Access console, navigate to Manage > Policies and click EDIT DEFAULT POLICY.
  2. On the Definition page, verify the default policy name and click Next.
  3. On the Configuration page, click + ADD POLICY RULE.
    Option Description
    If a user's network range is Select the network range.
    and user accessing content from Select Device Enrollment as the device type.
    and user belongs to groups If this access rule is going to apply to specific groups, search for the groups in the search box.

    If no group is selected, the access policy rule applies to all users.

    Then perform this action Select Authenticate using....
    then the user may authenticate using Select the authentication method that the enrollment policy requires.

    To set up multi-factor authentication, click + and select the MFA method to use.

    If the preceding method fails or is not applicable, then You can configure fallback authentication.
    Reauthenticate after Select the length of the session, after which users must authenticate again.
  4. Click Save.
  5. Click ADD POLICY RULE to add rules for mobile single sign-on for iOS and Android devices.
  6. On the Configuration page, order the rules to make sure that the Device Enrollment rule is listed above the iOS and Android mobile SSO rules.