The Workspace ONE App is a legacy application and is no longer updated. The Workspace ONE Intelligent Hub app is the app that users now use to enroll their devices into Workspace ONE UEM and to access their company resources.

Admins can block new enrollments from the Workspace ONE app without blocking enrollment through the Workspace ONE Intelligent Hub app. You create an access policy rule for device enrollment through the Workspace ONE Intelligent Hub app and make it the first rule on the default access policy list.

See Configure Device Enrollment Policy Rules for Workspace ONE UEM Enrollments in Workspace ONE Access.

The legacy Workspace ONE app does not support the Device Enrollment access policy rule. When new users attempt to use the Workspace ONE app to enroll their iOS or Android device, they are denied access and cannot be authenticated. They must use the Workspace ONE Intelligent Hub app to enroll their devices before they can access their resources.

You can configure a custom denial message that displays when they are not authenticated to tell users that they must install the Workspace ONE Intelligent Hub app before they can enroll their device.

The Workspace ONE Intelligent Hub app allows users to authenticate initially using a password and successfully sends the enrollment flag to Workspace ONE UEM. The Mobile SSO policy rule handles subsequent access authentications since the device now has the certificate from the initial enrollment.

Prerequisites

  • Workspace ONE Access enabled as the authentication source in Workspace ONE UEM.
  • Hub Services configured with the unified Hub catalog.
  • Rules for mobile single sign-on for iOS and Android devices are configured in the default access policy.
  • Communicate to your users about the end of life for the Workspace ONE app and ask them to install the Intelligent Hub app.
    Note: Existing users can still log in using the Workspace ONE app.

Procedure

  1. In the Workspace ONE Access console, navigate to Manage > Policies and create the device enrollment rule.
    Workspace ONE Access Device Enrollment Access Policy Rule
  2. Click Advanced Properties and in the Custom Error Message text box, type an error message that tells users to download the Workspace ONE Intelligent Hub app and try again.
  3. On the Configuration page, order the rules to make sure that the Device Enrollment rule is listed above the iOS and Android mobile SSO rules.
    Workspace ONE Access Policy Order for Device Enrollment

Results

After the access policy is set up, the new user experience is as follows.

  1. Users who try to enroll with the Workspace ONE app are not authenticated because the first rule in the access policy is requesting enrollment with the Intelligent Hub app.
  2. User must install the Intelligent Hub app on their device.
  3. The first time users use the Intelligent Hub app to sign on, they are authenticated based on the device enrollment policy rule and are asked to enroll their device.
  4. The next time they use the Intelligent Hub app to access Workspace ONE, they are authenticated according to the mobile SSO rules.