When users receive a new Dell® Windows 10 device with out-of-box (OOBE) provisioning enabled in the Workspace ONE UEM Windows 10 Provisioning Service, you can configure an authentication method in Workspace ONE Access to manage Workspace ONE Intelligent Hub app log ins.

IMPORTANT: WORKSPACE ONE APPLICATION EOL

The Workspace ONE App and Web Portal is end-of-life on May 15, 2022. Customers who have the Workspace ONE Apps deployed should migrate users immediately to the Workspace ONE Intelligent Hub app, available in the App Store and Play Store.

To deliver this OOBE with the Workspace ONE Intelligent Hub app, you must enable the External Access Token authentication method as part of the Workspace ONE UEM integration. Then the authentication method is enabled in the built-in provider. You then create an access policy rule to use the External Access Token authentication method.

The Workspace ONE OOBE runs the Workspace ONE Intelligent Hub app without requiring users to enter their sign-in credentials a second time. If this authentication method is not enabled, users must sign in to Workspace ONE in addition to signing in to the device during the Windows registration process.

Activate the External Access Token

In the Workspace ONE Access service, the External Access Token authentication method is unique to the Workspace ONE UEM integration and is required for both single sign-on (SSO) and triggering the out-of-box experience (OOBE) in the Workspace ONE Intelligent Hub app on Windows 10 devices.

When using External Access Token authentication, Workspace ONE UEM must be integrated with Workspace ONE Access.

  • External Access Token Authentication enabled on the Integrations > UEM Integration page .
  • AirWatch Provisioning Service for Windows 10 devices configured.

The configuration of External Access Token is read-only and is based off the Workspace ONE UEM configuration with the Workspace ONE Access service The exception is the token lifetime field.

  1. In the Workspace ONE Access console Integrations > Authentication Methods page, select Workspace ONE UEM External Access Token.
  2. In the Workspace ONE UEM External Access Token page, click CONFIGURE and configure the settings.
    Option Description
    Enable Workspace ONE UEM External Access Token Authentication This check box is enabled on the Components > UEM Integration page in the admin console.
    Workspace ONE UEM Admin Console URL Pre-populated with the Workspace ONE UEM admin console URL.

    Workspace ONE UEM API Key

    Pre-populated with the Workspace ONE UEM Admin API key.

    Certificate Used for Authentication Pre-populated with the AirWatch Cloud Connector certificate.
    Password for Certificate Pre-populated with the password for the AirWatch Cloud Connector certificate.
    Workspace ONE UEM External Access Token Lifetime in Seconds The access token is used to validate the authentication with Workspace ONE Access. Access tokens have a limited lifetime. The time configured is the maximum time that the access token is valid. The token life is editable and defaulted to 600 seconds, which is 10 minutes.

    If the access token expires, users are prompted to authenticate again in the Workspace ONE Intelligent Hub app.

  3. Click SAVE.

Associate the Workspace ONE UEM External Access Token authentication method in the built-in identity provider. See Configure a Built-in Identity Provider in Workspace ONE Access

After the Workspace ONE UEM External Access Token is associated to the built-in identity provider, create an access policy rule to use this authentication method. See Create Access Policy in Workspace ONE Access for Workspace ONE Intelligent Hub Out-of-Box Experience Process.