To authenticate users before they register their Workspace ONE Intelligent Hub iOS and Android devices in Workspace ONE UEM, in Workspace ONE Access enable UEM Token as the authentication method. In the Workspace ONE UEM console, change the source of authentication from Workspace ONE UEM to Workspace ONE Access.

In the Workspace ONE UEM service, a registration token is created when users register their devices in Workspace ONE UEM. If UEM Token authentication is not enabled in Workspace ONE Access, users are authenticated in the Workspace ONE UEM service. After which users are required to authenticate again with Workspace ONE Access.

When UEM Token authentication is enabled, Workspace ONE Access is used to identify and authenticate users’ devices that are in registered mode. Android devices, which do not have a Workspace ONE UEM certificate at the time of enrollment, are also identified and authenticated.

The Workspace ONE Intelligent Hub app coordinates between the Workspace ONE UEM service and the Workspace ONE Access tenants to confirm the user and validity of the UEM enrollment token.

Note: UEM Token authentication works with Workspace ONE UEM version 2210 and later.


  • Workspace ONE UEM version 22.10 or later integrated with Workspace ONE Access (Cloud-only).
  • Users configured in Active Directory.

    Local basic users synced from the Workspace ONE UEM service are not supported for UEM Token.

  • Workspace ONE Intelligent Hub iOS and Android versions 22.6 or later.
  • Workspace ONE UEM console configured with Workspace ONE Access as the source of authentication.
      1. In Workspace ONE UEM console, select the Customer OG and navigate to Devices & Users > General > Enrollment > Authentication.
      2. Enable Workspace ONE Access as the Source of Authentication for Intelligent Hub.
      3. In Devices Enrollment Mode, select Registered Devices Only.
      4. Enable Require Registration Token.


  1. In the Workspace ONE Access console Integrations > Authentication Methods page, select UEM Token.
  2. Click CONFIGURE and enable UEM Token Authentication Adapter.
  3. Click SAVE.
  4. Navigate to the Identity Providers page and select the built-in identity provider that is already configured.
    1. In the Authentication Methods section, enable UEM Token.
    2. Click Save.

Create a Device Enrollment Policy Rule

In the default_access_Policy_ set, create a device enrollment rule or if you have an existing device enrollment rule edit the rule, to set up UEM token as the authentication method to use.

  1. In the Workspace ONE Access console, navigate to Resources > Policies and click default_access_policy_set.
  2. Click EDIT and click NEXT.
  3. On the Configuration page, to add a new device enrollment rule click + ADD POLICY RULE otherwise edit the existing device enrollment rule.



    If a user's network range is

    Select the network range that workers can use to sign in and access apps.

    and user accessing content from

    Select the type of device that this rule applies to. Select Device Enrollment for a policy rule that applies to all cases of access.

    and user belongs to groups

    If this access rule is going to apply to specific groups, search for the groups in the search box.

    If no group is selected, the access policy rule applies to all users.

    Then perform this action

    Select Authenticate using...

    then the user may authenticate using

    Select UEM Token.

    (optional) Click + to add a second factor authentication, such as Password or Authenticator App.

  4. Click SAVE.
  5. Click NEXT.
  6. On the Configuration page, review the authentication order. You can drag the rule rows to change the order that rules are applied.