You must meet the UEM Console requirements as well as the hardware, software, and network recommendations to successfully deploy the SEG.

UEM Console Requirements

  • AirWatch Console 9.0.3 or later
  • REST API must be enabled for the Organization Group type, Customer.
Prerequisite: Enable REST API

To configure the REST API URL for your Workspace ONE UEM environment:

  1. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.
  2. The Workspace ONE UEM gets the API certificate from the REST API URL that is on the Site URLs page. For SaaS deployments, use the format as

You can configure the SEG V2 at a container organization group that inherits the REST API settings from a customer type organization group.

Hardware Requirements

A SEG V2 server can be either a virtual or physical server .

Note the following when deploying SEG V2:

  • An Intel processor is required. CPU Cores should each be 2.0 GHz or higher.
  • The minimum requirements for a single SEG server are 2 CPU cores and 4 GB RAM.
  • When installing the SEG servers in a load balanced configuration, sizing requirements can be viewed as cumulative. For example, a SEG environment requiring 4 CPU Cores and 8 GB RAM can be supported by either:
    • One single SEG server with 4 CPU cores and 8 GB RAM.
    • Two load-balanced SEG servers, each with 2 CPU cores and 4 GB RAM.
  • 5 GB disk space needed per SEG and dependent software. This does not include system monitoring tools or additional server applications.

Software Requirements

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Networking Requirements

Source Component Destination Component Protocol Port Description
Devices (from Internet and Wi-Fi) SEG HTTPS 443 Devices request mail from SEG
Console Server SEG HTTPS 443 Console makes administrative commands to SEG 
SEG Workspace ONE UEM REST API (Device Services (DS) or Console Server (CN) server) HTTP or HTTPS 80 or 443 SEG retrieves the configuration and general compliance policy information
SEG Internal hostname or IP of all other SEG servers TCP 5701 or 41232 If SEG Clustering is used, then SEG communicates to shared policy cache across other SEGs for updates and replication.
SEG localhost HTTP 44444 Admin accesses the SEG server status and diagnostic information from the localhost machine.
Device Services SEG HTTPS 443 Enrollment events and real-time compliance communicates to SEG.
SEG  Exchange HTTP or HTTPS 80 or 443 Verify the following URL is trusted from the browser on the SEG server and gives a prompt for credentials. Exchange server: http(s)://Exchange_ActiveSync_FQDN/Microsoft-server-ActiveSync


Requirement Notes

Remote access to Windows Servers available to Workspace ONE UEM and administrator rights

Set up the Remote Desktop Connection Manager for multiple server management, download the installer from

Installation of Notepad++ (Recommended)  
Ensure Exchange ActiveSync is enabled for a test account  
Note the following additional important considerations and recommendations:
  • Ensure that the SEG URL is either in camel case or lower case.
    • Supported :
      • microsoft-server-activesync
      • Microsoft-Server-ActiveSync
    • Not supported: Microsoft-Server-Activesync
  • The SEG V2 requires that TLS 1.1 or 1.2 is supported on the client's email server, preferably TLS 1.2. It is recommended that the client follow the guidelines of the email system and the OS manufacturer.

Remote Access to Servers

Ensure that you have remote access to the servers where Workspace ONE UEM is installed. Typically, Workspace ONE UEM consultants perform installations remotely over a web meeting or screen share. Some customers also provide Workspace ONE UEM with VPN credentials to directly access the environment as well.