Android Device Enrollment Overview

Each Android device in your organization's deployment must be enrolled before it can communicate with the Workspace ONE UEM console and access internal content and features.

The Workspace ONE Intelligent Hub provides a single resource to enroll a device and provides device and connection details. Hub-based enrollment allows you to:

  • Authenticate users using basic or directory services, such as AD/LDAP/Domino, SAML, tokens, or proxies.
  • Register devices in bulk or allow users to self-register.
  • Define approved OS versions, models, and maximum number of devices per user.
  • Authenticate enrollment using Workspace ONE Access during auto enrollment.

Devices & Users / Android / Android EMM Registration

Android EMM Registration lets you configure the various options for enrolling with Android. This page uses a wizard to help you set up the integration for devices. Enable these settings before beginning enrollment.

Enrollment Settings

Setting: Work Managed Enrollment Type (Non-G Suite only)
Description: Choose if devices should be associated with the enrollment user or device. When using paid apps, User Based is preferred for optimal license allocation and most BYOD use cases. For scenarios where a single user will not be associated with the device (such as kiosks), Device Based is preferred.
If you are operating on a closed network or cannot communicate with Google Play, select AOSP/Closed Network. A Google account is not created on these devices. Public app management through managed Google Play is not available using AOSP/Closed Network enrollment. This setting applies only to the devices enrolled with that organization group. The parent organization can still have devices on Work Managed enrollment using a Google account.
In some instances, you might want to enroll GMS and non-GMS devices in the same organization group without having to create multiple organization groups for device management. If you are using QR code enrollment for these devices, you can configure the Enrollment Configuration wizard to force AOSP/Closed Network enrollment regardless of the enrollment type set in this field.
If Device Based is selected, only device-based accounts should be used, which applies to COPE on Android 8.0, Android 10, and Android 11 devices. This is useful for staging and single-use scenarios such as kiosk devices.

Setting: Fully-Managed Device Enrollments
Description: Choose whether enrolled devices will use Work Managed Device or Corporate Owned Personally Enabled mode.

Setting: Work Profile Enterprise Wipe User Message
Description: Customize a toast message to display on user devices when you have performed an enterprise wipe from the UEM console. When you perform an enterprise wipe from the Device Details page, this message is also generated. The user does not need to take any action on their device. The message displays after the enterprise wipe is complete.

Enrollment Restrictions

Setting: Define the enrollment method for this Organization Group
Description: Select whether to Always use Android, Always Use Android (Legacy), or Define assignment group that use Android.
If you select Define Assignment Group that use Android, all unassigned devices default to use Android (Legacy).

Setting: Assignment Groups
Description: Select a smart group from the drop-down menu.
When one or more smart groups are selected, devices or users that do not belong to those groups go through Android legacy enrollment (device administrator). Devices that belong to a selected smart group enroll in Work Profile or Work Managed, assuming they support these enrollment modes.

Setting: Allow Work Profile Enrollment
Description: Use this setting to block employee-owned devices from enrolling in Work Profile mode.

Device Protection for Android Devices

Android OS 5.1 and above have a feature called Device Protection which requires Google credentials to be entered before and after a device can be reset. When a device is ready to be enrolled as a Work Managed device for Android, the device must be factory reset.

Any existing Google account has to be removed from the device and the secure lock screen disabled to avoid triggering Device Protection so that the Workspace ONE Intelligent Hub can be installed during enrollment. Using the device from the factory reset state also prevents the new user from being locked out of the device.

In the event the previous owner changed the Google account password, you must wait three days before factory resetting any of your Android 5.1+ devices for enrollment unless you have explicitly disabled Android Device Protection on them. If you factory reset one of your Android devices before those three days are up and then attempt to sign into that device with your Google account, you will be met with an error message and not allowed to log into the device with any account until 72 hours after the password reset occurred.

Enable Unmanaged Enrollment for Android Devices

To allow some Android devices to enroll into Workspace ONE UEM without Google services, you must enable Registered Mode.

Devices enrolled through the Intelligent Hub app are MDM managed by default. To allow some Android devices to enroll without MDM management you must enable the unmanaged mode for a smart group.

The available selection criteria are OS version, ownership type, and user group.

In the unmanaged enrollment, users can access applications that require a basic level of security. When users try to access an app that requires management, users are guided through the MDM enrollment process. You use the adaptive management app policies to control device management levels for Android devices enrolled without management.

  1. In the Workspace ONE UEM console, select the organization group to be enabled with unmanaged enrollment and navigate to the Devices > Devices Settings > Devices & Users > General > Enrollment > Management Mode page.

  2. In Current Settings, click Override.

  3. For Android, select Enabled.

  4. In Smart Groups, add the smart group that is enabled for unmanaged enrollments.

  5. Click Save.

Users with Android devices from the configured smart group are entitled to unmanaged access to apps. Users can use the Workspace ONE Intelligent Hub app to access applications that require a basic level of security without the device being enrolled into Workspace ONE UEM Mobile Device Management.
