As the admin, you determine which users and devices are allowed to enroll in Workspace ONE UEM. Options include authentication, management mode, Intelligent Hub, terms of use, grouping, restrictions, optional prompts, and customizations.
Configure Enrollment settings by navigating to .
What can you do with the Workspace ONE UEM Enrollment settings page?
- Choose between basic and directory authentication, which is a foundational decision that determines how the device operates and how it is managed. For more information, see Basic vs. Directory Services Enrollment.
- Select whether your organization 1) offers an open enrollment (where any device with an invitation can enroll) or 2) offers a restricted enrollment (where you compile a list of registered devices and only those devices are allowed to enroll).
- Select whether you manage devices with Hub Services or MDM. Furthermore, you can fine-tune this decision on a per-device basis using smart groups.
- Make agreement with the terms of use (which you and your organization author) a prerequisite to device enrollment. This protects your organization legally.
- Leverage any user groups you may have already defined in your Active Directory and automatically route enrolling devices into the corresponding UEM user groups immediately upon enrollment. You can optionally synchronize your AD user groups with your UEM user groups in real time, although this option is very CPU-intensive.
- Select defaults for...
- ...device ownership (BYOD, COPE).
- ...user role, which is a predetermined list of things a device user, managed by UEM, can actually do. Optionally, you can automatically assign user role based upon what user group they belong to at enrollment time.
- ...what action to take when a user becomes inactive.
- Restrict device enrollment in several ways.
- ...accept only users your organization knows.
- ...accept only users that belong to a certain user group.
- ...set a limit to the number of devices in a specific organization group.
- Make personalized prompts that appear on the device as it enrolls, which fosters good communication between you and your users.
- Customize messaging to be platform-specific and include convenience options like email contact, support phone number, and post-enrollment landing URL.
- Save all these settings as a policy and over time, build a library of policies, each with their own settings that you can make active, for example, during hiring sprees.
Determine your organization group hierarchy
Before you review and modify settings, understand the two types of inheritance/override options for the organization group hierarchy available at the top and bottom of the settings page and determine your choices. For more information about these settings, see Override Versus Inherit Setting for Organization Groups.
- Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
- Child Permission – Select the behavior available to child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means child OGs are only allowed to override these settings. Inherit or Override means admins of child OGs below the currently selected OG can choose either to inherit or to override the settings.
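The following is an added example, not VMware code or part of this page, that models how the two controls above resolve an enrollment setting across an OG hierarchy: the nearest OG whose Current Setting is Override supplies the effective values, and a parent's Child Permission constrains what its children may choose. The OrgGroup class, the Global > Corporate > Field Sales sample tree, the setting names and values, and the assumption that Child Permission is checked against the direct parent are all constructed for illustration.

```python
"""Illustrative model of Current Setting (Inherit/Override) and Child
Permission (Inherit only / Override only / Inherit or Override) resolution
across an organization group (OG) hierarchy.

Added example, not VMware code: the OrgGroup class, the sample tree and the
setting values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

INHERIT_ONLY = "Inherit only"
OVERRIDE_ONLY = "Override only"
INHERIT_OR_OVERRIDE = "Inherit or Override"


@dataclass
class OrgGroup:
    name: str
    parent: Optional["OrgGroup"] = None
    # Current Setting: True means Override (this OG's own values apply),
    # False means Inherit (the parent's effective values apply).
    override: bool = False
    # Child Permission this OG imposes on the OGs below it.
    child_permission: str = INHERIT_OR_OVERRIDE
    # This OG's own values; only consulted when override is True.
    local: Dict[str, object] = field(default_factory=dict)


def effective_settings(og: OrgGroup) -> Dict[str, object]:
    """Walk from og toward the root; the nearest OG set to Override wins."""
    node = og
    while node is not None:
        if node.override:
            return dict(node.local)
        node = node.parent
    return {}  # no Override found up to the root (the root normally overrides)


def set_current_setting(og: OrgGroup, override: bool,
                        values: Optional[Dict[str, object]] = None) -> None:
    """Apply an admin's Inherit/Override choice on og.

    Assumption for this model: the Child Permission of the direct parent is
    enforced. Inherit only rejects Override; Override only rejects Inherit.
    """
    parent = og.parent
    if parent is not None:
        if override and parent.child_permission == INHERIT_ONLY:
            raise PermissionError(f"{parent.name} allows child OGs to inherit only")
        if not override and parent.child_permission == OVERRIDE_ONLY:
            raise PermissionError(f"{parent.name} requires child OGs to override")
    og.override = override
    og.local = dict(values or {})


def build_sample_tree() -> Dict[str, OrgGroup]:
    """Constructed sample hierarchy: Global > Corporate > Field Sales."""
    root = OrgGroup("Global", override=True,
                    local={"require_tou": True, "device_limit": 10})
    corp = OrgGroup("Corporate", parent=root)
    sales = OrgGroup("Field Sales", parent=corp)
    return {"Global": root, "Corporate": corp, "Field Sales": sales}


def demo() -> Dict[str, object]:
    """Show inheritance, a mid-tree override, and an override blocked by Child Permission."""
    tree = build_sample_tree()
    inherited = effective_settings(tree["Field Sales"])   # Global's values flow down
    set_current_setting(tree["Corporate"], True,
                        {"require_tou": True, "device_limit": 3})
    overridden = effective_settings(tree["Field Sales"])  # now Corporate's tighter limit
    tree["Corporate"].child_permission = INHERIT_ONLY     # lock the children
    try:
        set_current_setting(tree["Field Sales"], True, {"device_limit": 50})
        blocked = False
    except PermissionError:
        blocked = True
    return {"inherited": inherited, "overridden": overridden, "blocked": blocked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical point the model makes visible is that a looser setting at a leaf OG cannot weaken a parent that has chosen Inherit only, so restrictions such as device limits should be pinned at the OG where you want them enforced and locked from below.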
Authentication Tab
Setting | Description |
---|---|
Add Email Domain | This button is used for setting up the Auto-Discovery Service to register email domains to your environment. |
Authentication Mode(s) | Select the allowed authentication types, which include: |
Source of Authentication for Intelligent Hub | Select the system the Intelligent Hub service uses as its source for users and authentication policies. For details about Workspace ONE Intelligent Hub, see the VMware Workspace ONE Hub Services Documentation. For details about Workspace ONE Access, see the VMware Workspace ONE Access Documentation. |
Devices Enrollment Mode | Select the preferred device enrollment mode, which includes: |
Require Registration Token | Visible only when Registered Devices Only is selected. If you restrict enrollment to registered devices only, you also have the option of requiring a registration token to be used for enrollment. This increases security by confirming that a particular user is authorized to enroll. You can send an email or SMS message with the enrollment token attached to users with Workspace ONE UEM accounts. |
Require Intelligent Hub Enrollment for iOS | Select this check box to require iOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment is available. |
Require Intelligent Hub Enrollment for macOS | Select this check box to require macOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment is available. |
Management Mode Tab
Devices enrolled through Intelligent Hub are MDM managed by default. Enable and select the appropriate groups below to allow devices to enroll without MDM management. Enrollment can be enabled based on the following criteria when utilizing smart groups: OS Version, Ownership Type, and User Group. Use Adaptive Management app policies to control device management levels for iOS devices enrolled without management.
Setting | Description |
---|---|
iOS | Enable iOS devices managed with Hub Services to enroll without being MDM managed. |
Android | Enable Android devices managed with Hub Services to enroll without being MDM managed. |
Windows | Enable Windows devices managed with Hub Services to enroll without being MDM managed. |
Hub Integration Tab
Configure Hub Services through the Intelligent Hub to enable integration options.
Setting | Description |
---|---|
Use Hub Services Features in Intelligent Hub | Enable to allow devices in this OG to connect to Workspace ONE Hub Services for features such as App Catalog and People. |
Terms of Use Tab
Setting | Description |
---|---|
Require Enrollment Terms of Use Acceptance | Require that end users accept an end user license agreement (terms of service) at some point during the enrollment process. Terms of use is fully supported by Workspace ONE Direct Enrollment. |
Add New Enrollment Terms of Use | Click this button to open the Terms of Use dialog, where you can quickly create a custom enrollment terms of use message. For more information on creating an enrollment terms of use, see the Terms of Use section of the VMware AirWatch Mobile Device Management Guide, available on docs.vmware.com. |
Grouping Tab
Setting | Description |
---|---|
Group ID Assignment Mode | Workspace ONE Direct Enrollment supports all assignment modes. |
Default
Setting | Description |
---|---|
Default Device Ownership | Select the default Device Ownership of devices enrolling into the current organization group. Workspace ONE Direct Enrollment supports setting a default device ownership. |
Default Role | Select the default roles assigned to users at the current organization group, which can affect access to the Self-Service Portal. Workspace ONE Direct Enrollment supports setting a default role. |
Default Action for Inactive Users | Select the default action that impacts Active Directory users if their devices become inactive. Workspace ONE Direct Enrollment supports setting a default action for inactive users. |
User Group Sync
Setting | Description |
---|---|
Sync User Groups in Real Time for Workspace ONE | Workspace ONE can sync user groups for a given user as they register with the UEM console. Enabled by default, this feature is most effective when user groups are being used with great frequency for app assignment, profile assignment, policy assignment, or user mapping. This feature is CPU-intensive so unless your use case is similar to the above, disable this setting for improved performance and to prevent latency issues while launching the Workspace ONE application. |
User Role Mapping
Setting | Description |
---|---|
Enable Directory Group-Based Mapping | Select this box to enable ranked assignments that link a directory user group to a specific Workspace ONE UEM role. Users belonging to a particular group are assigned the associated roles. If they belong to more than one group, they take the highest ranked pairing. You can edit the order in which role-infused user groups are ranked by selecting the Edit assignment button. Workspace ONE Direct Enrollment supports directory group-based mapping. |
Restrictions Tab
Enrollment Restrictions
Setting | Description |
---|---|
User Access Control | Workspace ONE Direct Enrollment supports all user access control options.
Restrict Enrollment to Known Users – Enable to restrict enrollment to users that already exist in the UEM console, that is, directory users you added one by one or through batch import. This option lets you be selective about who can enroll and can be used to lock down enrollment after an initial deployment that allowed anyone to enroll. Disable it to allow any directory user who does not yet have an account in the UEM console to enroll; their user accounts are created automatically during enrollment.
Restrict Enrollment to Configured Groups – Enable to allow only users belonging to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. Do not select this option if you have not integrated with your directory services user groups.
Note: Restricting Enrollment to Configured Groups is only supported with Just-In-Time (JIT) user enrollment when each of the following is true:
Select Enterprise Wipe devices of users that are removed from configured groups to automatically enterprise wipe the devices of users who leave the configured groups. If All Groups is selected, devices of users not belonging to any user group are wiped. If Selected Groups is selected, devices of users not belonging to one of the selected user groups are wiped. One option for integrating with user groups is to create an "MDM Approved" directory service group and import it to Workspace ONE UEM. After this import step, you can add existing directory service user groups to the "MDM Approved" group as they become eligible for Workspace ONE UEM. |
Set limit for maximum enrolled devices at this OG and below | Enable and Enter Device Limit to limit the number of devices allowed to enroll in the current organization group (OG). Workspace ONE Direct Enrollment supports this option. |
Policy Settings
- Add Policy – Click this button to add an enrollment restriction policy, which lets you define allowed ownership types, enrollment types, device limits, and more.
Setting | Description |
---|---|
Enrollment Restriction Policy Name | Enter a name for your enrollment restriction policy. |
Organization Group | Select an organization group from the drop-down menu. This is the OG to which your new enrollment restriction policy applies. |
Policy Type | Select the type of enrollment restriction policy: Organization Group Default applies to the selected organization group; User Group Policy applies to specific user groups through Group Assignment Settings on the Restrictions tab. |
Allowed Ownership Types | Select whether to permit or prevent Corporate - Dedicated, Corporate - Shared, and Employee Owned devices. Workspace ONE Direct Enrollment only supports the ownership types Corporate Dedicated and Employee Owned. |
Allowed Enrollment Types | Select whether to permit or prevent the enrollment of devices using MDM (Workspace ONE Intelligent Hub) and AirWatch Container (for iOS/Android) apps. |
Device Limit per User | Select Unlimited to allow users to enroll as many devices as they want. Deselect this box to enter values in the Device Limit Per User section, which defines the maximum number of devices per ownership type: Maximum Devices Per User, Corporate Max Devices, Shared Max Devices, and Employee Owned Max Devices. Workspace ONE Direct Enrollment supports setting a device limit per user. |
Allowed Device Types | Select the Limit enrollment to specific platforms, models or operating systems check box to add additional device-specific restrictions. This option is supported by Workspace ONE Direct Enrollment. |
Device Level Restrictions Mode | Only available if Limit enrollment to specific platforms, models or operating systems is selected under Allowed Device Types. Determine the kind of device limitations you need.
- Only allow listed device types (Allowlist) – Explicitly allow only devices matching the parameters you enter and block everything else.
- Block listed device types (Denylist) – Explicitly block devices matching the parameters you enter and allow everything else.
For either mode, select Add Device Restriction to choose a Platform, Model, Manufacturer (Android devices only), or Operating System. You may also add a Device Limit per defined device restriction, and you may add multiple device restrictions.
You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available as an option when performing an Enterprise Wipe. This option is supported by Workspace ONE Direct Enrollment. |
Management Requirements for Workspace ONE
Require MDM for Workspace ONE – Enable this feature and select the applicable devices so that they receive an MDM profile and become managed when they enroll through Workspace ONE.
Group Assignment Settings
- Edit Group Policies – This button lets you configure ranked assignments that link a directory user group to a specific Workspace ONE UEM enrollment restriction policy. Users belonging to a particular group must adhere to the associated restriction policy. If they belong to more than one group, they take the highest ranked pairing.
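The following is an added example, not VMware code or part of this page. It models the checks described in this Restrictions tab as a single evaluation: the highest ranked group-to-policy pairing (the same "highest ranked pairing" rule that User Role Mapping under the Grouping tab uses for roles), Allowed Ownership Types, Device Limit per User by ownership type, Allowed Device Types in Allowlist or Denylist mode, and blocking of an individual device by identifier. The Device and Policy structures, their field names, and every sample device, group and policy are constructed for illustration; the real console evaluates these rules server-side.

```python
"""Illustrative model of enrollment restriction evaluation: ranked group
policy selection, ownership type, per-user device limits, allowlist or
denylist device types, and per-device identifier blocks.

Added example, not VMware code: all structures and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CORP_DEDICATED = "Corporate - Dedicated"
CORP_SHARED = "Corporate - Shared"
EMPLOYEE_OWNED = "Employee Owned"
ALLOWLIST, DENYLIST = "Allowlist", "Denylist"


@dataclass(frozen=True)
class Device:
    platform: str    # e.g. "Apple iOS", "Android"
    model: str
    os_version: str
    ownership: str
    udid: str        # stands in for IMEI / Serial Number / UDID


@dataclass
class Policy:
    name: str
    allowed_ownership: Set[str]
    # Device Limit per User keyed by ownership type; None means Unlimited.
    max_devices: Dict[str, Optional[int]] = field(default_factory=dict)
    # Allowed Device Types: each restriction is attribute=value pairs that must all match.
    device_filters: List[Dict[str, str]] = field(default_factory=list)
    mode: str = ALLOWLIST  # Device Level Restrictions Mode; ignored if no filters


def _matches(device: Device, restriction: Dict[str, str]) -> bool:
    return all(getattr(device, attr) == value for attr, value in restriction.items())


def select_policy(user_groups: Set[str], ranked: List[Tuple[str, Policy]],
                  og_default: Policy) -> Policy:
    """Ranked assignments from highest to lowest: the first pairing whose group
    contains the user wins; otherwise the Organization Group Default applies."""
    for group, policy in ranked:
        if group in user_groups:
            return policy
    return og_default


def evaluate(policy: Policy, device: Device, enrolled: List[Device],
             blocked_ids: Set[str]) -> Tuple[bool, str]:
    """Decide whether device may enroll; enrolled is the user's existing devices."""
    # Per-device block (IMEI / Serial Number / UDID) comes first so a wiped
    # device cannot re-enroll no matter which policy it would otherwise get.
    if device.udid in blocked_ids:
        return False, "device identifier is blocked"
    if device.ownership not in policy.allowed_ownership:
        return False, f"ownership type {device.ownership!r} not permitted"
    limit = policy.max_devices.get(device.ownership)
    if limit is not None:
        count = sum(1 for d in enrolled if d.ownership == device.ownership)
        if count >= limit:
            return False, f"device limit {limit} reached for {device.ownership}"
    if policy.device_filters:
        hit = any(_matches(device, r) for r in policy.device_filters)
        if policy.mode == ALLOWLIST and not hit:
            return False, "device type not on the allowlist"
        if policy.mode == DENYLIST and hit:
            return False, "device type is on the denylist"
    return True, f"allowed by policy {policy.name!r}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the checks against constructed sample data and return the verdicts."""
    og_default = Policy("OG Default", {CORP_DEDICATED, EMPLOYEE_OWNED},
                        max_devices={CORP_DEDICATED: None, EMPLOYEE_OWNED: 1},
                        device_filters=[{"platform": "Apple iOS"},
                                        {"platform": "Android", "model": "Pixel 7"}])
    contractors = Policy("Contractors", {EMPLOYEE_OWNED}, max_devices={EMPLOYEE_OWNED: 1})
    ranked = [("Contractors", contractors), ("All Staff", og_default)]  # highest first
    blocked = {"UDID-LOST-0001"}  # e.g. a device enterprise-wiped with re-enrollment blocked

    byod_ios = Device("Apple iOS", "iPhone 14", "17.0", EMPLOYEE_OWNED, "UDID-A")
    old_android = Device("Android", "Galaxy S9", "10", CORP_DEDICATED, "UDID-B")
    corp_ios = Device("Apple iOS", "iPhone 14", "17.0", CORP_DEDICATED, "UDID-C")
    lost = Device("Apple iOS", "iPhone 14", "17.0", EMPLOYEE_OWNED, "UDID-LOST-0001")

    staff = select_policy({"All Staff"}, ranked, og_default)
    contractor = select_policy({"All Staff", "Contractors"}, ranked, og_default)
    return {
        "staff_byod_ok": evaluate(staff, byod_ios, [], blocked),
        "staff_second_byod": evaluate(staff, byod_ios, [byod_ios], blocked),
        "staff_unlisted_android": evaluate(staff, old_android, [], blocked),
        "contractor_corp_device": evaluate(contractor, corp_ios, [], blocked),
        "blocked_udid": evaluate(staff, lost, [], blocked),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:24s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

Two behaviours worth noting from the model: a user in both "All Staff" and "Contractors" gets the Contractors policy because it is ranked higher, even though it is the more restrictive one, so rank your group policies deliberately; and in Allowlist mode a device that matches none of the listed restrictions is denied, while in Denylist mode the same unmatched device is allowed.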
Optional Prompt Tab
The optional prompt settings let you configure various prompts that you set to display or not display during device enrollment. These optional prompts are web-based and are therefore cross-platform unless otherwise specified.
Setting | Description |
---|---|
Prompt for Device Ownership Type | You can prompt the end user to select their device ownership type. Otherwise, configure a default device ownership type for the current organization group. Workspace ONE Direct Enrollment supports prompting for device ownership type. |
Display Welcome Message | You can display a welcome message for your users early in the device enrollment process. You can configure both the header and the body of this welcome message by navigating to . Next, select the labels 'EnrollmentWelcomeMessageHeader' and 'EnrollmentWelcomeMessageBody' respectively. |
Display MDM Installation Message | You can display a message for your users during the device enrollment process. You can configure both the header and the body of this MDM installation message by navigating to . Next, select the labels 'EnrollmentMdmInstallationMessageHeader' and 'EnrollmentMdmInstallationMessageBody' respectively. If you customize your own header and body messages using the Localization Editor, you must select 'Override' in the Current Setting option so that your customizations are used instead of the default messages. In addition to making one-off localization changes, you can make localization changes in bulk by uploading an edited comma-separated values (CSV) file. Download the localization template CSV file by navigating to and selecting the Modify button, edit the file per your preferences, and upload it using the same screen. |
Enable Enrollment Email Prompt | You can prompt the user to enter their email credentials during enrollment. The Enrollment Email Prompt requests the email address from the end user to populate that option in the user record automatically. This data is beneficial to organizations deploying email to devices using the {EmailAddress} lookup value. |
Enable Device Asset Number Prompt | You can prompt the user to enter the device asset number during enrollment. Workspace ONE Direct Enrollment supports the device asset number prompt, but only when Prompt for Device Ownership Type is enabled and only for Corporate Owned devices. |
Display Enrollment Transition Messages (Android Only) | You can display or hide enrollment messages on Android devices. |
Enable the Status Tracking Page for OOBE | Enable this setting to display the status tracking page during the Out of Box Enrollment (OOBE) which displays the provisioning status of the device and informs the user which apps, resources, and policies have been installed. |
Enable TLS Mutual Auth for Windows | You can force Windows devices to use endpoints secured by TLS mutual authentication, which requires additional setup and configuration. Contact Support for assistance. |
Display Authentication Screen Message (Windows Only) | You can provide your device end users with a customized login hint about which credentials they must use to enroll into Workspace ONE UEM. For example, if their enrollment authentication for UEM is the same as their Active Directory credentials, you can include that as a hint. You can also include a link they can click to get help. This feature is currently supported by Windows devices only. You must provide your own localization by including translations of the hint in the same text box. |
Customization Tab
Setting | Description |
---|---|
Use specific Message Template for each Platform | Select this check box to use different enrollment message templates for the different platforms. This option is supported by Workspace ONE Direct Enrollment. |
Enrollment Support Email | Enter the contact email for MDM support, which is displayed to users during enrollment. |
Enrollment Support Phone | Enter the contact phone number for MDM support, which is displayed to users during enrollment. |
Post-Enrollment Landing URL (iOS Only) | Enter the URL of the webpage you want end users redirected to after they enroll their devices. This field can be blank. This option is supported by Workspace ONE Direct Enrollment. |
MDM Profile Message (iOS Only) | Enter the message you would like your users to see during the MDM profile installation prompt. This field is optional and can be left blank. This option is supported by Workspace ONE Direct Enrollment. |
Use Custom MDM Applications | Configure MDM Apps by adding them as managed applications and assigning them to MDM application groups. This option is supported by Workspace ONE Direct Enrollment. |