
Enrolling Windows Devices into Workspace ONE UEM

Workspace ONE UEM supports several different methods to enroll your Windows devices. Learn which enrollment workflow best services your needs based on your Workspace ONE UEM deployment, enterprise integrations, and device operating system.

Enrollment Basics

Simplify your end-user enrollments by setting up the Windows Auto-Discovery Services (WADS) in your Workspace ONE UEM environment. WADS supports an on-premises solution and cloud-based WADS.

The enrollment methods use either the native MDM functionality of the Windows operating system, Workspace ONE Intelligent Hub for Windows, or Azure AD integration.

If you want to use Workspace ONE UEM to manage Windows devices managed by SCCM, you must download the VMware AirWatch SCCM Integration Client. Use this client to enroll SCCM-managed devices into Workspace ONE UEM.

  • Workspace ONE Intelligent Hub for Windows Enrollment

    The simplest enrollment workflow uses Workspace ONE Intelligent Hub for Windows to enroll devices. End users simply download Workspace ONE Intelligent Hub from getwsone.com and follow the prompts to enroll.

    Consider using Workspace ONE Intelligent Hub for the Windows Enrollment workflow. Workspace ONE UEM supports additional enrollment flows that meet specific use cases.

  • Azure AD Integration Enrollment

    Through integration with Microsoft Azure Active Directory, Windows devices automatically enroll into Workspace ONE UEM with minimal end-user interaction. Azure AD integration enrollment simplifies enrollment for both end users and admins. Azure AD integration enrollment supports three different enrollment flows: Join Azure AD, Out of Box Experience enrollment, and Office 365 enrollment. All methods require configuring Azure AD integration with Workspace ONE UEM.

    Before you can enroll your devices using Azure AD integration, you must configure Workspace ONE UEM and Azure AD.

  • Native MDM Enrollment

    Workspace ONE UEM supports enrolling Windows Desktop devices using the native MDM enrollment workflow. The name of the native MDM solution varies based on the version of Windows. This enrollment flow changes based on the version of Windows and if you use WADS.

    Only users with local admin permissions on the device can enroll a device into Workspace ONE UEM and enable MDM.

  • Device Staging

    If you want to configure device management on a Windows device before shipping it to your end user, consider using Windows Desktop device staging. This enrollment workflow allows you to enroll a device through Workspace ONE Intelligent Hub, install device-level profiles, and then ship the device to end users. The two methods of device staging are manual installation and command-line installation. Manual installation requires devices to be domain-joined to an Azure AD integration. Command-line installation works for all Windows devices.

  • Windows Desktop Auto-Enrollment

    Workspace ONE UEM supports the auto-enrollment of specific Windows Desktop devices purchased from Dell. Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

    Windows Provisioning Service by VMware only applies to select Dell Enterprise devices with the correct Windows image. The auto-enrollment functionality must be purchased as part of the purchase order from Dell.

  • Bulk Provisioning and Enrollment

    Bulk provisioning creates a pre-configured package that stages Windows devices and enrolls them into Workspace ONE UEM. Bulk provisioning requires downloading the Microsoft Assessment and Development Kit and installing the Imaging and Configuration Designer tool. This tool creates the provisioning packages used to image devices.

    With the bulk provisioning workflow, you can include Workspace ONE UEM settings in the provisioning package so that provisioned devices automatically enroll during the initial Out of Box Experience.

  • Registered Mode - Enroll Without Device Management

    To allow some Windows devices to enroll into Workspace ONE UEM without device management services, you can enable Registered Mode. Assign this mode to an entire organization group or with smart groups.

Workspace ONE Intelligent Hub for Windows Enrollment

Workspace ONE Intelligent Hub provides a single resource for enrollment and facilitates communication between the device and the Workspace ONE UEM console. Use Workspace ONE Intelligent Hub to enroll your Windows devices. It provides a simplified enrollment flow that is quick and easy for end users.

Consider using Workspace ONE Intelligent Hub for Windows to enroll your Windows Desktop devices as it provides the simplest enrollment flow for users. If you have Workspace ONE configured, downloading Workspace ONE Intelligent Hub from https://getwsone.com/ also downloads the Workspace ONE app. When you finish enrolling with Workspace ONE Intelligent Hub, the Workspace ONE app auto-launches and configures based on your Workspace ONE UEM deployment.

The Workspace ONE Intelligent Hub provides extra functionality to your Windows Desktop devices including location services.

You can simplify enrollment for your end users by using Windows Auto-Discovery. Windows Auto-Discovery enables end users to enter their email address to fill in the text boxes automatically with their enrollment credentials.

AirWatch Cloud Messaging (AWCM) enables real-time policy and command delivery to Workspace ONE Intelligent Hub. Without AWCM, Workspace ONE Intelligent Hub only receives policy and command delivery during its normal check-in intervals set in the Workspace ONE UEM console. Consider using AWCM for real-time policy and command delivery to Windows Desktop devices.

Procedure to Enroll with the VMware Workspace ONE Intelligent Hub

  1. On the Windows Desktop device, navigate to https://getwsone.com.
  2. Install Workspace ONE Intelligent Hub. When the installation is finished, start Workspace ONE Intelligent Hub.
  3. Enter the email address and select Next.
  4. If you are not using Windows Auto-Discovery, complete the following settings.
    1. Enter the Server URL and select Next.
    2. Enter the Group ID and select Next.
    3. Enter the Username and Password.
  5. Accept the terms of use.
  6. Select Done.
  7. Open Workspace ONE Intelligent Hub and complete the enrollment.

Native MDM Enrollment for Windows Desktop

Windows Desktop enrollment methods all use the Work Access native MDM Client. Use the native MDM enrollment to enroll both corporate owned and BYOD devices through the same enrollment flow. You can enroll with or without Windows Auto Discovery.

Work Access first processes an Azure AD workflow for domains connected to Office 365 or Azure AD when you select Connect, and does not automatically complete the enrollment workflow. If you use Office 365 or Azure AD without a premium license, consider using the Workspace ONE Intelligent Hub to enroll Windows devices instead of native MDM enrollment. To complete the enrollment workflow using native MDM enrollment, select Connect twice. If you have an Azure AD premium license, you can enable Require Management in your Azure instance to have native MDM enrollment complete the enrollment flow after the Azure workflow. You can use native MDM enrollment without issue if you do not use Office 365 or Azure AD.

Only users who have local admin permissions on the device can enroll a device into Workspace ONE UEM and enable MDM. Domain Admin permissions do not work for enrolling a device. To enroll a device with a standard user, you must use Bulk Provisioning for Windows devices.

By using the Windows Auto-Discovery Service, you simplify enrollment for your end user by reducing the necessary interaction during enrollment.

Devices joined to a domain can enroll using the native Workplace enrollment. The email address entered in the settings is auto-populated with the Active Directory UPN attribute. If the end user wants to use a different email address, they must download the optional update.

Enroll Through Work Access With Windows Auto Discovery

Work Access is the native MDM enrollment method for Windows devices. Enrolling through Work Access and using Windows Auto Discovery provides a quick and easy enrollment flow for end users.

Prerequisites

Registering your domain in Workspace ONE UEM removes the need to enter the Group ID during enrollment.

Note: Consider using the Workspace ONE Intelligent Hub for Windows to enroll your Windows devices instead of using native MDM enrollment. The native MDM enrollment flow does not enroll devices into MDM if you use Office 365 or Azure AD on the same domain.

Procedure

  1. On the device, navigate to Settings > Accounts > Work Access and select Enroll in to device management.
  2. Enter the user name you provided to your end user into the Email text box, followed by the domain for the environment in the format [email protected] (such as [email protected]). Select Continue.
  3. Enter the Group ID and select Next.
  4. Enter your username and password and select Next. These credentials may be your directory services credentials or dedicated credentials specific to your Workspace ONE UEM environment.
  5. Optional: Review the End User License Agreement and select Accept to agree to the terms of use.
  6. Optional: Select Yes to save sign-in info.

Results

The device then attempts to connect to Workspace ONE UEM. If it connects successfully, a briefcase icon displays with Workspace ONE UEM written next to it. This icon shows your successful connection to Workspace ONE UEM.

(Figure: the Work Access menu showing a successful connection, with the briefcase icon.)

Enroll Through Work Access Without Windows Auto Discovery

Work Access is the native MDM enrollment method for Windows devices. Enrolling through Work Access without WADS requires manually entering end-user credentials.

Consider using the Workspace ONE Intelligent Hub for Windows to enroll your Windows devices instead of using native MDM enrollment. The native MDM enrollment flow does not enroll devices into MDM if you use Office 365 or Azure AD on the same domain.

Procedure

  1. On the device, navigate to Settings > Accounts > Work Access and select Enroll in to device management.
  2. Enter the user name you provided to your end user into the Email text box, followed by the domain for the environment in the format [email protected] (such as [email protected]).
  3. Enter server address as follows: <DeviceServicesURL>/DeviceServices/Discovery.aws. Do not include 'https://' in the URL. Example: ds156.awmdm.com/deviceservices/discovery.aws.
  4. Select Continue.
  5. Enter the Group ID and select Next.
  6. Enter your username and password and select Next. These credentials may be your directory services credentials, or dedicated credentials specific to your Workspace ONE UEM environment.
  7. Optional: Review the End-User License Agreement and select Accept to agree to the terms of use. This step is optional and only displays if you choose to enable it.
  8. Optional: Select Yes to save sign-in info.

Results

The device then attempts to connect to Workspace ONE UEM. If it connects successfully, a briefcase icon displays with Workspace ONE UEM written next to it. This icon shows your successful connection to Workspace ONE UEM.

(Figure: the Work Access menu showing a successful connection, with the briefcase icon.)

Windows Device Staging Enrollment

With device staging, you can configure your Windows devices for device management by Workspace ONE UEM before you send the devices to your end users. Learn how to enroll and configure your devices with Workspace ONE Intelligent Hub on behalf of your end users.

Device staging enrollment enables you to enroll your Windows device into Workspace ONE UEM. This enrollment requires the Workspace ONE Intelligent Hub to start. After the device enrolls, any assigned device-level profiles download to the device. Once the device is fully enrolled and configured, you can ship the device to your end users. When the end user signs in to the device, the Workspace ONE Intelligent Hub updates the device record in the Workspace ONE UEM console. Workspace ONE UEM reassigns the device to the end user and pushes any user-level profiles to the device.

The two staging methods are:

  • Manual Installation – Download and install the Workspace ONE Intelligent Hub and enter enrollment credentials. This method requires devices to be domain-joined before enrollment.
  • Command Line Installation – Download the Workspace ONE Intelligent Hub and then install and enroll the device using the command line.

The enrollment completes either by updating the UEM console device registry when a user enrolls into a domain-joined device, or by comparing the enrolled user name against a list of previously registered serial numbers.

Bulk Import Device Serial Numbers

Import device serial numbers for use with device staging to quickly add devices to the Workspace ONE UEM Console. The bulk import requires a CSV file with all the serial numbers to import.

Procedure

  1. Navigate to Accounts > Users > List View or Devices > Lifecycle > Enrollment Status.
  2. Select Add and then Batch Import to display the Batch Import screen.
  3. Complete each of the required options: Batch Name, Batch Description, and Batch Type.
  4. Within the Batch File (.csv) option is a list of task-based templates you can use to load users and their devices in bulk.
  5. Select the appropriate download template and save the comma-separated values (CSV) file to somewhere accessible.
  6. Locate the saved CSV file, open it with Excel, and enter all the relevant information for each of the devices that you want to import. Each template is pre-populated with sample entries demonstrating the type of information (and its format) intended to be placed in each column. Fields in the CSV file denoted with an asterisk are required.
  7. Save the completed template as a CSV file. In the UEM console, select the Choose File button from the Batch Import screen, navigate to the path where you saved the completed CSV file and select it.
  8. Select Save to complete registration for all listed users and corresponding devices.

Carbon Black and Workspace ONE Intelligent Hub for Windows

Do you use Carbon Black for endpoint protection on your Windows devices? You can install Carbon Black on your Windows devices when you install the Workspace ONE Intelligent Hub for Windows.

Enroll your Windows devices with this command-line staging process. Enter Carbon Black specific silent enrollment parameters and their respective URL values that you generated in Carbon Black. Entering the generated URLs instructs the Workspace ONE Intelligent Hub to retrieve the URLs for the Carbon Black sensor kit and the Carbon Black sensor configuration file for installation.

After you install Carbon Black and the Workspace ONE Intelligent Hub, upload the Carbon Black public app to the Workspace ONE UEM console and publish the app to your Windows devices.

For details on how to generate the required URLs for the Carbon Black sensor kit and the Carbon Black sensor configuration file, access the content in the Carbon Black Cloud User Guide. You can sign in to VMware Carbon Black Cloud and select Help > User Guide. Type workspace one in the search bar and press Enter.

Where Are The Carbon Black Parameters?

The Carbon Black parameters are listed in this topic in the Silent Enrollment Parameters and Values section. You can also find them in the Carbon Black Cloud console at Inventory > Endpoints > Sensor Options > Configure Workspace ONE sensor kit. If you do not see this option in the Carbon Black Cloud console, contact your Carbon Black support to enable the feature.

Enroll Through Command-Line Staging

Simplify enrollment for end users by staging your Windows Desktop devices using the Windows Command Line. This enrollment method for Workspace ONE UEM enrolls the device and downloads device-level profiles based on the user credentials entered.

Important: Do not change the name of the AirWatchAgent.msi file, as this breaks the staging command. Also, do not use bulk serial number import if you want to use command-line staging.

Note: Do not use this product to install Workspace ONE Intelligent Hub for Windows silently on BYOD devices. If you silently install onto BYOD devices, you are solely responsible for providing any necessary notices to your device end users regarding your use of silent installation and the data collected from the silently installed apps. You are responsible for obtaining any legally required consents from your device end users, and otherwise complying with all applicable laws.

Procedure

  1. Navigate to https://getwsone.com/ to download Workspace ONE Intelligent Hub for Windows.

    Only download Workspace ONE Intelligent Hub. Do not start the executable or select Run as that initiates a standard enrollment process and defeats the purpose of silent enrollment. If necessary, move Workspace ONE Intelligent Hub from the download folder to a local or network drive folder.

  2. Open a command line or create a BAT file and enter all the necessary paths, parameters, and values.

  3. Run the command.

Results

After the command runs, the device enrolls into Workspace ONE UEM. If the device is domain-joined, Workspace ONE Intelligent Hub updates the Workspace ONE UEM console device registry with the correct user.

Enroll Through Manual Device Staging

Simplify enrollment for end users by staging your Windows devices using the Workspace ONE Intelligent Hub. This enrollment method enrolls the device and downloads device-level profiles so the end user must only log in to the device to begin using it.

Prerequisites

These devices must be joined to a domain.

  1. Navigate to https://getwsone.com/ to download the Workspace ONE Intelligent Hub Installer.
  2. Start the installer once the download completes.
  3. Select Run to begin the installation.
  4. Select Email if you have Auto-Discovery enabled, otherwise select Server Detail.
  5. Complete the settings required based on the authentication type selected.
    1. Enter the email address to auto-fill the server details screen. Select Next and the details are entered.
    2. Enter the Server Name and Group ID if you are not using Auto-Discovery to complete the settings. Select Next.
  6. Enter the staging Username and Password and select Next.
  7. Complete any optional screens.
  8. Select Finish to complete the enrollment.

Results

Once the Workspace ONE Intelligent Hub detects a staging user, the Workspace ONE Intelligent Hub listener runs and listens for the next Windows login. When the end user logs into the device, the Workspace ONE Intelligent Hub listener reads the user UPN and email from the device registry. This information is sent to the Workspace ONE UEM console and the device registry is updated to register the device to the user.

Silent Enrollment Parameters and Values

Silent enrollment requires command-line entries or a BAT file to control how the Workspace ONE Intelligent Hub downloads and installs onto Windows devices.

Note: Do not use this product to install Workspace ONE Intelligent Hub for Windows silently on BYOD devices. If you silently install to BYOD devices, you are solely responsible for providing any necessary notices to your device end users regarding your use of silent installation and the data collected from the silently installed apps. You are responsible for obtaining any legally required consents from your device end users, and otherwise complying with all applicable laws.

The following tables list the enrollment parameters you can enter into a command line or into a BAT file, and the respective values for each parameter. If you are Enrolling on Behalf of Others (EOBO), ensure you use the EOBO parameters.

General Parameters

  • All MSI parameters – These parameters control the app installation behavior:
      /quiet – Completely silent.
      /q – Controls the UI levels for installation.
      /passive – Minimal controls for the user to guide the application.
      /L – Log levels and log paths. For more information, see https://docs.microsoft.com/en-us/windows/win32/msi/command-line-options.
  • ASSIGNTOLOGGEDINUSER – Select Y to assign the device to the domain user that is logged in. Enter this parameter as the last argument in the command line.
  • DEVICEOWNERSHIPTYPE^ – Select CD for Corporate Dedicated, CS for Corporate Shared, EO for Employee Owned, or N for None.
  • DOWNLOADSBUNDLE – Controls the download of the Workspace ONE application during enrollment. Select TRUE to download the Workspace ONE app installer during the installation of Workspace ONE Intelligent Hub. If you enroll a device using Workspace ONE Intelligent Hub, installing Workspace ONE is not optional. If you do not set DOWNLOADSBUNDLE to TRUE, the Workspace ONE app installer does not download regardless of the UI level used.
  • ENROLL – Select Y to enroll or N for image only. The agent tries to enroll in silent mode only if this parameter is set to Y.
  • IMAGE – This flag takes priority over everything: if it is set to Y, the agent is put into image mode. Select Y for image or N for enrollment.
  • INSTALLDIR^ – Enter the directory path if you want to change the installation path. Note: If this parameter is not present, the Workspace ONE Intelligent Hub uses the default path C:\Program Files (x86)\AirWatch.
  • LGName – Enter the organization group name.
  • PASSWORD – Enter the password for the user you are enrolling, or the staging user password if staging the device on behalf of a user.
  • SERVER – Enter the enrollment URL.
  • USERNAME – Enter the user name for the user you are enrolling, or the staging user name if staging the device on behalf of a user.

Items denoted with a caret (^) are optional.

EOBO Parameters

  • SECURITYTYPE – EOBO workflow only: use this parameter if a user account is added to the Workspace ONE UEM console during the enrollment process. Select D for Directory or B for Basic User.
  • STAGEEMAIL^ – EOBO workflow only: enter the email address for the user you are enrolling.
  • STAGEEMAILUSRNAME^ – EOBO workflow only: enter the email user name for the user you are enrolling.
  • STAGEPASSWORD – EOBO workflow only: enter the password for the user you are enrolling.
  • STAGEUSERNAME – EOBO workflow only: enter the user name for the enrolling user.

Items denoted with a caret (^) are optional.

Carbon Black Parameters

  • CBSENSORCONFIGURL^ – Instructs the Workspace ONE Intelligent Hub for Windows to retrieve the Carbon Black configuration file. Enter the URL for the sensor configuration file that you generated in Carbon Black.
  • CBSENSORURL^ – Instructs the Workspace ONE Intelligent Hub for Windows to retrieve the applicable Carbon Black sensor kit. Enter the URL for the sensor kit that you generated in Carbon Black.

Items denoted with a caret (^) are optional.

Examples of Silent Enrollment

View examples of various use cases using enrollment parameters and the values that you can enter into a command line or use to create a BAT file. Initiating any one of these examples silently enrolls the Windows device without prompting the user to select any of the acknowledgment buttons.

  • Agent Install for Image Only Without Enrollment

    The following is an example of installing the Workspace ONE Intelligent Hub for image only without enrollment using minimum parameters required for image only.

    AirwatchAgent.msi /quiet ENROLL=N IMAGE=Y
    
  • Basic User Enrollment

    The following is an example of using minimum parameters required for basic enrollment only:

    AirwatchAgent.msi /quiet ENROLL=Y IMAGE=N SERVER=companyURL.com LGName=locationgroupid USERNAME=TestUsr PASSWORD=test
    
  • Workspace ONE Intelligent Hub Installed Elsewhere

    The following is an example of the AirwatchAgent.msi located in a different location:

    C:\AirwatchAgent.msi /quiet ENROLL=Y IMAGE=N SERVER=companyURL.com LGName=locationgroupid USERNAME=TestUsr PASSWORD=test
    
  • Installation Directory and Workspace ONE Intelligent Hub on Network Drive

    The following is an example of the installation directory parameter with the Workspace ONE Intelligent Hub on a network drive.

    Important: Add extra quotes for the INSTALLDIR parameter when there is space within the parameter.

    Q:\AirwatchAgent.msi /quiet INSTALLDIR="E:\Install Win32" ENROLL=Y IMAGE=N SERVER=companyURL.com LGName=locationgroupid USERNAME=TestUsr PASSWORD=test
    
  • Available Parameters and Values

    The following snippet is an example of the syntax using most of the available parameters and values.

    msiexec.exe /I "<Path>\AirwatchAgent.msi" /quiet ENROLL=<Y/N> IMAGE=<Y/N> SERVER=<CompanyURL> LGNAME=<Location Group ID> USERNAME=<Staging Username> PASSWORD=<Staging Username Password> STAGEUSERNAME=<Enrolling Username> SECURITYTYPE=<D/B> STAGEEMAILUSRNAME=<User Enrolling> STAGEPASSWORD=<Password for User Enrolling> STAGEEMAIL=<Email Address for User Enrolling> DEVICEOWNERSHIPTYPE=<CD/CS/EO/N> ASSIGNTOLOGGEDINUSER=<Y/N>
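The command-line staging procedure and the parameter tables above can be wrapped in a short script so the msiexec command is assembled consistently instead of being retyped into a BAT file for every build. The following PowerShell is an added example; it is not from the Workspace ONE UEM documentation or the Intelligent Hub installer. The function names (New-HubStagingArguments, Invoke-HubStagingEnrollment), the log path, and the server, group ID, installer path and account values are assumptions and placeholders. It builds the documented ENROLL, IMAGE, SERVER, LGName, USERNAME, PASSWORD, DEVICEOWNERSHIPTYPE, INSTALLDIR, DOWNLOADSBUNDLE, EOBO and Carbon Black parameters, refuses a renamed installer, quotes a path containing spaces, keeps ASSIGNTOLOGGEDINUSER as the last argument, and checks the msiexec exit code.

```powershell
# Added example, not part of the Workspace ONE UEM documentation. Function names,
# paths and the server/group/account values are assumptions and placeholders.
# Run from an elevated prompt: MSI installation and MDM enrollment need local admin.

function New-HubStagingArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $GroupId,
        # Staging account: USERNAME / PASSWORD in the general parameter table.
        [Parameter(Mandatory)] [pscredential] $StagingCredential,
        # EOBO: the end user the device is staged for (STAGEUSERNAME / STAGEPASSWORD).
        [pscredential] $EnrollingUserCredential,
        [ValidateSet('D', 'B')] [string] $EnrollingUserSecurityType = 'D',
        [ValidateSet('CD', 'CS', 'EO', 'N')] [string] $OwnershipType = 'CD',
        [string] $InstallDir,
        [string] $CbSensorUrl,
        [string] $CbSensorConfigUrl,
        [switch] $DownloadWorkspaceOneApp,
        [switch] $AssignToLoggedInUser,
        [string] $LogPath = "$env:TEMP\AirwatchAgent-install.log"   # assumed location
    )

    # The staging command breaks if the installer is renamed (-ne is case-insensitive).
    if ((Split-Path -Leaf $MsiPath) -ne 'AirwatchAgent.msi') {
        throw "Installer must be named AirwatchAgent.msi, got '$(Split-Path -Leaf $MsiPath)'."
    }
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }

    # Paths are quoted inside the argument so msiexec receives them as one value,
    # which is the "extra quotes" rule for INSTALLDIR when the path contains a space.
    $msiArgs = @(
        '/i', "`"$MsiPath`"",
        '/quiet',
        '/L*v', "`"$LogPath`"",
        'ENROLL=Y',
        'IMAGE=N',
        "SERVER=$Server",
        "LGName=$GroupId",
        "USERNAME=$($StagingCredential.UserName)",
        "PASSWORD=$($StagingCredential.GetNetworkCredential().Password)",
        "DEVICEOWNERSHIPTYPE=$OwnershipType"
    )
    if ($InstallDir)              { $msiArgs += "INSTALLDIR=`"$InstallDir`"" }
    if ($DownloadWorkspaceOneApp) { $msiArgs += 'DOWNLOADSBUNDLE=TRUE' }
    if ($EnrollingUserCredential) {
        $msiArgs += "STAGEUSERNAME=$($EnrollingUserCredential.UserName)"
        $msiArgs += "STAGEPASSWORD=$($EnrollingUserCredential.GetNetworkCredential().Password)"
        $msiArgs += "SECURITYTYPE=$EnrollingUserSecurityType"
    }
    if ($CbSensorUrl)       { $msiArgs += "CBSENSORURL=$CbSensorUrl" }
    if ($CbSensorConfigUrl) { $msiArgs += "CBSENSORCONFIGURL=$CbSensorConfigUrl" }
    # Documented requirement: ASSIGNTOLOGGEDINUSER must be the last argument.
    if ($AssignToLoggedInUser) { $msiArgs += 'ASSIGNTOLOGGEDINUSER=Y' }
    return $msiArgs
}

function Invoke-HubStagingEnrollment {
    param([Parameter(Mandatory)] [string[]] $MsiexecArguments)
    # Join into one command line so quoting is passed through unchanged.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
        -ArgumentList ($MsiexecArguments -join ' ') -Wait -PassThru -NoNewWindow
    # Windows Installer exit codes: 0 = success, 3010 = success but reboot required.
    switch ($proc.ExitCode) {
        0       { return 'Succeeded' }
        3010    { return 'SucceededRebootRequired' }
        default { throw "msiexec exited with code $($proc.ExitCode); check the /L*v log." }
    }
}

# Usage (placeholder values). Prompting for the staging account keeps the
# password out of a BAT file that would otherwise sit on a share or the device.
$staging = Get-Credential -Message 'Workspace ONE UEM staging account'
$msiArgs = New-HubStagingArguments -MsiPath 'Q:\Staging\AirwatchAgent.msi' `
    -InstallDir 'E:\Install Win32' -Server 'companyURL.com' -GroupId 'locationgroupid' `
    -StagingCredential $staging -AssignToLoggedInUser
Invoke-HubStagingEnrollment -MsiexecArguments $msiArgs
Remove-Variable msiArgs, staging   # the argument array holds the clear-text password
```

Two caveats remain whatever the wrapper does: the staging password is still passed on the msiexec command line, where any local process enumeration can read it while the installer runs, and a verbose MSI log can record public property values, so treat the log file like a credential file and restrict who can read it.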
    

Workspace ONE UEM and Azure AD Integration

Through integration with Microsoft Azure Active Directory, you can automatically enroll your Windows devices into Workspace ONE UEM with minimal end-user interaction. Learn how Azure AD integration simplifies enrolling your Windows devices.

Before you can enroll your devices using Azure AD Integration, you must configure Workspace ONE UEM and Azure AD. The configuration requires entering information into your Azure AD and Workspace ONE UEM deployments to facilitate communication. Setup is different depending on your environment. Follow the appropriate procedure for your SaaS or on-premises deployment.

Azure AD integration enrollment supports three different enrollment flows.

  • Join Azure AD
  • Out of Box Experience enrollment
  • Office 365 enrollment

All methods require configuring Azure AD integration with Workspace ONE UEM.

Important: Enrollment through Azure AD integration requires Windows and Azure Active Directory Premium License.

SaaS Environments: Azure AD as an Identity Service

Before you can use Azure AD to enroll your Windows devices, you must configure Workspace ONE UEM to use Azure AD as an identity service. Enabling Azure AD requires entering data in both the Azure Management Portal and in Workspace ONE UEM. Use tabs in your browser to have both instances open to help with entering data in both consoles.

Prerequisites

  • You must have a Premium Azure AD P1 or P2 subscription to integrate Azure AD with Workspace ONE UEM.
  • Azure AD integration with Workspace ONE UEM must be configured at the tenant where Active Directory (such as LDAP) is configured. If you have a custom domain name associated with your SaaS instance, see the next section (On-Premises Environments or SaaS Environment with a Custom Domain Name) for those specific instructions instead.

Important: Configure and Save LDAP First
If you are setting the Current Setting to Override on the Directory Services system settings page in Workspace ONE UEM, you must configure and save the LDAP settings before enabling Azure AD for identity services.

Procedure

  1. In Workspace ONE UEM, enable the integration with Azure AD, enter the Azure AD Tenant ID, and retrieve MDM enrollment URLs to enter into Azure.
    1. Select the applicable organization group.
    2. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
    3. On the Server tab, enable Azure AD Integration.
    4. In another tab in your browser, log in to the Azure Management Portal with your Microsoft account or organizational account to get the Azure AD Tenant ID.
      1. Select Azure Active Directory to view the Overview page.
      2. Copy the Azure AD Tenant ID from the Azure AD Overview page
    5. Go back to the Workspace ONE UEM console instance and paste the Azure AD Tenant ID into the Directory ID text box.
    6. Continuing in the Workspace ONE UEM instance, enable Use Azure AD For Identity Services.
      Note the MDM discovery URL and the MDM Terms of Use URL because you must enter them into Azure. You can copy them between tabs if you are using multiple browser tabs or consider copying them somewhere on your PC.
  2. In Azure AD, add the Workspace ONE UEM app and add the MDM URLs.
    1. In the Azure Management Portal instance, select your directory and navigate to the Mobility (MDM and MAM) tab.
    2. Select Add Application, select the AirWatch by VMware app, and choose Add.
    3. Select the AirWatch by VMware app that you just added to change the MDM user scope to All.
    4. Copy your MDM Terms of Use URL from your PC or from the browser tab with the Workspace ONE UEM instance, and paste it into the MDM terms of use URL text box in Azure.
    5. Copy your MDM discovery URL from your PC or from the browser tab with the Workspace ONE UEM console instance and paste it into the MDM discovery URL text box in Azure.
    6. Save your settings.
  3. In Workspace ONE UEM, enter the Azure AD Primary domain and save the settings.
    1. In the Azure Management Portal instance, go to the Azure AD Overview page and copy the Primary domain from the Azure AD Overview page.
    2. On the browser tab with the Workspace ONE UEM console instance, paste the Primary domain string in the Tenant Name text box.
    3. Save the settings on the Workspace ONE UEM Directory Services page.
  4. In Azure, assign premium licenses.
    1. In the Microsoft Azure console, select Azure Active Directory > Licenses.
    2. Select All Products and select the proper license in the list.
    3. Select Assign, select the users or groups for the license, and select Assign to complete the process.

On-Premises Environments or SaaS Environment with a Custom Domain Name: Azure AD as an Identity Service

Before you can use Azure AD to enroll your Windows devices, you must configure Workspace ONE UEM to use Azure AD as an identity service. Enabling Azure AD requires entering data in both the Azure Management Portal and in Workspace ONE UEM. Use tabs in your browser to have both instances open to help with entering data in both consoles.

Prerequisites

  • You must have a Premium Azure AD P1 or P2 subscription to integrate Azure AD with Workspace ONE UEM.
  • Azure AD integration with Workspace ONE UEM must be configured at the tenant where Active Directory (such as LDAP) is configured.
  • In the Azure Active Directory portal, add a custom domain for your domain name with Microsoft Azure. Follow Microsoft's documentation at Add your custom domain name using the Azure Active Directory portal.

Important: Configure and Save LDAP First
If you are setting the Current Setting to Override on the Directory Services system settings page in Workspace ONE UEM, you must configure and save the LDAP settings before enabling Azure AD for identity services.

Procedure

  1. In Workspace ONE UEM, enable the integration with Azure AD, enter the Azure AD Tenant ID, and retrieve MDM enrollment URLs to enter into Azure.
    1. Select the applicable organization group.
    2. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
    3. On the Server tab, enable Azure AD Integration.
    4. In another tab in your browser, log in to the Azure Management Portal with your Microsoft account or organizational account and get the Azure AD Tenant ID.
      1. Select Azure Active Directory to view the Overview page.
      2. Copy the Azure AD Tenant ID from the Azure AD Overview page.
    5. Go to the Workspace ONE UEM console instance and paste the Azure AD Tenant ID into the Directory ID text box.
    6. Continuing in the Workspace ONE UEM instance, enable Use Azure AD For Identity Services.
      Note the MDM discovery URL and the MDM Terms of Use URL, because you must enter them into Azure. Copy them between browser tabs, or save them in a text file on your PC.
  2. In Azure AD, add the on-premises version of the Workspace ONE UEM app and add the MDM URLs.
    1. In the Azure Management Portal instance, select your directory and navigate to the Mobility (MDM and MAM) tab.
    2. Select Add Application and select the On Premises MDM app. Then, choose Add.
    3. Select the On Premises MDM app that you just added to set the MDM user scope to All or Some.
    4. Select a group of users.
    5. Copy your MDM Terms of Use URL from your PC or from the browser tab with the Workspace ONE UEM instance, and paste it into the MDM terms of use URL text box in Azure.
    6. Copy your MDM discovery URL from your PC or from the browser tab with the Workspace ONE UEM console instance and paste it into the MDM discovery URL text box in Azure.
    7. Save your settings.
  3. In the Azure Management Portal, add your Workspace ONE UEM device services URL.
    1. In the Workspace ONE UEM instance, go to Groups & Settings > All Settings > System > Advanced > Site URLs and copy your Device Services URL.
    2. In the Azure Management Portal instance, select On-Premises MDM application settings > Expose an API.
    3. Select Edit for Application ID URI and enter your device services URL in the Application ID URI text box.
    4. Save the settings.
      Note: Saving the settings succeeds only if you completed the prerequisite task of adding a custom domain name. If you see an error, check that you added your custom domain to Azure.
  4. In Workspace ONE UEM, enter the Azure AD Primary domain and save the settings.
    1. In the Azure Management Portal instance, go to the Azure AD Overview page and copy the Primary domain from the Azure AD Overview page.
    2. In the Workspace ONE UEM console instance, paste the Primary domain string in the Tenant Name text box.
    3. Save the settings on the Workspace ONE UEM Directory Services page.
  5. In Azure, assign premium licenses.
    1. In the Microsoft Azure console, select Azure Active Directory > Licenses.
    2. Select All Products and select the proper license in the list.
    3. Select Assign, select the users or groups for the license, and select Assign to complete the process.

Enroll a Device with Azure AD

Enroll devices with Azure AD integration to enroll a device into the correct organization group in Workspace ONE UEM automatically. Devices enrolled through Azure AD join completely, meaning all users on the device join the domain.

This enrollment flow is for devices not already joined to Azure AD.

Procedure

  1. Navigate on the Windows device to Settings > Accounts > Access Work or School. Select Continue.
  2. Enter your Email Address. Select Next.
  3. Ensure that the Workspace ONE UEM welcome page displays. Select Continue.
  4. Select Accept if terms of use are enabled.
  5. Select Join to confirm that you want to enroll in Workspace ONE UEM.
  6. Select Finish to complete joining your device to Workspace ONE UEM. Your device now downloads the applicable policies and profiles.

Enroll an Azure AD Managed Device into Workspace ONE UEM

Devices that are joined to Azure AD use a different enrollment flow than devices enrolling through Azure AD integration. Use this enrollment flow to enroll a device that is already joined to Azure AD into Workspace ONE UEM.

Prerequisites

  • Windows OS build 14393.82 and above.
  • KB update KB3176934 installed.
  • No MDM applications installed under your Azure AD management portal.
  • Azure AD account configured on the device.
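
The prerequisites above can be checked on the device before you start the enrollment. The following PowerShell is an added example, not code from the Workspace ONE UEM documentation: it reads the full build number (CurrentBuild plus UBR) from the registry, looks for the KB, asks dsregcmd whether the device is Azure AD joined, and lists any MDM enrollments already present. Assumptions: an elevated PowerShell session on Windows 10; the registry key HKLM:\SOFTWARE\Microsoft\Enrollments with its UPN and ProviderID values is where Windows records MDM enrollments (observed behaviour, not something the page states); the function names are mine.

```powershell
# Added example (not part of the Workspace ONE UEM documentation): checks the
# prerequisites for enrolling an Azure AD joined device into Workspace ONE UEM.
# Assumptions: elevated PowerShell on Windows 10; dsregcmd.exe ships with
# Windows; HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with UPN/ProviderID
# values is where Windows records MDM enrollments (observed behaviour).

$MinimumBuild = [version]'10.0.14393.82'   # documented prerequisite build
$RequiredKb   = 'KB3176934'                 # documented prerequisite update

function Get-WindowsBuildVersion {
    # CurrentBuild plus UBR gives the full build number (for example 14393.82);
    # [System.Environment]::OSVersion does not expose the UBR part.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('10.0.{0}.{1}' -f $nt.CurrentBuild, $nt.UBR)
}

function Test-AzureAdJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" for an Azure AD joined device.
    $status = & dsregcmd.exe /status
    [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
}

function Get-ExistingMdmEnrollments {
    # Each MDM enrollment is a GUID-named subkey; ProviderID names the MDM server.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID } |
        Select-Object ProviderID, UPN
}

$checks = [ordered]@{
    'OS build 14393.82 or later' = (Get-WindowsBuildVersion) -ge $MinimumBuild
    "$RequiredKb installed"      = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)
    'Device is Azure AD joined'  = Test-AzureAdJoined
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# The KB check is advisory: once later cumulative updates are installed, the
# original KB no longer appears in Get-HotFix even though its fix is present,
# so treat the build number as the authoritative test.
if (-not $checks['Device is Azure AD joined']) {
    Write-Warning 'Add the Azure AD account to the device (Settings > Accounts > Access work or school) before enrolling.'
}

$existing = Get-ExistingMdmEnrollments
if ($existing) {
    Write-Host 'MDM enrollments already present on this device:'
    $existing | Format-Table -AutoSize
}
```

The last block is informational: after a successful enrollment the same registry location is where you should see both the Azure AD account and the Workspace ONE UEM MDM account that step 3 of the procedure tells you to confirm in Settings.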

Procedure

  1. On the device, navigate to Settings > Accounts > Access work or school and select Enroll only in device management. You may also enroll through the Workspace ONE Intelligent Hub for Windows.

  2. Complete the enrollment process. You must enter an email address with a different domain than your Azure AD account.

    1. If you are using Windows Auto-Discovery, see Enroll Through Work Access With Windows Auto-Discovery.
    2. If you are not using Windows Auto-Discovery, see Enroll Through Work Access Without Windows Auto-Discovery.
  3. Navigate to Settings > Accounts > Access work or school and ensure that there is an Azure AD account and a Workspace ONE UEM MDM account added.

    Azure AD and Workspace ONE UEM accounts

Enroll Through Out of Box Experience

Out of Box Experience (OOBE) enrollment automatically enrolls a device into the correct organization group as part of the initial setup and configuration of a Windows device.

Important: The OOBE enrollment flow does not support Enterprise Wipe. If you perform an enterprise wipe, users cannot log in to the device because the connection to Azure AD is broken. Create a local admin account before sending an Enterprise Wipe; otherwise you are locked out of the device and forced to reset it.

Note: The custom settings profiles cannot be tracked during OOBE and will not apply during provisioning.

Prerequisites

The OOBE process can take some time to complete on end-user devices. Consider enabling the progress display for the install status. This display lets end users know where they are in the process. To enable the display, navigate to Groups & Settings > All Settings > General > Enrollment > Optional Prompt. To display the status of profiles during enrollment, you must enable the Track Profile Status during OOBE Provisioning option in the General profile settings.

An animated GIF displaying the Out of Box Experience Progress Display in action

Procedure

  1. Power on the device and follow the steps to configure Windows until you reach the Choose how you'll connect screen.

    Choose how you'll connect screen

  2. Select Join Azure AD. Select Continue.

  3. Enter your Azure AD/Workspace ONE UEM email address as the Work or school account.

    Enter your email

  4. Enter your Password. Select Sign In.

  5. Ensure that the Welcome to AirWatch screen displays. Select Continue.

    Ensure you get the welcome screen

  6. Select the Device Ownership type and enter the Asset Number if applicable. Select Next.

  7. Select Accept if terms of use are enabled.

  8. Select Join to confirm that you want to enroll in Workspace ONE UEM.

  9. Select Finish to complete joining your device to Workspace ONE UEM. Your device now downloads the applicable policies and profiles.

Enroll Through Office 365 Apps

If your organization uses Office 365 and Azure AD integration, end users can enroll their devices the first time they open an Office 365 app.

Procedure

  1. Select Add a Work Account the first time you open an Office 365 application.
  2. Enter your Email Address and Password. Select Sign In.
  3. Ensure that the Workspace ONE UEM welcome page displays. Select Continue.
  4. Select Accept if terms of use are enabled.
  5. Select Join to confirm that you want to enroll in Workspace ONE UEM.
  6. Select Finish to complete joining your device to Workspace ONE UEM. Your device now downloads the applicable policies and profiles.

Bulk Provisioning and Enrollment for Windows Devices

Bulk provisioning lets you create a pre-configured package that stages Windows devices and enrolls them into Workspace ONE UEM. Learn how to use bulk provisioning to enroll and configure multiple devices with a standard user account.

This enrollment flow is the only way to enroll a device with a standard user account. Admin permissions are still required to run the pre-configured package. Bulk provisioning only supports single user standard staging.

To use bulk provisioning, download the Microsoft Assessment and Deployment Kit and install the Imaging and Configuration Designer (ICD) tool. The ICD creates provisioning packages used to image devices. As part of these provisioning packages, you can include Workspace ONE UEM configuration settings so that provisioned devices are automatically enrolled into Workspace ONE UEM during the initial Out of Box Experience (OOBE).

To map the devices to the correct end user automatically, register the devices per user or using a bulk import before creating the provisioning package.

Enroll with Bulk Provisioning

The Microsoft Imaging and Configuration Designer tool allows you to create a provisioning package to enroll multiple Windows devices into Workspace ONE UEM quickly and easily. Once the package is installed, the device automatically enrolls into Workspace ONE UEM.

Procedure

  1. Download the Microsoft Assessment and Deployment Kit for Windows and install the Windows Imaging and Configuration Designer tool (ICD).

  2. Start the Windows ICD and select New Provisioning Package.

  3. Enter a Project Name and select the settings to view and configure. The typical choice is the Common to all Windows desktop editions option.

  4. (Optional) Import a provisioning package if you want to create a provisioning package based on the settings of a previous package.

  5. Navigate to Runtime Settings > Workplace > Enrollments.

  6. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Staging and Provisioning. Opening this settings page creates a staging user and displays the URLs for that staging user. You can create your own staging user for bulk provisioning, but the values displayed on this page apply only to the staging user the page created, not to users you create yourself.

  7. Copy the UPN and paste it into the UPN text box of the ICD.

  8. Select the down arrow next to Enrollments in the Available Customizations window.

    Enrollments in the Available Customizations window are shown

  9. Configure the following settings.

    1. Select AuthPolicy and select the value displayed in the Workspace ONE UEM console.
    2. Select DiscoveryServiceFullURL and copy the URL displayed in the Workspace ONE UEM console.
    3. Select EnrollmentServiceFullURL and copy the URL displayed in the Workspace ONE UEM console.
    4. Select PolicyServiceFullURL and copy the URL displayed in the Workspace ONE UEM console.
    5. Select Secret and copy the value displayed in the Workspace ONE UEM console.
  10. Select File > Save to save the project.

  11. Select Export > Provisioning Package to create a package for use with bulk provisioning, and then select Next.

  12. If you choose to encrypt the package, save the Encryption password for later use, and then select Next.

  13. Save the package to a USB drive for transfer to each device you want to provision. You can also email the package to the device.

  14. Select Build to create the package.
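
Steps 5 through 14 can also be scripted with the command-line interface of the Imaging and Configuration Designer. The following PowerShell function is an added example, not VMware/Broadcom or Microsoft code: it writes the Workplace > Enrollments customization (the same UPN, AuthPolicy, DiscoveryServiceFullURL, EnrollmentServiceFullURL, PolicyServiceFullURL and Secret values you copy from the Staging and Provisioning page) into a customizations XML file and builds the package with ICD.exe. Assumptions: the default ADK install path for ICD.exe; the XML skeleton (WindowsCustomizations, PackageConfig and Settings elements) matches what ICD itself exports, so compare it against a package you saved from the ICD user interface before relying on it; the function name and parameter names are mine. The Secret is a credential for the staging user, so the function accepts it as a SecureString, keeps the clear-text XML only for the duration of the build, and can build an encrypted package (step 12 above).

```powershell
# Added example: builds the Workspace ONE UEM bulk provisioning package from the
# command line. Not VMware/Broadcom or Microsoft code; names and the ICD.exe
# path are assumptions. Values come from Groups & Settings > All Settings >
# Devices & Users > Windows > Windows Desktop > Staging and Provisioning.

function New-Ws1ProvisioningPackage {
    param(
        [Parameter(Mandatory)] [string] $Upn,                       # staging user UPN
        [Parameter(Mandatory)] [string] $AuthPolicy,                # value shown in the console
        [Parameter(Mandatory)] [string] $DiscoveryServiceFullURL,
        [Parameter(Mandatory)] [string] $EnrollmentServiceFullURL,
        [Parameter(Mandatory)] [string] $PolicyServiceFullURL,
        [Parameter(Mandatory)] [securestring] $Secret,              # staging secret from the console
        [string] $PackagePath = (Join-Path $PWD 'WS1-BulkEnroll.ppkg'),
        [switch] $Encrypt,
        # Default ICD.exe location of the Windows ADK (assumption; adjust for your install).
        [string] $IcdPath = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe'
    )
    if (-not (Test-Path -LiteralPath $IcdPath)) { throw "ICD.exe not found at $IcdPath" }

    # Escape every console value so a URL containing & or quotes cannot break the XML.
    function Esc([string] $s) { [System.Security.SecurityElement]::Escape($s) }
    $plainSecret = [pscredential]::new('staging', $Secret).GetNetworkCredential().Password

    # Skeleton assumed to follow the customizations.xml that ICD exports; the
    # Workplace > Enrollments node carries the same five settings as the UI steps.
    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
    <ID>{$([guid]::NewGuid())}</ID>
    <Name>WS1-BulkEnroll</Name>
    <Version>1.0</Version>
    <OwnerType>OEM</OwnerType>
    <Rank>0</Rank>
  </PackageConfig>
  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
    <Customizations>
      <Common>
        <Workplace>
          <Enrollments>
            <UPN UPN="$(Esc $Upn)">
              <AuthPolicy>$(Esc $AuthPolicy)</AuthPolicy>
              <DiscoveryServiceFullURL>$(Esc $DiscoveryServiceFullURL)</DiscoveryServiceFullURL>
              <EnrollmentServiceFullURL>$(Esc $EnrollmentServiceFullURL)</EnrollmentServiceFullURL>
              <PolicyServiceFullURL>$(Esc $PolicyServiceFullURL)</PolicyServiceFullURL>
              <Secret>$(Esc $plainSecret)</Secret>
            </UPN>
          </Enrollments>
        </Workplace>
      </Common>
    </Customizations>
  </Settings>
</WindowsCustomizations>
"@

    # The XML holds the staging secret in clear text, so it lives only in a temp
    # file for the duration of the build and is deleted afterwards.
    $customizationXml = Join-Path ([IO.Path]::GetTempPath()) "ws1-$([guid]::NewGuid()).xml"
    try {
        Set-Content -LiteralPath $customizationXml -Value $xml -Encoding UTF8
        $icdArgs = @('/Build-ProvisioningPackage',
                     "/CustomizationXML:$customizationXml",
                     "/PackagePath:$PackagePath",
                     '+Overwrite')
        # +Encrypted makes ICD generate a decryption password and print it in its
        # output; record it, because the device asks for it when the package is applied.
        if ($Encrypt) { $icdArgs += '+Encrypted' }
        & $IcdPath @icdArgs
        if ($LASTEXITCODE -ne 0) { throw "ICD.exe exited with code $LASTEXITCODE" }
    } finally {
        Remove-Item -LiteralPath $customizationXml -Force -ErrorAction SilentlyContinue
        $plainSecret = $null
    }
    Get-Item -LiteralPath $PackagePath
}

# Usage (all values are placeholders; paste the real ones from the console):
# New-Ws1ProvisioningPackage -Upn 'staging@example.com' -AuthPolicy '<value from console>' `
#     -DiscoveryServiceFullURL 'https://ds.example.com/<from console>' `
#     -EnrollmentServiceFullURL 'https://ds.example.com/<from console>' `
#     -PolicyServiceFullURL 'https://ds.example.com/<from console>' `
#     -Secret (Read-Host -AsSecureString 'Staging secret') -Encrypt
```

Record the SHA256 of the resulting .ppkg (Get-FileHash) before you copy it to USB drives or email it; the package both carries the staging secret and re-points device management, so the device side should confirm it is applying exactly the file you built.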

Install Bulk Provisioning Packages

After you create the provisioning packages using the Microsoft Imaging and Configuration Designer, you must install the provisioning package onto the end-user devices.

  1. On the device you want to provision, navigate to Settings > Accounts > Work Access and select Add or remove a package for work or school. If the package was emailed, start the package from your mail client.

  2. Select Add a package and select the Removable Media choice as the method to add the package.

  3. Select the correct package from the list provided.

    If you added the device to the user account in the Workspace ONE UEM console before provisioning, the device is assigned upon enrollment.
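
The three steps above can be performed without the Settings app, which is useful when you stage many devices. The following PowerShell function is an added example, not code from the documentation or from VMware/Broadcom: it verifies the package hash (my addition, because the page allows the package to arrive by email or USB), applies it with the Provisioning module, and then waits for the Workspace ONE UEM MDM enrollment for the staging UPN to appear. Assumptions: an elevated PowerShell session on the target device with the Provisioning module (Windows 10 1703 and later); an unencrypted package, since an encrypted one prompts for its password; the registry location HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with UPN, ProviderID and DiscoveryServiceFullURL values reflects observed Windows behaviour rather than anything this page documents; the function name is mine.

```powershell
# Added example (not part of the documentation): applies a bulk provisioning
# package and confirms the resulting MDM enrollment. Assumptions: elevated
# PowerShell on the target device with the Provisioning module (Windows 10
# 1703 and later); an unencrypted package (an encrypted one prompts for its
# password); HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with UPN and
# ProviderID values is where Windows records an MDM enrollment (observed behaviour).

function Install-Ws1ProvisioningPackage {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # hash recorded when the package was built
        [Parameter(Mandatory)] [string] $StagingUpn,       # UPN from the Staging and Provisioning page
        [int] $TimeoutSeconds = 300,
        [string] $LogDirectory = (Join-Path $env:TEMP 'ws1-ppkg-logs')
    )
    if (-not (Test-Path -LiteralPath $PackagePath)) { throw "Package not found: $PackagePath" }

    # A provisioning package runs with system privileges and re-points device
    # management, so refuse anything that is not the package you built.
    $actual = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Refusing to apply $PackagePath: SHA256 $actual does not match expected $ExpectedSha256"
    }

    # -QuietInstall suppresses the consent prompt; -ForceInstall re-applies a
    # package whose ID has been applied on this device before.
    Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall `
        -LogsDirectoryPath $LogDirectory | Out-Null

    # Enrollment runs asynchronously after the package is applied; poll for it.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.UPN -eq $StagingUpn } |
            Select-Object -First 1
        if ($enrollment) {
            return [pscustomobject]@{
                UPN        = $enrollment.UPN
                ProviderID = $enrollment.ProviderID
                Discovery  = $enrollment.DiscoveryServiceFullURL
            }
        }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)

    throw ("No MDM enrollment for $StagingUpn appeared within $TimeoutSeconds s. " +
           "Check $LogDirectory and the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log.")
}

# Usage from removable media (drive letter and hash are placeholders):
# Install-Ws1ProvisioningPackage -PackagePath 'E:\WS1-BulkEnroll.ppkg' `
#     -ExpectedSha256 '<hash recorded at build time>' -StagingUpn 'staging@example.com'
```

When the function returns, the device has enrolled as the staging user; if you registered the device to its end user in the console beforehand, the console reassigns it on enrollment as described above.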

Enroll with Registered Mode

Windows devices enrolled through the Workspace ONE Intelligent Hub or OOBE are MDM managed by default. To allow Windows devices to enroll without MDM management, you can enable registered mode (unmanaged) for an entire organization group or with smart groups and specific criteria.

Registered mode supports the listed enrollment methods.

  • Staging Users
    • Command line staging
    • Manual device staging
    • Silent enrollment parameters and values
  • Workspace ONE Intelligent Hub for Windows with SAML authentication

Enable registered mode by organization groups or by smart groups. When you use smart groups, group devices for registered mode by OS version, platform, ownership type, or users.

With registered mode enrollment, users can use a subset of Workspace ONE services without MDM management, including Workspace ONE Assist, VMware Workspace ONE Tunnel, Digital Employee Experience Management (DEEM), and Workspace ONE Hub Services.

Procedure

  1. In the Workspace ONE UEM console, select the organization group to be enabled with registered mode enrollment and navigate to Devices > Devices Settings > Devices & Users > General > Enrollment > Management Mode.
  2. For Current Setting, select Override.
  3. For Windows, select Enabled.
  4. Select Enabled for All Windows devices in this Organization Group.
  5. Optionally, you can add smart groups that are enabled for registered mode enrollments in Windows Smart Groups.
  6. Save your settings.

Results

Users with Windows devices from the configured smart group or the specified organization group can use product capabilities without MDM management. Device information and management capabilities from within the console are limited. Only the relevant profiles are installed on these devices.

Post-Enrollment Onboarding Settings

Admins have been shifting from imaging-based workflows to just-in-time, over-the-air provisioning. In these provisioning scenarios, it is important to inform users about what is happening while their devices enroll. Workspace ONE Intelligent Hub for Windows displays, and notifies users of, the status of applications that are actively downloading and installing during the Windows enrollment process. This feature also provides a way to customize the user messaging during setup.

Considerations

  • Post-enrollment onboarding settings are enabled by default on Windows devices managed in Workspace ONE UEM.
  • The feature works in Workspace ONE UEM 2105 or later.
  • The feature works with the Workspace ONE Intelligent Hub for Windows 21.05 and later.
  • Enrolling through the Workspace ONE Intelligent Hub for Windows is not required as this feature works for any enrollment method, including Web Enrollment. However, you must install the app on devices to apply configurations and to display the experience.

Behaviors of the Workspace ONE Intelligent Hub

  • When installed, the Workspace ONE Intelligent Hub for Windows detects the enrollment and launches the experience.
    Note: The experience does not apply to upgrade scenarios. It only impacts new enrollments.
  • Directly after enrollment, the Workspace ONE Intelligent Hub launches, displays your customizations, and tracks all apps that are set to Automatic deployment.

Deactivate the Post-Enrollment Onboarding Experience

  1. Select the applicable organization group.
  2. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > Devices & Users > General > Enrollment > Optional Prompt > Windows > Enable Post-Enrollment Onboarding Experience.
  3. Deactivate the setting.

Customize the Post-Enrollment Onboarding Experience Message

  1. Select the applicable organization group.
  2. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > Devices & Users > General > Enrollment > Optional Prompt > Windows > Enable Post-Enrollment Onboarding Experience.
  3. If this feature was deactivated previously, select Enabled. The feature is enabled by default.
  4. When post-enrollment onboarding is enabled, you can customize the Welcome Header, Welcome Subheader, and Body Text fields of the post-enrollment onboarding experience message using text and lookup values.

Windows Enrollment Statuses

If you look at enrollment settings on the Devices > Devices Settings > Devices & Users > General > Enrollment page, you see three general enrollment scenarios for Windows devices.

  • Open Enrollment

    Allows anyone meeting other enrollment criteria (authentication mode, restrictions, and so on) to enroll.

  • Registered Devices Only

    Allows users to enroll using devices you or they have registered. Device registration is the process of adding corporate devices to the Workspace ONE UEM console before they are enrolled. This matrix applies to devices that register without a token.

  • Require Registration Token

    If you restrict enrollment to registered devices only, you also have the option of requiring a registration token to be used for enrollment. This increases security by confirming that a particular user is authorized to enroll.

Device Type

The type of device guides how the Workspace ONE UEM system tracks and displays the device's enrollment status.

  • Allowlisted devices - The Workspace ONE UEM admin adds a list of devices that are pre-approved to enroll.
  • Denylisted devices - The Workspace ONE UEM admin adds a list of devices that are not allowed to enroll.
  • Registered devices (without attributes) - The Workspace ONE UEM admin registers devices by adding device information to the console. If the admin does not enter device attributes, the system uses device information, which includes user, platform, model, and ownership type.
  • Registered devices (with attributes) - The Workspace ONE UEM admin registers devices by adding device attributes to the console. Device attributes include UDID, IMEI, and serial number.

Enrollment Lifecycle for Devices

Device enrollment with Workspace ONE UEM has three general stages.

  1. (Optional) Admins register devices or users self-register their devices in Workspace ONE UEM.

    Registration helps restrict enrollment.

  2. Device users or admins enroll devices with Workspace ONE UEM.

  3. Device users or admins unenroll devices with Workspace ONE UEM.

Console Displays Set Statuses

The enrollment type, device type, and stage of enrollment dictate the Enrollment Status and Token Status displayed for Windows devices on the Devices > Lifecycle > Enrollment Status page. In the lists that follow, each device type shows the Enrollment Status and Token Status for the registered, enrolled, and unenrolled stages. Attributes are Serial Number, IMEI, and UDID.

Open Enrollment

  • Allowlisted device
    • Registered: Enrollment Status Registered, Token Status Compliant
    • Enrolled: Enrollment Status Enrolled, Token Status Compliant
    • Unenrolled: Enrollment Status Unenrolled, Token Status Compliant
  • Denylisted device
    • Registered: Enrollment Status Denylisted, Token Status Non-Compliant
    • Enrolled: Not Applicable
    • Unenrolled: Not Applicable
  • Registered device without attributes
    • Registered: Enrollment Status Registered, Token Status Registration Active
    • Enrolled: Enrollment Status Enrolled, Token Status Registration Active
    • Unenrolled: Enrollment Status Registered, Token Status Registration Active
  • Registered device with attributes
    • Registered: Enrollment Status Registered, Token Status Registration Active
    • Enrolled: Enrollment Status Enrolled, Token Status Registration Active
    • Unenrolled: Enrollment Status Registered, Token Status Registration Active

Registered Devices Only (No Token)

  • Allowlisted device
    • Registered: Enrollment Status Registered, Token Status Compliant
    • Enrolled: Enrollment Status Enrolled, Token Status Compliant
    • Unenrolled: Enrollment Status Unenrolled, Token Status Compliant
  • Denylisted device
    • Registered: Enrollment Status Denylisted, Token Status Non-Compliant
    • Enrolled: Not Applicable
    • Unenrolled: Not Applicable
  • Registered device without attributes
    • Registered: Enrollment Status Registered, Token Status Registration Active
    • Enrolled: Enrollment Status Enrolled, Token Status Registration Active
    • Unenrolled: Enrollment Status Registered, Token Status Registration Active
  • Registered device with attributes
    • Registered: Enrollment Status Registered, Token Status Registration Active
    • Enrolled: Enrollment Status Enrolled, Token Status Expired
    • Unenrolled: Enrollment Status Registered, Token Status Registration Active

Require Registration Token

  • Registered device without attributes
    • Registered: Enrollment Status Registered, Token Status Registration Active
    • Enrolled: Enrollment Status Enrolled, Token Status Not Applicable
    • Unenrolled: Enrollment Status Unenrolled, Token Status Registration Expired
  • Registered device with attributes
    • Registered: Enrollment Status Registered, Token Status Registration Active
    • Enrolled: Enrollment Status Enrolled, Token Status Not Applicable
    • Unenrolled: Enrollment Status Unenrolled, Token Status Registration Expired