How Do You Enroll Devices In Workspace ONE UEM?

Enrolling devices in bulk normally happens for new customers who want to bring end user devices in their environment under the Workspace ONE UEM umbrella. These detailed use cases show every step of bulk enrolling your devices along three of the most popular paths: bring your own device (BYOD), corporate owned personally enabled (COPE), and shared devices.

Bring Your Own Device (BYOD)

Privacy Concerns

You can take preemptive steps to address privacy concerns your device end users might have. For detailed instructions on configuring privacy settings in Workspace ONE UEM, see Privacy for BYOD Deployments.

1. Integrate with Directory Services

Set up Directory Services with a Wizard

The Workspace ONE UEM console provides a simplified wizard that streamlines the directory services setup process. The wizard includes steps that integrate Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP), or both. The wizard also automates the provisioning of Workspace ONE UEM applications to VMware Identity Manager, greatly simplifying the process.

For more information about integrating Workspace ONE UEM with Workspace ONE Access and deploying Workspace ONE with single sign-on to devices, see Workspace ONE UEM Integration with Workspace ONE Access.

Note: If you already configured SAML or LDAP settings on your directory services server, the UEM console detects it automatically.

  1. You can access the directory services setup wizard from either of two places.

    • The main UEM console Getting Started Wizard.

    • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services and select Start Setup Wizard.

      The Advanced section of the Directory Services system settings also lets you enable Azure AD for identity services and enable SAML for authentication.

  2. Upon launching the wizard, select Configure to follow the steps.

Set up Directory Services Manually

Alternatively, select Skip to bypass the wizard and configure directory services manually.

2. Configure Enrollment Options

  1. Change to the customer type OG from which you want to manage all your BYOD devices. Configuring enrollment options is easier when you are in the correct OG. For more information, see Changing Organization Groups.

  2. Navigate to Groups & Settings > All Settings > Devices & Users > Enrollment. If the options under the first tab, Authentication, are dimmed and not selectable, select the Override option under Current Setting to make them editable.

    1. Under the Authentication tab, select the Add Email Domain button. The Add Email Domain screen displays.
    2. Enter your business email domain, for example acme.com, and a confirmation email address, for example [email protected]. If you operate multiple domains, repeat steps 1 and 2 for each domain your employees use. The email address you enter here receives enrollment confirmations.
    3. Under Authentication Mode(s) deselect Basic and select Directory. Leave Authentication Proxy unchecked.
    4. Under Source of Authentication for Intelligent Hub, enable Workspace ONE UEM. If you use other VMware products such as vRA, vShield, NSX and so on, then select Workspace ONE Access instead.
    5. Under Devices Enrollment Mode, select Open Enrollment. This setting means you are not making a list of devices that are allowed to enroll and you are not requiring a registration token.
    6. For the next three iOS and macOS options, inspect the info badges next to each option to determine which options make the most sense for your user base.
    7. Select Save.
  3. While still in Groups & Settings > All Settings > Devices & Users > Enrollment, select the Management Mode tab. If the options are dimmed and not selectable, select the Override option under Current Setting to make them editable.

    Devices enrolled with Intelligent Hub are MDM managed by default. The Management Mode tab lets you opt out of MDM management, on a per platform basis, for devices you want to enroll in Workspace ONE UEM under an alternate management mechanism such as app-based, registered mode, or unmanaged. Enable the platform and select the appropriate Smart Group to allow those devices to enroll without MDM management. When using smart groups, enrollment can be enabled based on the following criteria: OS Version, Ownership Type, and User Group. Use Adaptive Management app policies to control device management levels for iOS devices enrolled without management. If you want to keep MDM management, skip this tab and proceed to step 4 (Hub Integration).

    1. For each platform you want to opt out of MDM management in favor of an alternate management mechanism, select the Enabled button for that platform.

    2. Under All [platform] devices in this Organization Group, select Enabled if you want all devices that enroll in this OG to opt out of MDM management. Those devices can be managed in registered mode or at the application level, or they can remain unmanaged. Select Disabled to limit the opt-out to a smart group: click the text box to open the drop-down menu and select the name of the smart group whose devices should enroll without MDM management. Any like-platform devices that enroll in this OG but are not included in the smart group are enrolled as MDM managed.

      If you have not created this smart group yet, select the Create Smart Group button at the bottom of the drop-down menu. Then follow the instructions in Create a Smart Group, taking the Criteria path and making sure your platforms match: make an iOS smart group for the iOS Management Mode, an Android smart group for the Android Management Mode, and so on.

    3. Select Save.

  4. While still in Groups & Settings > All Settings > Devices & Users > Enrollment, select the Hub Integration tab. If the options are dimmed and not selectable, select the Override option under Current Setting to make them editable.

    1. Under Use Hub Services Features in Intelligent Hub, select Enabled to allow devices in this Organization Group to connect to Workspace ONE Hub Services for features such as App Catalog and People. Select Disabled to opt out of those Hub Services features.
    2. Select Save.
  5. While still in Groups & Settings > All Settings > Devices & Users > Enrollment, select the Terms of Use tab. If the options are dimmed and not selectable, select the Override option under Current Setting to make them editable.

    1. Under Require Enrollment Terms of Use Acceptance, select Enabled to require your end users to agree to the terms of use that you specify before they are allowed to enroll. Select Disabled to make acceptance of the Terms of Use optional for enrollment.
    2. (Optional) Select the Add New Enrollment Terms of Use button. The Create New Terms of Use screen displays, where you can enter a terms of use agreement and specify options including Platforms, Device Ownership, Enrollment Type, and Language. Confer with your legal team when crafting an effective terms of use agreement. Select Save to save the agreement.
    3. Select Save to save your Terms of Use tab selections.
  6. While still in Groups & Settings > All Settings > Devices & Users > Enrollment, select the Grouping tab. If the options are dimmed and not selectable, select the Override option under Current Setting to make them editable.

    1. Under Group ID Assignment Mode, select Default.
    2. Under the Default section, for Default Device Ownership, select Employee Owned, which is the main characteristic of a BYOD deployment.
    3. Under the Default section, for Default Role, select Basic Access, Full Access, or select a role that you have prepared.
    4. Under the Default section, for Default Action For Inactive Users, select Enterprise Wipe Currently Enrolled Devices. This option provides the greatest safeguard against corporate data loss if a device is stolen or goes missing.
    5. Under the User Group Sync section, for Sync User Groups in Real Time for Workspace ONE, select Disabled. When enabled, Workspace ONE synchronizes user groups for a given user as they register with the UEM Console. Because of its impact on Workspace ONE UEM performance, enable this option only if user group membership changes frequently and that membership determines whether a device is allowed to register.
    6. Under the User Role Mapping section, for Enable Directory Group-Based Mapping, deselect the check box to opt out of applying roles based on the user groups in your directory service. Select the check box to read all the user groups in your directory service and use that information to assign specific roles. For instance, you can apply "Role x" to everyone in your directory service user group "Managers" while applying "Role y" to everyone in another user group.
  7. While still in Groups & Settings > All Settings > Devices & Users > Enrollment, select the Restrictions tab. If the options are dimmed and not selectable, select the Override option under Current Setting to make them editable.

    1. If your device end users have not been added as users to Workspace ONE UEM and they are enrolling devices for the first time, then under User Access Control leave the Restrict Enrollment to Known Users check box deselected. However, if you have bulk imported users or sent them to the Self Service Portal to add themselves, consider enabling this check box.
    2. If you have not integrated your directory service user groups, then under User Access Control leave the Restrict Enrollment to Configured Groups check box deselected. However, if you integrated your directory service with Workspace ONE UEM so that UEM creates user groups based on the user groups in your directory service, consider enabling this check box to limit enrollment to users who belong to one of those directory service user groups.

    3. Under the Policy Settings section, select the Add Policy button to limit enrollment based on factors you decide. The Add/Edit Enrollment Restriction Policy screen displays; the available factors include ownership type, enrollment type, device platform, device model, and operating system.

    You can define multiple policies, for example one policy per platform that specifies a minimum model or OS version, and allow only those devices to enroll. This is a powerful tool, as step 5 shows.

    4. Under the Management Requirements for Workspace ONE section, when Require MDM for Workspace ONE is enabled, devices that fit the assigned criteria are prompted to enroll immediately upon logging in to Workspace ONE. Devices that do not fit the assigned criteria are allowed to log in in an unmanaged state and may come under management later through Adaptive Management. This option requires Workspace ONE application 3.2 or later.

    5. Under the Group Assignment Settings section, you can apply the policies you defined in step 3 and send qualifying devices to the user group of your choosing.

    For example, if you made a restriction policy that allows only Employee Owned (BYOD) Android devices running version 10 or later and a second restriction policy that allows only Employee Owned (BYOD) iPhones running version 15 or later, you can configure it so that Android users are added to one user group and iPhone users are added to another. Such organization can be useful later for content management.

  8. The remaining tabs, Optional Prompt and Customization, hold end-user-facing options that are less critical to BYOD functionality. For detailed instructions about each available option, see Optional Prompt and Customization.
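As an added illustration for steps 3 and 5 above (not Workspace ONE UEM code), the following Python models how restriction policies like the ones in the example evaluate a device and route it to a user group. The policy fields, platform labels, and group names are constructed for the example; real UEM policies are configured in the console, not in code.

```python
"""Model of enrollment restriction policies and group assignment.

Constructed for this page: the field names, platform labels and group
names are illustrative, not Workspace ONE UEM's own data model."""
from dataclasses import dataclass
from typing import Optional


def parse_version(version: str) -> tuple:
    """Split a dotted version such as '10.0.1' into (10, 0, 1).

    Comparing tuples of ints avoids the string-comparison trap where
    '9' would sort after '10'. Assumes purely numeric components."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class RestrictionPolicy:
    name: str            # policy label shown to the administrator
    ownership: str       # e.g. "Employee Owned"
    platform: str        # e.g. "Android", "iOS"
    min_os: str          # minimum OS version allowed to enroll
    assign_group: str    # user group qualifying devices are sent to


@dataclass
class Device:
    ownership: str
    platform: str
    os_version: str


def matching_policy(device: Device, policies) -> Optional[RestrictionPolicy]:
    """Return the first policy whose ownership, platform and minimum
    OS version the device satisfies, or None if no policy matches."""
    for policy in policies:
        if (policy.ownership == device.ownership
                and policy.platform == device.platform
                and parse_version(device.os_version) >= parse_version(policy.min_os)):
            return policy
    return None


def evaluate_enrollment(device: Device, policies) -> dict:
    """Decide whether a device may enroll and, if so, which user group
    it lands in (mirrors Policy Settings plus Group Assignment Settings)."""
    policy = matching_policy(device, policies)
    if policy is None:
        return {"allowed": False, "group": None, "policy": None}
    return {"allowed": True, "group": policy.assign_group, "policy": policy.name}


# Constructed policies mirroring the page's example: BYOD Android 10+
# and BYOD iPhones on 15+ each land in their own user group.
POLICIES = [
    RestrictionPolicy("BYOD Android", "Employee Owned", "Android", "10", "BYOD-Android"),
    RestrictionPolicy("BYOD iPhone", "Employee Owned", "iOS", "15", "BYOD-iOS"),
]

if __name__ == "__main__":
    for dev in (Device("Employee Owned", "Android", "10.0"),
                Device("Employee Owned", "Android", "9.1"),
                Device("Employee Owned", "iOS", "15.4.1"),
                Device("Corporate - Dedicated", "iOS", "16")):
        print(dev, "->", evaluate_enrollment(dev, POLICIES))
```

A corporate-owned iPhone on version 16 is refused here because neither constructed policy covers its ownership type, which is the behaviour the page describes for devices outside every policy.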

3. Enroll with Intelligent Hub

Enrolling a device with the Workspace ONE Intelligent Hub is the main option for Android, iOS, and Windows devices in Workspace ONE Express and Workspace ONE UEM.

  1. Download and install the Workspace ONE Intelligent Hub from the Google Play Store (for Android devices) or from the App Store (for Apple devices).

    Downloading the Workspace ONE Intelligent Hub from public application stores requires either an Apple ID or a Google Account.

    On Windows 10 devices, open https://getwsone.com in the default browser to download the Hub.

  2. Run the Workspace ONE Intelligent Hub when the download completes, or return to your browser session.

    Important: To install and run the Workspace ONE Intelligent Hub successfully on your Android device, the device must have at least 60 MB of space available. You can allocate CPU and run time memory on a per app basis on the Android platform. If an app uses more resources than allocated, Android devices optimize themselves by stopping that app.

  3. Enter your email address when prompted. The Workspace ONE console checks whether your address has been added to the environment; if it has, you are already configured as an end user and your organization group is already assigned.

    If the Workspace ONE console cannot identify you as an end user based on your email address, you are prompted to enter your Server, Group ID, and Credentials. Your Administrator can provide the environment URL and group ID.

  4. Finalize the enrollment by following all remaining prompts. You can use your email address in place of a user name. If two users share the same email address, the enrollment fails.

The device is now enrolled with the Workspace ONE Intelligent Hub app. In the Summary tab of the Device Details View for this device, the security panel displays "Hub Registered" to reflect this enrollment method.

Corporate Owned Personally Enabled (COPE) Workspace ONE Direct Enrollment

Direct Enrollment represents the smoothest way to enroll devices that are corporate-owned and personally enabled (COPE). The COPE model offers businesses a way to strike a balance between the consumerization of devices and the security and control required by IT.

As an administrator, you can configure Direct Enrollment with the options you want. These options include an optional prompt, restricting by device type, limiting by user group, and deferring app installation to the user.

Direct Enrollment is deactivated by default. To enable Workspace ONE Direct Enrollment, take the following steps.

  1. Switch to the organization group for which you want to enable Direct Enrollment for Workspace ONE. This is the OG that will contain all the COPE devices that enroll, and the same OG in which you later manage the smart groups used to deliver device profiles, compliance policies, apps, and other content to COPE devices.

  2. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Restrictions tab.

  3. Scroll down to Management Requirements for Workspace ONE and select your configuration options. If necessary, select Override to replace the parent OG's settings.


    • Require MDM for Workspace ONE: Prompts qualified devices and users to enroll immediately upon logging in to Workspace ONE. Devices outside the defined criteria are allowed to enroll in an unmanaged state and can come under management later (Adaptive Management).
    • Assigned User Group: Specifies the user group you want to include in the direct enrollment process. You can also select All Users, which is the default selection when you enable Require MDM for Workspace ONE.
    • iOS: Enable this setting to include iOS devices. When deactivated, iOS devices are not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.
    • Android Legacy: Enable this setting to include legacy Android devices. When deactivated, legacy Android devices are not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.
    • Android Enterprise: Enable this setting to include Android Enterprise devices. When deactivated, Android Enterprise devices are not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.

The remaining steps are for the end user to take. Sending your end users an email with detailed enrollment steps is the usual way to accomplish this.

  1. Direct the end user to download, install, and run the Workspace ONE app from the platform-specific app store or repository.
  2. Enter the server URL or email address. You can include this information in the enrollment email to end users.
  3. Enter your directory services user name and password.
  4. Install or enable Workspace Services by completing the steps specific to your platform.
    1. iOS – allow the server to open Settings, enter your device passcode, install an unsigned device profile, and open a screen in Workspace.
    2. Android Legacy – install Workspace ONE Intelligent Hub, allow it to make and manage phone calls, select the ownership type for your device with an option to enter the device asset number, activate the device admin application, then sign in to Workspace ONE.
    3. Android Enterprise – Accept (or decline) the terms of use agreement, set up the work profile, and create the Workspace ONE passcode.
  5. When Workspace ONE finishes the install routine, end users can Continue to install apps.
  6. End users can install individual apps selected from a list, Install all, or Skip this step entirely.

Workspace ONE Direct Enrollment Supported Options

Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment, select each applicable tab, and make your selections based on compatibility with Workspace ONE Direct Enrollment.

Authentication

The following authentication options are compatible with Workspace ONE Direct Enrollment.

  • Directory Users.
  • SAML plus Active Directory Users are supported "on-the-fly". SAML without LDAP users is supported so long as the user record pre-exists in Workspace ONE UEM at the time of initial log in.
  • Basic Users, Staging Users, SAML without Directory Users, and Authentication Proxy users are not currently supported.
  • Open Enrollment.
  • Workspace ONE does not audit the Require Workspace ONE Intelligent Hub for iOS or macOS settings, which are used to block web enrollment on their respective platforms.

Terms of Use

All terms of use options are compatible with Workspace ONE Direct Enrollment.

Grouping

All grouping options are compatible with Workspace ONE Direct Enrollment.

Restrictions

The following restrictions options are compatible with Workspace ONE Direct Enrollment.

  • Known Users and Configured Groups.
  • Maximum Enrolled Device Limit.
  • Policy settings are partially supported.
    • Allowed Ownership Types – Workspace ONE only prompts for employee-owned and Corporate Dedicated. If you do not want either, deactivate optional prompt and use the default ownership type.
    • Allowed Enrollment Types are not supported.
  • Device Platform, Device Model, and OS Restrictions are supported.
  • User Group Restrictions.

Optional Prompts

The following optional prompts options are compatible with Workspace ONE Direct Enrollment.

  • Prompt for Device Ownership.
  • Prompt for Asset Number (supported only when Prompt for Device Ownership is enabled).
  • All other optional prompts are not supported.

Customization

The following customization options are compatible with Workspace ONE Direct Enrollment.

  • Use specific Message Template for each Platform.
  • Post-enrollment Landing URL (iOS only).
  • MDM Profile Message (iOS only).
  • Use Custom MDM Applications.
  • Enrollment Support Email and Enrollment Support Phone are not supported.

Staging

Device staging in this COPE model using the Direct Enrollment process is not supported. If you must stage a device, whether for single or multiple users, you must enroll the device using Workspace ONE Intelligent Hub with the following platform-specific configurations:

Shared Devices
