As the admin, you determine which users and devices are allowed to enroll in Workspace ONE UEM. Options include authentication, management mode, Intelligent Hub, terms of use, grouping, restrictions, optional prompts, and customizations.

Configure Enrollment settings by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment.

What can you do with the Workspace ONE UEM Enrollment settings page?

The Enrollment settings page allows you to:
  • Choose between basic and directory authentication, which is a foundational decision that determines how the device operates and how it is managed. For more information, see Basic vs. Directory Services Enrollment.
  • Select whether your organization 1) offers an open enrollment (where any device with an invitation can enroll) or 2) offers a restricted enrollment (where you compile a list of registered devices and only those devices are allowed to enroll).
  • Select whether you manage devices with Hub Services or MDM. Furthermore, you can fine tune this decision on a per device basis using smart groups.
  • Make agreement with the terms of use (which you and your organization author) a prerequisite to device enrollment. This protects your organization legally.
  • Leverage any user groups you may have already defined in your active directory and automatically route those devices into corresponding UEM user groups immediately upon enrollment. You can optionally synchronize your AD user groups with your UEM user groups, although this option is very CPU-intensive.
  • Select defaults for...
    • ...device ownership (BYOD, COPE).
    • ...user role, which is a predetermined list of things a device user, managed by UEM, can actually do. Optionally, you can automatically assign user role based upon what user group they belong to at enrollment time.
    • ...what action to take when a user becomes inactive.
  • Restrict device enrollment in several ways.
    • ...accept only users your organization knows.
    • ...accept only users that belong to a certain user group.
    • ...set a limit to the number of devices in a specific organization group.
  • Make personalized prompts that appear on the device as it enrolls, which fosters good communication between you and your users.
  • Customize messaging to be platform-specific and include convenience options like email contact, support phone number, and post-enrollment landing URL.
  • Save all these settings as a policy and over time, build a library of policies, each with their own settings that you can make active, for example, during hiring sprees.

Determine your Organizational group hierarchy

Before you review and modify settings, understand the two types of inheritance/override options for the organization group hierarchy available at the top and bottom of the settings page and determine your choices. For more information about these settings, see Override Versus Inherit Setting for Organization Groups.

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Authentication Tab

Setting Description
Add Email Domain This button is used for setting up the Auto-Discovery Service to register email domains to your environment.
Authentication Mode(s)

Select the allowed authentication types, which include:

  • Basic – Basic user accounts (ones you create manually in the UEM console) can enroll.
  • Directory – Directory user accounts (ones that you have imported or allowed using directory service integration) can enroll. Workspace ONE Direct Enrollment supports Directory users with or without SAML.
  • Authentication Proxy – Allows users to enroll using Authentication Proxy user accounts. Users authenticate to a web endpoint.
    • Enter Authentication Proxy URL, Authentication Proxy URL Backup, and Authentication Method Type (choose between HTTP Basic and Exchange ActiveSync).
Source of Authentication for Intelligent Hub

Select the system the Intelligent Hub service uses as its source for users and authentication policies.

  • Workspace ONE UEM – Select this setting if you want Hub Services to use Workspace ONE UEM as the source of users and auth policies.

    When you configure the Hub Configuration page for Hub Services, enter the Hub Services tenant URL.

  • Workspace ONE Access – Select this setting if you want Hub Services to use Workspace ONE Access as the source of users and auth policies.

    When you configure the Hub Configuration page for Hub Services, enter the Workspace ONE Access tenant URL.

    Note: If you enable Workspace ONE Access as the source of authentication for Intelligent Hub, and you use a command line to enroll for staging purposes, then this configuration is bypassed in favor of the credentials supplied in the command line.

For details about Workspace ONE Intelligent Hub, see the VMware Workspace ONE Hub Services Documentation.

For details about Workspace ONE Access, see the VMware Workspace ONE Access Documentation.

Devices Enrollment Mode

Select the preferred device enrollment mode, which includes:

  • Open Enrollment – Essentially allows anyone meeting the other enrollment criteria (authentication mode, restrictions, and so on) to enroll. Workspace ONE Direct Enrollment supports open enrollment.
  • Registered Devices Only – Only allowed users to enroll using devices you or they have registered. Device registration is the process of adding corporate devices to the UEM console before they are enrolled. Workspace ONE Direct Enrollment supports allowing only registered devices to enroll but only if registration tokens are not required.
Require Registration Token

Visible only when Registered Devices Only is selected.

If you restrict enrollment to registered devices only, you also have the option of requiring a registration token to be used for enrollment. This increases security by confirming that a particular user is authorized to enroll. You can send an email or SMS message with the enrollment token attached to users with Workspace ONE UEM accounts.

Require Intelligent Hub Enrollment for iOS Select this check box to require iOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment is available.
Require Intelligent Hub Enrollment for macOS Select this check box to require macOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment is available.

Management Mode Tab

Devices enrolled through Intelligent Hub are MDM managed by default. Enable and select the appropriate groups below to allow devices to enroll without MDM management. Enrollment can be enabled based on the following criteria when utilizing smart groups: OS Version, Ownership Type, and User Group. Use Adaptive Management app policies to control device management levels for iOS devices enrolled without management.

Setting Description
iOS Enable iOS devices managed with Hub Services to enroll without being MDM managed.
Android Enable Android devices managed with Hub Services to enroll without being MDM managed.
Windows Enable Windows devices managed with Hub Services to enroll without being MDM managed.

Hub Integration Tab

Configure Hub Services through the Intelligent Hub to enable integration options.

Setting Description
Use Hub Services Features in Intelligent Hub Enable to allow devices in this OG to connect to Workspace ONE Hub Services for features such as App Catalog and People.

Terms of Use Tab

Setting Description
Require Enrollment Terms of Use Acceptance

Require that end users accept an end user license agreement (terms of service) at some point during the enrollment process.

Terms of use is fully supported by Workspace ONE Direct Enrollment.

Add New Enrollment Terms of Use

Click this button to open the Terms of Use dialog, where you can quickly create a custom enrollment terms of use message.

For more information on creating an enrollment terms of use, see the Terms of Use section of the VMware AirWatch Mobile Device Management Guide, available on docs.vmware.com.

Grouping Tab

Setting Description
Group ID Assignment Mode

Workspace ONE Direct Enrollment supports all assignment modes.

  • Default - Select this option if users are provided with Group IDs for enrollment. The Group ID used determines what organization group the user is assigned to.
  • Prompt User to Select Group ID - Enable this option to allow directory service users to select a Group ID from a list upon enrollment. The Group ID Assignment section lists available organization groups and their associated Group IDs. This listing does not require you to perform group assignment mapping, but does mean users have the potential to select an incorrect Group ID.
  • Automatically Select Based on User Group - This option only applies if you are integrating with user groups. Enable this option to ensure that users are automatically assigned to organization groups based on their directory service group assignments.

    The Group Assignment Settings section lists all the organization groups for the environment and their associated directory service user groups.

    Select the Edit Group Assignment button to modify the organization group/user group associations and set the rank of precedence each group has.

    For example, you have three groups, Executive, Sales, and Global, which are ranked in order of job role. Everyone is a member of Global, so if you were to rank that user group first, it puts all your users into a single organization group.

    Instead, if you rank Executives first, you ensure the small number of people belonging to that group are placed in their own organization group. Then rank Sales second, and you ensure that all Sales employees are placed in an organization group specific to sales. Rank Global last and anyone not already assigned to a group is placed in a separate organization group.

Default

Setting Description
Default Device Ownership

Select the default Device Ownership of devices enrollment into the current organization group.

Workspace ONE Direct Enrollment supports setting a default device ownership.

Default Role

Select the default roles assigned to users at the current organization group, which can affect access to the Self-Service Portal.

Workspace ONE Direct Enrollment supports setting a default role.

Default Action for Inactive Users

Select the default action that impacts Active Directory users if their devices become inactive.

Workspace ONE Direct Enrollment supports setting a default action for inactive users.

User Group Sync

Setting Description
Sync User Groups in Real Time for Workspace ONE

Workspace ONE can sync user groups for a given user as they register with the UEM console.

Enabled by default, this feature is most effective when user groups are being used with great frequency for app assignment, profile assignment, policy assignment, or user mapping.

This feature is CPU-intensive so unless your use case is similar to the above, disable this setting for improved performance and to prevent latency issues while launching the Workspace ONE application.

User Role Mapping

Setting Description
Enable Directory Group-Based Mapping

Select this box to enable ranked assignments that link a directory user group to a specific Workspace ONE UEM role. Users belonging to a particular group are assigned the associated roles. If they belong to more than one group, they take the highest ranked pairing.

You can edit the order in which role-infused user groups are ranked by selecting the Edit assignment button.

Workspace ONE Direct Enrollment supports directory group-based mapping.

Restrictions Tab

Enrollment Restrictions

Setting Description
User Access Control

Workspace ONE Direct Enrollment supports all user access control options.

Restrict Enrollment to Known Users – Enable to restrict enrollment only to users that exist in the UEM console. This restriction applies to directory users you manually added to the UEM console one by one or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll. This option enables you to be selective about who can enroll.

You can allow all directory users who do not have accounts in the UEM console to enroll into Workspace ONE UEM by disabling this option. User accounts are automatically created during enrollment.

Restrict Enrollment to Configured Groups – Enable to restrict enrollment and only allow users belonging to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. Do not select this option if you have not integrated with your directory services user groups.
Note: Restricting Enrollment to Configured Groups is only supported with Just-In-Time (JIT) user enrollment when each of the following are true:
  • Workspace ONE UEM is configured as the source of authentication for Workspace ONE Intelligent Hub, which you configure by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Authentication tab.
  • SAML for authentication is deactivated for enrollment users. Configure this by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services and reference the Directory Services System Settings Documentation.

You can create Workspace ONE UEM user accounts during enrollment by disabling the option to allow all directory users to enroll. Select Enterprise Wipe devices of users that are removed from configured groups to automatically enterprise wipe devices. If All Groups is selected, devices not belonging to any user group are removed. If Selected Groups is selected, then devices not belonging to a particular user group are removed.

One option for integrating with user groups is to create an "MDM Approved" directory service group and import it to Workspace ONE UEM. After this import step, you can add existing directory service user groups to the "MDM Approved" group as they become eligible for Workspace ONE UEM.

Set limit for maximum enrolled devices at this OG and below

Enable and Enter Device Limit to limit the number of devices allowed to enroll in the current organization group (OG).

Workspace ONE Direct Enrollment supports this option.

Policy Settings

  • Add Policy – Click this button to add an enrollment restriction policy, which lets you define allowed ownership types, enrollment types, device limits, and more.
    Setting Description
    Enrollment Restriction Policy Name Enter a name for your enrollment restriction policy.
    OrganizationGroup Select an organization group from the drop-down menu. This is the OG to which your new enrollment restriction policy applies.
    Policy Type Select the type of enrollment restriction policy, which can be either Organization Group Default to apply to the selected organization group, or User Group Policy for specific User Groups through Group Assignment Settings on the Restrictions tab.
    AllowedOwnership Types

    Select whether to permit or prevent Corporate - Dedicated, Corporate - Shared, and Employee Owned devices.

    Workspace ONE Direct Enrollment only supports the ownership types Corporate Dedicated and Employee Owned.

    AllowedEnrollment Types Select whether to permit or prevent the enrollment of devices using MDM (Workspace ONE Intelligent Hub) and AirWatch Container (for iOS/Android) apps.
    Device Limit per User

    Select Unlimited to allow users to enroll as many devices as they want. Workspace ONE Direct Enrollment supports setting a device limit per user.

    Deselect this box to enter values for the Device Limit Per User section, to define the maximum number of devices per ownership type.

    • Maximum Devices Per User
    • Corporate Max Devices
    • Shared Max Devices
    • Employee Owned Max Devices
    Allowed DeviceTypes

    Select the Limit enrollment to specific platforms, models or operating systems check box to add additional device-specific restrictions.

    This option is supported by Workspace ONE Direct Enrollment.

    Device Level Restrictions Mode

    This option is only available if Limit enrollment to specific platforms, models or operating systems is selected in the Allowed Device Types option.

    Determine the kind of device limitations you should have.

    • Only allow listed device types (Allowlist) – Select this option to explicitly allow only devices matching the parameters you enter and to block everything else.
    • Block listed device types (Denylist) – Select this option to explicitly block devices matching the parameters you enter and to allow everything else.

    For either device-level restrictions mode, select Add Device Restriction to choose a Platform, Model, Manufacturer (specific to Android devices), or Operating System. You may also add a Device Limit per defined device restriction. You may add multiple device restrictions.

    You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.

    This option is supported by Workspace ONE Direct Enrollment.

Management Requirements for Workspace ONE

Require MDM for Workspace ONE - Enable this feature and set the applicable devices to receive an MDM profile and to get managed when they enroll through Workspace ONE.

Group Assignment Settings

  • Edit Group Policies – This button enables you to configure ranked assignments that link a directory user group to a specific Workspace ONE UEM enrollment restriction policy. Users belonging to a particular group must adhere to the associated restriction policy. If they belong to more than one group they will take the highest ranked pairing.

Optional Prompt Tab

The optional prompt settings let you configure various prompts that you set to display or not display during device enrollment. These optional prompts are web-based and are therefore cross-platform unless otherwise specified.

Setting Description
Prompt for Device Ownership Type

You can prompt the end user to select their device ownership type. Otherwise, configure a default device ownership type for the current organization group.

Workspace ONE Direct Enrollment supports prompting for device ownership type.

Display Welcome Message

You can display a welcome message for your users early in the device enrollment process. You can configure both the header and the body of this welcome message by navigating to System > Localization > Localization Editor. Next, select the labels 'EnrollmentWelcomeMessageHeader' and 'EnrollmentWelcomeMessageBody' respectively.

Display MDM Installation Message

You can display a message for your users during the device enrollment process. You can configure both the header and the body of this MDM installation message by navigating to System > Localization > Localization Editor. Next, select the labels 'EnrollmentMdmInstallationMessageHeader' and 'EnrollmentMdmInstallationMessageBody' respectively.

If you opt to customize your own header and body messages using the Localization Editor, you must opt to 'Override' in the Current Setting option. Doing so ensures that your customizations are used instead of the default messages.

In addition to making one-off localization changes, you can also make localization changes in bulk by uploading an edited comma-separated values (CSV) file. Download this localization template CSV file by navigating to System > Localization > Localization Editor and select the Modify button. Edit the file per your preferences to affect bulk localization changes and upload it using the same screen.

Enable Enrollment Email Prompt

You can prompt the user to enter their email credentials during enrollment.

The Enrollment Email Prompt requests the email address from the end user to populate that option in the user record automatically. This data is beneficial to organizations deploying email to devices using the {EmailAddress} lookup value.

Enable Device Asset Number Prompt

You can prompt the user to enter the device asset number during enrollment.

Workspace ONE Direct Enrollment supports enrollment email prompts but only when Prompt for Device Ownership Type is enabled and only for Corporate Owned devices.

Display Enrollment Transition Messages (Android Only)

You can display or hide enrollment messages on Android devices.

Enable the Status Tracking Page for OOBE Enable this setting to display the status tracking page during the Out of Box Enrollment (OOBE) which displays the provisioning status of the device and informs the user which apps, resources, and policies have been installed.
Enable TLS Mutual Auth for Windows You can force Windows Devices to use endpoints secured by TLS Mutual Authentication which requires an extra setup and configuration. Contact Support for assistance.
Display Authentication Screen Message (Windows Only)

You can provide your device end users with a customized log in hint about what they must use to enroll into the Workspace ONE UEM console. For example, if their enrollment authentication for UEM is the same as their Active Directory credentials, then you can include that as a hint. You can also include a link they can click to get help. This feature is currently supported by Windows devices only.

You must provide your own localization by including translations of the hint in the same text box.

Customization Tab

Setting Description
Use specific Message Template for each Platform

Select this check box to use different enrollment message templates for the different platforms.

This option is supported by Workspace ONE Direct Enrollment.

Enrollment Support Email Enter the contact email for MDM support which will be displayed to users during enrollment.
Enrollment Support Phone Enter the contact phone number for MDM support which will be displayed to users during enrollment.
Post-Enrollment Landing URL (iOS Only)

Enter the URL of the webpage you want end users redirected to after they enroll their devices. This field can be blank.

This option is supported by Workspace ONE Direct Enrollment.

MDM Profile Message (iOS Only)

Enter the message you would like your users to see during the install MDM prompt. This field is optional and can be left blank.

This option is supported by Workspace ONE Direct Enrollment.

Use Custom MDM Applications

Configure MDM Apps by adding them as managed applications and assigning them to MDM application groups.

This option is supported by Workspace ONE Direct Enrollment.