Configure Enrollment Options
You can customize your enrollment workflow by incorporating advanced options available in Workspace ONE UEM.
Access more enrollment options by navigating to Devices > Devices Settings > Devices & Users > General > Enrollment.
Configure Enrollment Options on Authentication Tab
| Setting | Description |
|---|---|
| Add Email Domain | This button is used for setting up the Auto-Discovery Service to register email domains to your environment. |
| Authentication Mode(s) | Select the allowed authentication types, which include: * Basic – Basic user accounts (ones you create manually in the UEM console) can enroll. * Directory – Directory user accounts (ones that you have imported or allowed using directory service integration) can enroll. Workspace ONE Direct Enrollment supports Directory users with or without SAML. * Authentication Proxy – Allows users to enroll using Authentication Proxy user accounts. Users authenticate to a web endpoint. ** Enter Authentication Proxy URL, Authentication Proxy URL Backup, and Authentication Method Type (choose between HTTP Basic and Exchange ActiveSync). |
| Source of Authentication for Intelligent Hub | Select the system the Intelligent Hub service uses as its source for users and authentication policies. * Workspace ONE UEM – Select this setting if you want Hub Services to use Workspace ONE UEM as the source of users and auth policies. When you configure the Hub Configuration page for Hub Services, enter the Hub Services tenant URL. * Workspace ONE Access – Select this setting if you want Hub Services to use Workspace ONE Access as the source of users and auth policies. When you configure the Hub Configuration page for Hub Services, enter the Workspace ONE Access tenant URL. For details about Workspace ONE Intelligent Hub, see the VMware Workspace ONE Hub Services Documentation. For details about Workspace ONE Access, see the VMware Workspace ONE Access Documentation. |
| Devices Enrollment Mode | Select the preferred device enrollment mode, which includes: * Open Enrollment – Essentially allows anyone meeting the other enrollment criteria (authentication mode, restrictions, and so on) to enroll. Workspace ONE Direct Enrollment supports open enrollment. * Registered Devices Only – Only allowed users to enroll using devices you or they have registered. Device registration is the process of adding corporate devices to the UEM console before they are enrolled. Workspace ONE Direct Enrollment supports allowing only registered devices to enroll but only if registration tokens are not required. |
| Require Registration Token | Visible only when Registered Devices Only is selected as Devices Enrollment Mode. If you restrict enrollment to registered devices only, you also have the option of requiring a registration token to be used for enrollment. This increases security by confirming that a particular user is authorized to enroll. You can send an email or SMS message with the enrollment token attached to users with Workspace ONE UEM accounts. |
| User Enrollment for iOS 13+ and macOS 10.15+ devices | Enabling this option allows any supported iOS or macOS devices enrolling at this organization group to enroll using Apple’s User Enrollment with the user’s Managed Apple ID. |
| Require Intelligent Hub Enrollment for iOS | Select this check box to require iOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment is available. |
| Require Intelligent Hub Enrollment for macOS | Select this check box to require macOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment is available. |
Configure Enrollment Options on Management Mode Tab
Devices enrolled with Workspace ONE Intelligent Hub are MDM managed by default. The Management Mode tab lets you target enrolled devices by platform for alternate management modes such as container or app level management. Enrollment can be enabled based on the following criteria when utilizing smart groups: OS Version, Ownership Type, and User Group. Use Adaptive Management app policies to control device management levels for iOS devices enrolled without management.
| Setting | Description |
|---|---|
| iOS | Enable to bypass MDM Management for iOS devices that enroll. |
| All iOS devices in this Organization Group | This option displays only when iOS is enabled above. Enable this option to configure alternate management mode for all iOS devices that enroll in the OG you are currently in. Otherwise, you must select an iOS-specific smart group. |
| iOS Smart Groups | tbd |
| Android | Enable to bypass MDM Management for Android devices that enroll. |
| All Android devices in this Organization Group | This option displays only when Android is enabled above. Enable this option to configure alternate management mode for all Android devices that enroll in the OG you are currently in. Otherwise, you must select an Android-specific smart group. |
| Android Smart Groups | tbd |
| Windows | Enable to bypass MDM Management for Windows devices that enroll. |
| All Windows devices in this Organization Group | This option displays only when Windows is enabled above. Enable this option to configure alternate management mode for all Windows devices that enroll in the OG you are currently in. Otherwise, you must select a Windows-specific smart group. |
| Windows Smart Groups | tbd |
Configure Enrollment Options on Hub Integration Tab
Hub Integration allows customers to enable or deactivate the Hub Services experience at any child OG level in the OG tree.
For more information, see Workspace ONE Hub Services Documentation.
| Setting | Description |
|---|---|
| Use Hub Services Features in Intelligent Hub | Enable to allow devices in this OG to connect to Workspace ONE Hub Services for features such as the Unified App Catalog, Support, end user Notifications, People, and Home tab. Deactivate to make devices behave in Management Mode (Agent Only Mode). For example, use Intelligent Hub and Workspace ONE Access for authentication but without Hub Services features, for use in rugged devices that are line of business. |
Configure Enrollment Options on Terms of Use Tab
The Terms of Use tab allows you to add and review terms of use as it pertains to enrollment. The Terms of Use tab can be found by navigating to Devices > Device Settings > Devices & Users > General > Enrollment.
| Setting | Description |
|---|---|
| Require Enrollment Terms of Use Acceptance | Enable this setting to require the acceptance of a term of use agreement at enrollment time. |
| Add New Enrollment Terms of Use | Select to initiate the addition of a term of use agreement for enrollment purposes. |
Important: If you enable Require Enrollment Terms of Use Acceptance, you must create a Terms of Use or Windows Desktop devices might fail to enroll.
Configure Enrollment Options on Grouping Tab
The Grouping tab allows you to view and specify basic information regarding organization groups and Group IDs for end users. Enable Group ID Assignment Mode to select how the Workspace ONE UEM environment assigns Group IDs to users.
The Grouping tab can be found by navigating to Devices > Device Settings > Devices & Users > General > Enrollment.
Group ID Assignment Mode
Workspace ONE Direct Enrollment supports all assignment modes.
- Default - Select this option if users are provided with Group IDs for enrollment. The Group ID used determines what organization group the user is assigned to.
- Prompt User to Select Group ID - Enable this option to allow directory service users to select a Group ID from a list upon enrollment. The Group ID Assignment section lists available organization groups and their associated Group IDs. This listing does not require you to perform group assignment mapping, but does mean users have the potential to select an incorrect Group ID.
-
Automatically Select Based on User Group - This option only applies if you are integrating with user groups. Enable this option to ensure that users are automatically assigned to organization groups based on their directory service group assignments.
The Group Assignment Settings section lists all the organization groups for the environment and their associated directory service user groups.
Select the Edit Group Assignment button to modify the organization group/user group associations and set the rank of precedence each group has.
For example, you have three groups, Executive, Sales, and Global, which are ranked in order of job role. Everyone is a member of Global, so if you were to rank that user group first, it puts all your users into a single organization group.
Instead, if you rank Executives first, you ensure the small number of people belonging to that group are placed in their own organization group. Then rank Sales second, and you ensure that all Sales employees are placed in an organization group specific to sales. Rank Global last and anyone not already assigned to a group is placed in a separate organization group.
Default
| Setting | Description |
|---|---|
| Default Device Ownership | Select the default device ownership of devices enrollment into the current organization group. Workspace ONE Direct Enrollment supports setting a default device ownership. |
| Default Role | Select the default roles assigned to users at the current organization group, which can affect access to the Self-Service Portal. 1. Full Access - Grants users with access to higher SSP functions such as install/remove profiles and apps, reset passcodes, send device messages, and write-access to content. 2. Basic Access - Grants users with a low impact access. They can register their own device, view-only (but not install) profiles and apps, view their own account, and query and find their own device. 3. External Access - Users with External Access have all the abilities as basic access users but they also have read-only access to content on the SSP that is explicitly shared with them. Workspace ONE Direct Enrollment supports setting a default role. |
| Default Action for Inactive Users | Select the default action that impacts Active Directory users if their devices become inactive. Processing of accounts is always user-centric over device-centric. This fact means the processing behavior applied to devices is based upon settings for the OG where the user is managed, not the device. Workspace ONE Direct Enrollment supports setting a default action for inactive users. |
Use Group Sync
| Setting | Description |
|---|---|
| Sync User Groups in Real Time for Workspace ONE | Workspace ONE can sync user groups for a given user as they register with the UEM console. Enabled by default, this feature is most effective when user groups are being used with great frequency for app assignment, profile assignment, policy assignment, or user mapping. This feature is CPU-intensive so unless your use case is similar to the above, deactivate this setting for improved performance and to prevent latency issues while launching the Workspace ONE application. |
Use Role Mapping
| Setting | Description |
|---|---|
| Enable Directory Group-Based Mapping | Select this box to enable ranked assignments that link a directory user group to a specific Workspace ONE UEM role. Users belonging to a particular group are assigned the associated roles. If they belong to more than one group, they take the highest ranked pairing. You can edit the order in which role-infused user groups are ranked by selecting the Edit assignment button. Workspace ONE Direct Enrollment supports directory group-based mapping. |
Configure Enrollment Options on Optional Prompt Tab
On the Optional Prompt tab, you can decide to request extra device information, or present optional messages regarding enrollment and MDM information to the user.
Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Optional Prompt tab.
Specific instructions for configuring messages, templates, and notifications follow after the table below.
| Setting | Description |
|---|---|
| Prompt for Device Ownership Type | You can prompt the end user to select their device ownership type. Otherwise, configure a default device ownership type for the current organization group. Workspace ONE Direct Enrollment supports prompting for device ownership type. |
| Display Welcome Message | You can display a welcome message for your users early in the device enrollment process. You can configure both the header and the body of this welcome message by navigating to System > Localization > Localization Editor. Next, select the labels ‘EnrollmentWelcomeMessageHeader’ and ‘EnrollmentWelcomeMessageBody’ respectively. |
| Display MDM Installation Message | You can display a message for your users during the device enrollment process. You can configure both the header and the body of this MDM installation message by navigating to System > Localization > Localization Editor. Next, select the labels ‘EnrollmentMdmInstallationMessageHeader’ and ‘EnrollmentMdmInstallationMessageBody’ respectively. If you opt to customize your own header and body messages using the Localization Editor, you must opt to ‘Override’ in the Current Setting option. Doing so ensures that your customizations are used instead of the default messages. In addition to making one-off localization changes, you can also make localization changes in bulk by uploading an edited comma-separated values (CSV) file. Download this localization template CSV file by navigating to System > Localization > Localization Editor and select the Modify button. Edit the file per your preferences to affect bulk localization changes and upload it using the same screen. |
| Enable Enrollment Email Prompt | You can prompt the user to enter their email credentials during enrollment. The Enrollment Email Prompt requests the email address from the end user to populate that option in the user record automatically. This data is beneficial to organizations deploying email to devices using the {EmailAddress} lookup value. |
| Enable Device Asset Number Prompt | You can prompt the user to enter the device asset number during enrollment. Workspace ONE Direct Enrollment supports enrollment email prompts but only when Prompt for Device Ownership Type is enabled and only for Corporate Owned devices. |
| Display Enrollment Transition Messages (Android Only) | You can display or hide enrollment messages on Android devices. |
| Enable the Status Tracking Page for OOBE | Enable this setting to display the status tracking page during the Out of Box Enrollment (OOBE) which displays the provisioning status of the device and informs the user which apps, resources, and policies have been installed. |
| Enable TLS Mutual Auth for Windows | You can force Windows Devices to use endpoints secured by TLS Mutual Authentication which requires an extra setup and configuration. Contact Support for assistance. |
| Display Authentication Screen Message (Windows Only) | You can provide your device end users with a customized log in hint about what they must use to enroll into the Workspace ONE UEM console. For example, if their enrollment authentication for UEM is the same as their Active Directory credentials, then you can include that as a hint. You can also include a link they can click to get help. This feature is currently supported by Windows devices only. You must provide your own localization by including translations of the hint in the same text box. |
Create a Custom Enrollment Message
You can customize messages related to enrollment of a device and any future Mobile Device Management (MDM) prompts sent to a device.
- Navigate to Devices > Device Settings > General > Enrollment and select the Customization tab.
- Select Use specific Message Template for each Platform and select a device activation message template from the drop-down for each platform. Make a new message template by following the steps in the Create Message Templates section under this section.
- For iOS devices, optionally configure the following.
- Enter a post-enrollment landing URL for iOS devices.
- Enter an MDM Profile message for iOS devices, which is the message displayed in the install prompt for the MDM profile upon enrollment.
- Select Save.
Create Message Templates
You can create your own library of message templates customized by platform to cover the variety of scenarios you might encounter including enrollment.
- Navigate to Devices > Device Settings > General > Message Templates and select Add.
- Set the Category drop-down menu to match the category of your template. Options include Administrator, Application, Compliance, Content, Device Lifecycle, Enrollment, and Terms of Use.
- Set the Type that best corresponds to the subcategory. The Type drop-down menu options depend upon the Category setting.
- Set the Select Language drop-down menu. Only languages based on the currently active locale are displayed. Select the Add button to add languages.
- Select the Default check box if you want the template to be the default template for the selected Category.
- Select the Message Type for the template. The options are Email, SMS, and Push notification.
- In order for SMS notifications to work with your device fleet, you must have an account with a 3rd party Gateway provider and configure the Gateway settings. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > SMS and complete the options described in SMS Settings.
- Compose your Email message by entering text to the Message Body text box.
- The Plain Text option features only a monospaced serif font (Courier) with no formatting options.
- The HTML option enables a Rich Text editing environment including fonts, formatting, heading levels, bullets, indentation, paragraph justification, subscript, superscript, image, and hyperlink capability. The HTML environment supports basic HTML coding using the Show Source button which you can use to toggle between the Rich Text and source views.
- Save your template by selecting the Save button.
Configure Lifecycle Notifications
Lifecycle Notifications enable you to deliver customized messages after specific events during the lifecycle of a device, including enrollment and unenrollment.
This optional setting can be configured by navigating to Devices > Lifecycle > Settings > Notifications and entering the following options for the following sections.
- Device Unenrolled - Send an email notification when a device unenrolls.
- Device Enrolled Successfully - Send an email notification when a device enrolls successfully.
- Device Blocked by Enrollment Restriction - Send an email notification if an enrollment restriction blocks a device. You can configure this behavior by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and selecting the Restrictions tab.
Send Email To
- None – Send no confirmation email upon a successful device block, enrollment, or unenrollment.
- User – Send a confirmation email to the device user informing them of the successful device block, enrollment, or unenrollment.
- CC - Send the same confirmation email to a single email address or multiple, comma-separated email addresses.
- Message Template – Select the desired message template from the drop-down listing. You can add a new message template or edit an existing template by selecting the “Click here…” hyperlink that takes you to the Devices & Users > General > Message Templates settings page.
- Administrator – Send a confirmation email to the Workspace ONE UEM administrator informing them of the successful device block, enrollment, or unenrollment.
- To – Send the same confirmation email to a single email address or multiple, comma-separated email addresses.
Configure Enrollment Options on Customization Tab
You can provide an extra level of end-user support, including email and phone number, by configuring the Customization tab. Such a support level is valuable when users are unable to enroll their device for any reason.
The Customization tab can be found by navigating to Devices > Device Settings > Devices & Users > General > Enrollment.
| Setting | Description |
|---|---|
| Use specific Message Template for each Platform | If enabled, you can select a unique message template for each platform. The provided link displays the Message Template page, allowing you to begin creating templates immediately. Workspace ONE ™ Direct Enrollment supports platform-specific message templates. |
| Enrollment Support Email | Enter the support email address. |
| Enrollment Support Phone | Enter the support phone number. |
| Post-Enrollment Landing URL (iOS only) | You can provide a post-enrollment landing URL that the end user is brought to upon a successful enrollment. This URL can be a company resource, such as a company website or login screen leading to more resources. Workspace ONE Direct Enrollment supports post-enrollment landing URLs. |
| MDM Profile Message (iOS only) | For iOS devices only, this text box is for a message that appears during enrollment. You can specify a message with a maximum of 255 characters. Workspace ONE Direct Enrollment supports iOS-only MDM profile messages. |
| Use Custom MDM Applications | Displays a link which opens the App Groups Listing page. This link is labeled Application Groups. Workspace ONE Direct Enrollment supports custom MDM apps. |
Parent topic: Device Enrollment
