Meeting application server prerequisites is essential to a successful Workspace ONE UEM installation. Learn more about all requirements for your hardware, network, software, Server Manager roles, RDP, and VM Access to Application Servers, and Service account permissions.

Meet the application server prerequisites before installing the application server. The prerequisites listed here apply to any application server you plan to install.

Hardware Requirements

A Workspace ONE UEM installation can involve many servers, and the exact specifications depend on the size and needs of your deployment. Gather this information before proceeding so you size your servers correctly. Read through the Workspace ONE UEM Recommended Architecture Guide, available at, for hardware sizing information and other technical details that ensure the smooth operation of your Workspace ONE UEM solution.

Network Requirements

Review all the network requirements as outlined in the Workspace ONE UEM Recommended Architecture Guide. These requirements include the firewall ports that must be opened for Workspace ONE UEM to function properly.

Software Requirements

Ensure that you meet the following software requirements for the application servers:

  • Internet Explorer 9+ installed on all application servers
  • Branch Cache enabled on all application servers
  • Windows Server 2016, Windows Server 2019 Desktop Experience, or Windows Server 2022
  • .NET Framework 4.8. The .NET Framework 4.8 web installer is packaged with the Workspace ONE UEM installer and installs automatically if it is not already present.
  • NET Core 3.1.1. The minimum supported .NET Core version is 3.1.1.
  • PowerShell version 5.0+ if you are deploying the PowerShell MEM-direct model for email. To verify your version, open PowerShell and run the command $PSVersionTable. More details on PowerShell and other email models are available in the Workspace ONE UEM Mobile Email Management Guide, available at
  • If you plan to use an Active Directory service account for SQL authentication to the Workspace ONE UEM database, then the Workspace ONE UEM application server must be joined to the domain. This AD service account must have administrator-level permissions for each application server.
  • URL Rewrite 2.0. The correct URL Rewrite version will download and install as part of the installation process if it is not present.
  • Enable the following cipher suites based on the server version of the application servers to communicate with Apple for the new HTTP/2 change that went into effect in 2021:
    • “TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384” (Windows Server 2016 and later) - Handled by a crypto library in the product for operating systems that do not support it.

Proxy Requirements

The Workspace ONE UEM servers can be configured with a proxy/PAC file for outbound Internet access.

Apple APNs traffic is not HTTP traffic, and is not authorized through traditional HTTP proxies. This traffic must go straight out to the Internet or through an application/SOCKS proxy. If you are performing outbound proxying of APNs messages, then your proxy application must support SOCKS V5, SOCKS V4, and SOCKS V4a are not supported.

To verify the integrity of Android devices and ensure that they are not compromised, the Workspace ONE UEM Device Services application uses Google's SafetyNet Attestation API. To do so, it makes outbound API calls to Google servers. In on-premises environments, organizations might choose to only allow the Device Services application to make outbound connections through a proxy. In these cases, customers must configure the proxy settings at the application level in the Workspace ONE UEM Console and the outbound proxy at the system level for the Windows server that hosts the Device Services application. If the Windows server is unable to make outbound connections to the required Google endpoints, then the SafetyNet Health Attestation fails.

Install Role from Server Manager

Ensure that you meet the following IIS requirements, depending on your Windows Server version:

  • IIS 10.0 (Server 2016)
  • IIS 10.0 (Windows Server 2019 Desktop Experience)

Configure the BranchCache only on Device Services servers.

See additional information on the required roles and features under Configure your Application Servers.

RDP and VM Access to Application Servers

You must have remote access to the servers that Workspace ONE UEM is installed on. Verify this access before attempting to install Workspace ONE UEM servers.

Permissions of Workspace ONE UEM Service Accounts

The service account you create for Workspace ONE UEM needs the appropriate permissions to integrate with your back end systems. The account can be one service account that has all required access. Verify the connectivity between your Workspace ONE UEM service account and your backend systems.