When integrating Workspace ONE UEM with directory services, you can determine which users can enroll devices into your corporate deployment.

You can restrict enrollment to only known users or to configured groups. Known users are users that exist in the UEM console. Configured groups are users associated to directory service groups if you opt to integrate with user groups. You can also limit the number of devices enrolled per organization group and save restrictions as a reusable policy.

These options are available by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and selecting the Restrictions tab. The Restrictions tab allows you to customize enrollment restriction policies by organization group and user group roles.

  • Create and assign existing enrollment Restrictions policies using the Policy Settings.
  • Assign the policy to a user group under the Group Assignment Settings area.
  • Blacklist or whitelist devices by platform, operating system, UDID, IMEI, and so on.

For information about integrating your directory services groups with Workspace ONE UEM, see Map Directory Services Group Information.

Setting Description
User Access Control

All user access control options are supported by Workspace ONE Direct Enrollment.

Restrict Enrollment to Known Users – Enable to restrict enrollment only to users that already exist in the UEM console. This applies to directory users you manually added to the UEM console one by one or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll. This enables you to selectively allow users to enroll.

Disable this option to allow all directory users who do not already exist in the UEM console to enroll into Workspace ONE UEM. User accounts are automatically created during enrollment.

Restrict Enrollment to Configured Groups – Enable to restrict enrollment and only allow users belonging to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. You should not select this option if you have not integrated with your directory services user groups.

Disable this option to allow all directory users to create new Workspace ONE UEM user accounts during enrollment. In addition, you can select the Enterprise Wipe devices of users that are removed from configured groups option to automatically enterprise wipe any devices not belonging to any user group (if All Groups is selected) or a particular user group (if Selected Groups is selected).

One option for integrating with user groups is to create an "MDM Approved" directory service group, import it to Workspace ONE UEM, then add existing directory service user groups to the "MDM Approved" group as they become eligible for Workspace ONE UEM.

Set limit for maximum enrolled devices at this OG and below

Enable and Enter Device Limit to limit the number of devices allowed to enroll in the current organization group (OG).

Setting a maximum enrolled devices is supported by Workspace ONE Direct Enrollment.


Restrictions do not apply for iOS devices enrolled through Apple's Device Enrollment Program (DEP), because the required device information is only received after the device has been enrolled.