The Enrollment settings page lets you configure several options related to device and user enrollment. It is divided into several tabs, which are detailed below. For additional information on the various enrollment methods and strategies, see Device Enrollment Overview.

Authentication Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
  • Add Email Domain – Opens the dialog for registering your email domains with the Auto-Discovery Service. For more information about the Auto-Discovery Service, see Autodiscovery Enrollment.
  • Authentication Mode(s) – Select the allowed authentication types, which include:
    • Basic – Basic user accounts (ones you create manually in the UEM console) can enroll.
    • Directory – Directory user accounts (ones that you have imported or allowed using directory service integration) can enroll. Workspace ONE Direct Enrollment supports Directory users with or without SAML.
    • Authentication Proxy – Allows users to enroll using Authentication Proxy user accounts. Users authenticate to a web endpoint.
  • Device Enrollment Mode – Select the preferred device enrollment mode, which includes:
    • Open Enrollment – Allows anyone who meets the other enrollment criteria (authentication mode, restrictions, and so on) to enroll. Workspace ONE Direct Enrollment supports open enrollment.
    • Registered Devices Only – Only allows users to enroll with devices that you or they have registered. Device registration is the process of adding corporate devices to the UEM console before they are enrolled. For more information on registering devices, refer to the Enrollment section of the VMware Workspace ONE UEM Mobile Device Management Guide. Workspace ONE Direct Enrollment supports allowing only registered devices to enroll, but only if registration tokens are not required.
  • Require Registration Token – Visible only when Registered Devices Only is selected. If you restrict enrollment to registered devices only, you can also require a registration token for enrollment. This increases security because the token confirms that a particular user is authorized to enroll the device. You can send the token to users with Workspace ONE UEM accounts by email or SMS.
  • Require Agent Enrollment for iOS – Select this check box to require iOS device users to download and install the AirWatch Agent before they can enroll.
  • Require Agent Enrollment for macOS – Select this check box to require macOS device users to download and install the AirWatch Agent before they can enroll.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Terms of Use Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
  • Require Enrollment Terms of Use Acceptance – Require that end users accept an end user license agreement (terms of use) at some point during the enrollment process. Terms of use are fully supported by Workspace ONE Direct Enrollment.
  • Add New Enrollment Terms of Use – Click this button to open the Terms of Use dialog, where you can quickly create a custom enrollment terms of use message. For more information on creating an enrollment terms of use, see the Terms of Use section of the VMware AirWatch Mobile Device Management Guide, available on docs.vmware.com.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Grouping Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
  • Group ID Assignment Mode – Select how enrolling users are assigned to an organization group. Workspace ONE Direct Enrollment supports all assignment modes.
    • Default – Select this option if users are provided with Group IDs for enrollment. The Group ID used determines what organization group the user is assigned to.
    • Prompt User to Select Group ID – Enable this option to allow directory service users to select a Group ID from a list upon enrollment. The Group ID Assignment section lists the available organization groups and their associated Group IDs. This listing does not require you to perform group assignment mapping, but it does mean users have the potential to select an incorrect Group ID.
    • Automatically Select Based on User Group – This option only applies if you are integrating with user groups. Enable this option to assign users to organization groups automatically based on their directory service group memberships.

      The Group Assignment Settings section lists all the organization groups for the environment and their associated directory service user groups.

      Select the Edit Group Assignment button to modify the organization group/user group associations and to set the rank of precedence each group has. A user who belongs to more than one mapped group is placed according to the highest-ranked pairing, so rank the most specific groups first.

      For example, you have three user groups, Executive, Sales, and Global, which are ranked in order of job role. Everyone is a member of Global, so if you rank that user group first, it puts all your users into a single organization group.

      Instead, if you rank Executive first, you ensure that the small number of people belonging to that group are placed in their own organization group. Rank Sales second, and all Sales employees who are not executives are placed in an organization group specific to sales. Rank Global last, and anyone not already assigned is placed in a separate organization group.

Default

  • Default Device Ownership – Select the default device ownership of devices enrolling into the current organization group. Workspace ONE Direct Enrollment supports setting a default device ownership.
  • Default Role – Select the default role assigned to users at the current organization group, which can affect access to the Self-Service Portal. Workspace ONE Direct Enrollment supports setting a default role.
  • Default Action for Inactive Users – Select the default action taken on Active Directory users whose devices become inactive. Workspace ONE Direct Enrollment supports setting a default action for inactive users.

User Group Sync

  • Sync User Groups in Real Time for Workspace ONE – Workspace ONE can sync the user groups of a given user as that user registers with the UEM console. Enabled by default, this feature is most useful when user groups are used heavily for app assignment, profile assignment, policy assignment, or user mapping. It is CPU-intensive, so unless your use case matches the above, disable this setting for improved performance and to prevent latency while launching the Workspace ONE application.

User Role Mapping

  • Enable Directory Group-Based Mapping – Select this check box to enable ranked assignments that link a directory user group to a specific Workspace ONE UEM role. Users belonging to a particular group are assigned the associated role. If they belong to more than one mapped group, they take the highest-ranked pairing. You can edit the order in which the role-mapped user groups are ranked by selecting the Edit assignment button. Workspace ONE Direct Enrollment supports directory group-based mapping.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Restrictions Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.

Enrollment Restrictions

  • User Access Control – All user access control options are supported by Workspace ONE Direct Enrollment.

    Restrict Enrollment to Known Users – Enable to restrict enrollment to users that already exist in the UEM console. This applies to directory users you added to the UEM console manually, one by one or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll, which lets you selectively allow users to enroll. Disable this option to allow directory users who do not yet exist in the UEM console to enroll into Workspace ONE UEM; their user accounts are created automatically during enrollment.

    Restrict Enrollment to Configured Groups – Enable to restrict enrollment to users belonging to All Groups or Selected Groups (if you have integrated with user groups). Do not select this option if you have not integrated with your directory service user groups. Disable this option to allow all directory users to create new Workspace ONE UEM user accounts during enrollment. In addition, you can select the Enterprise Wipe devices of users that are removed from configured groups option to automatically enterprise wipe the devices of any user who no longer belongs to any user group (if All Groups is selected) or to one of the selected user groups (if Selected Groups is selected).

    One option for integrating with user groups is to create an "MDM Approved" directory service group, import it to Workspace ONE UEM, and then add existing directory service user groups to the "MDM Approved" group as they become eligible for Workspace ONE UEM.

  • Set limit for maximum enrolled devices at this OG and below – Enable and enter a Device Limit to cap the number of devices allowed to enroll in the current organization group (OG) and its children. Setting a maximum number of enrolled devices is supported by Workspace ONE Direct Enrollment.
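The following is an added example, not Workspace ONE UEM code, that models how the two User Access Control options gate an enrolling user and which devices the Enterprise Wipe option would select when the configured-groups check stops passing for a user. It walks through the "MDM Approved" gating-group pattern described above. The data model, function names and the sample directory are assumptions made for illustration.

```python
"""Added example (not Workspace ONE UEM code): how the User Access Control options gate an
enrolling user, and which devices the Enterprise Wipe option would select when a user drops out
of the configured groups. Data model, function names and the sample directory are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UserAccessControl:
    restrict_to_known_users: bool = False        # Restrict Enrollment to Known Users
    restrict_to_configured_groups: bool = False  # Restrict Enrollment to Configured Groups
    selected_groups: Optional[Set[str]] = None   # None = All Groups; a set = Selected Groups
    wipe_when_removed: bool = False              # Enterprise Wipe devices of users removed from configured groups


@dataclass
class Directory:
    console_users: Set[str]                                         # accounts that already exist in the console
    memberships: Dict[str, Set[str]] = field(default_factory=dict)  # user -> directory user groups synced to UEM


def in_configured_groups(user: str, policy: UserAccessControl, directory: Directory) -> bool:
    groups = directory.memberships.get(user, set())
    if policy.selected_groups is None:           # All Groups: membership of any synced group is enough
        return bool(groups)
    return bool(groups & policy.selected_groups)


def may_enroll(user: str, policy: UserAccessControl, directory: Directory) -> Tuple[bool, str]:
    """Apply the two User Access Control restrictions to an enrolling directory user."""
    if policy.restrict_to_known_users and user not in directory.console_users:
        return False, "user does not exist in the UEM console"
    if policy.restrict_to_configured_groups and not in_configured_groups(user, policy, directory):
        return False, "user is not a member of a configured group"
    return True, "allowed"   # with both options off, an unknown directory user gets an account created


def devices_to_wipe(policy: UserAccessControl, directory: Directory,
                    enrolled: Dict[str, List[str]]) -> List[str]:
    """Enrolled devices whose owner no longer passes the configured-groups check.
    Only the group option triggers the wipe; Restrict Enrollment to Known Users does not."""
    if not (policy.restrict_to_configured_groups and policy.wipe_when_removed):
        return []
    return [dev for user, devs in enrolled.items()
            if not in_configured_groups(user, policy, directory) for dev in devs]


def demo() -> dict:
    """Walk through the 'MDM Approved' gating-group pattern with constructed sample data."""
    policy = UserAccessControl(restrict_to_configured_groups=True,
                               selected_groups={"MDM Approved"}, wipe_when_removed=True)
    directory = Directory(
        console_users={"alice", "bob"},
        memberships={"alice": {"Sales", "MDM Approved"},          # approved
                     "bob": {"Sales"},                            # never approved
                     "carol": {"Engineering", "MDM Approved"}})   # approved but not yet in the console
    enrolled = {"alice": ["iphone-alice"], "bob": ["pixel-bob", "ipad-bob"]}
    results = {
        "alice": may_enroll("alice", policy, directory),
        "bob": may_enroll("bob", policy, directory),
        "carol": may_enroll("carol", policy, directory),     # allowed: Known Users is off
        "wipe_selected": devices_to_wipe(policy, directory, enrolled),   # bob's devices
    }
    policy.restrict_to_known_users = True                    # tighten: carol must be added first
    results["carol_known_users"] = may_enroll("carol", policy, directory)
    policy.selected_groups = None                            # All Groups: any synced group now counts
    results["wipe_all_groups"] = devices_to_wipe(policy, directory, enrolled)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The walk-through shows the practical caveat behind the "MDM Approved" pattern: with Selected Groups and the wipe option on, a user whose group is dropped from the approved set loses every enrolled device, while switching the same setting to All Groups makes any synced membership sufficient and the wipe list empties.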

Policy Settings

  • Add Policy – Click this button to add an enrollment restriction policy, which lets you define allowed ownership types, enrollment types, device limits, and more.

    • Enrollment Restriction Policy Name – Enter a name for your enrollment restriction policy.
    • Organization Group – Choose an organization group from the drop-down field. This is the OG to which your new enrollment restriction policy applies.
    • Policy Type – Select the type of enrollment restriction policy: Organization Group Default applies to the selected organization group, while User Group Policy applies to specific user groups through Group Assignment Settings on the Restrictions tab.
    • Allowed Ownership Types – Choose whether to permit or prevent Corporate - Dedicated, Corporate - Shared, and Employee Owned devices. Workspace ONE Direct Enrollment only supports the ownership types Corporate - Dedicated and Employee Owned.
    • Allowed Enrollment Types – Choose whether to permit or prevent the enrollment of devices using MDM (AirWatch Agent) and AirWatch Container (for iOS/Android) apps.
    • Device Limit per User – Select Unlimited to allow users to enroll as many devices as they want. Setting a device limit per user is supported by Workspace ONE Direct Enrollment. Clear the Unlimited check box to enter values in the Device Limit Per User section, which defines the maximum number of devices per ownership type:
      • Maximum Devices Per User
      • Corporate Max Devices
      • Shared Max Devices
      • Employee Owned Max Devices
    • Allowed Device Types – Select the Limit enrollment to specific platforms, models or operating systems check box to add device-specific restrictions. This option is supported by Workspace ONE Direct Enrollment.

      Note: Current Microsoft functionality dictates that you cannot blacklist Windows Phone devices by IMEI or UDID.

    • Device Level Restrictions Mode – This field is only available if Limit enrollment to specific platforms, models or operating systems is selected in the Allowed Device Types field. Determine the kind of device limitations you want:
      • Only allow listed device types (Whitelist) – Select this option to explicitly allow only devices matching the parameters you enter and to block everything else.
      • Block listed device types (Blacklist) – Select this option to explicitly block devices matching the parameters you enter and to allow everything else.

      For either mode, select Add Device Restriction to choose a Platform, Model, Manufacturer (specific to Android devices), or Operating System. You can also add a Device Limit per defined device restriction, and you can add multiple device restrictions.

      You can also block specific devices based on their IMEI, Serial Number, or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.

      This option is supported by Workspace ONE Direct Enrollment.
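The following is an added example, not Workspace ONE UEM code, that evaluates a single enrollment request against a restriction policy of the shape described above: allowed ownership and enrollment types, the per-user device limits, the device-level whitelist or blacklist built from Add Device Restriction rows, and a per-device block entered under Devices > Lifecycle > Enrollment Status. The data model, field names, sample devices and the order in which checks are applied are assumptions made for illustration.

```python
"""Added example (not Workspace ONE UEM code): evaluating an enrollment request against an
enrollment restriction policy: allowed ownership/enrollment types, per-user device limits, the
device-level allow/block list, and identifier blocks. Data model, names and devices are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CORPORATE, SHARED, EMPLOYEE = "Corporate - Dedicated", "Corporate - Shared", "Employee Owned"

@dataclass(frozen=True)
class Device:
    platform: str          # e.g. "Apple iOS", "Android"
    model: str
    manufacturer: str      # Manufacturer restrictions are specific to Android
    os_version: str
    udid: str
    serial: str = ""
    imei: str = ""

@dataclass(frozen=True)
class DeviceRestriction:
    """One row added with Add Device Restriction; a None field matches anything."""
    platform: Optional[str] = None
    model: Optional[str] = None
    manufacturer: Optional[str] = None
    os_version: Optional[str] = None

    def matches(self, d: Device) -> bool:
        pairs = ((self.platform, d.platform), (self.model, d.model),
                 (self.manufacturer, d.manufacturer), (self.os_version, d.os_version))
        return all(want is None or want == have for want, have in pairs)

@dataclass
class RestrictionPolicy:
    allowed_ownership: Set[str]                      # subset of {CORPORATE, SHARED, EMPLOYEE}
    allowed_enrollment: Set[str]                     # subset of {"MDM", "Container"}
    per_user_limit: Optional[Dict[str, int]] = None  # None = Unlimited; keys "max" or an ownership type
    device_mode: Optional[str] = None                # None, "whitelist" or "blacklist"
    device_restrictions: List[DeviceRestriction] = field(default_factory=list)

def evaluate(policy: RestrictionPolicy, device: Device, ownership: str, enrollment_type: str,
             users_devices: List[Tuple[str, Device]], blocked_ids: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason); users_devices holds (ownership, device) already enrolled by this user."""
    # An Enrollment Status block on IMEI, serial or UDID applies regardless of policy.
    if {i for i in (device.udid, device.serial, device.imei) if i} & blocked_ids:
        return False, "device identifier is blocked"
    if ownership not in policy.allowed_ownership:
        return False, f"ownership type '{ownership}' not permitted"
    if enrollment_type not in policy.allowed_enrollment:
        return False, f"enrollment type '{enrollment_type}' not permitted"
    if policy.device_mode:
        listed = any(r.matches(device) for r in policy.device_restrictions)
        if policy.device_mode == "whitelist" and not listed:
            return False, "device type is not on the allow list"
        if policy.device_mode == "blacklist" and listed:
            return False, "device type is on the block list"
    if policy.per_user_limit is not None:
        total_cap = policy.per_user_limit.get("max")
        if total_cap is not None and len(users_devices) >= total_cap:
            return False, f"user already has {len(users_devices)} devices (max {total_cap})"
        own_cap = policy.per_user_limit.get(ownership)
        same = sum(1 for o, _ in users_devices if o == ownership)
        if own_cap is not None and same >= own_cap:
            return False, f"user already has {same} '{ownership}' devices (max {own_cap})"
    return True, "allowed"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample: corporate-only, MDM-only policy with an allow list of iOS and Samsung Android."""
    policy = RestrictionPolicy(
        allowed_ownership={CORPORATE, SHARED}, allowed_enrollment={"MDM"},
        per_user_limit={"max": 3, CORPORATE: 2}, device_mode="whitelist",
        device_restrictions=[DeviceRestriction(platform="Apple iOS"),
                             DeviceRestriction(platform="Android", manufacturer="Samsung")])
    iphone = Device("Apple iOS", "iPhone", "Apple", "16.4", udid="UDID-1")
    galaxy = Device("Android", "SM-G991B", "Samsung", "13", udid="UDID-2")
    pixel = Device("Android", "Pixel 7", "Google", "13", udid="UDID-3")
    lost = Device("Apple iOS", "iPhone", "Apple", "16.4", udid="UDID-4", serial="SN-LOST")
    blocked = {"SN-LOST"}                            # added under Devices > Lifecycle > Enrollment Status
    two_corp = [(CORPORATE, iphone), (CORPORATE, galaxy)]
    return {
        "iphone_corporate": evaluate(policy, iphone, CORPORATE, "MDM", [], blocked),
        "galaxy_shared": evaluate(policy, galaxy, SHARED, "MDM", [], blocked),
        "pixel_not_listed": evaluate(policy, pixel, CORPORATE, "MDM", [], blocked),
        "iphone_employee_owned": evaluate(policy, iphone, EMPLOYEE, "MDM", [], blocked),
        "iphone_container": evaluate(policy, iphone, CORPORATE, "Container", [], blocked),
        "lost_device_blocked": evaluate(policy, lost, CORPORATE, "MDM", [], blocked),
        "third_corporate": evaluate(policy, iphone, CORPORATE, "MDM", two_corp, blocked),
        "shared_under_cap": evaluate(policy, galaxy, SHARED, "MDM", two_corp, blocked),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22} {'ALLOW' if ok else 'DENY '} {why}")
```

The per-device identifier block is checked first because it exists to keep one specific device out no matter which policy would otherwise apply to the enrolling user. A whitelist row with only Platform set acts as a wildcard for every model and OS version of that platform, so the Pixel is refused only because no row matches Android devices made by Google.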

Management Requirements for Workspace ONE

Require MDM for Workspace ONE - Enable this feature and set the applicable devices to receive an MDM profile and to get managed when they enroll through Workspace ONE. For detailed information about this feature, see Enable Direct Enrollment for Workspace ONE.

Group Assignment Settings

  • Edit Group Policies – This button enables you to configure ranked assignments that link a directory user group to a specific Workspace ONE UEM enrollment restriction policy. Users belonging to a particular group must adhere to the associated restriction policy. If they belong to more than one mapped group, they take the highest-ranked pairing.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.
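The ranked user-group mapping is the same mechanism in three places on this page: Automatically Select Based on User Group on the Grouping tab, Enable Directory Group-Based Mapping under User Role Mapping, and Edit Group Policies under Group Assignment Settings. The following is an added example, not Workspace ONE UEM code, that implements that resolution once and reproduces the Executive/Sales/Global ranking example from the Grouping tab, including the misconfiguration in which Global is ranked first. Group names, organization group identifiers and role names are sample values.

```python
"""Added example (not Workspace ONE UEM code): the ranked user-group mapping behind Automatically
Select Based on User Group on the Grouping tab, the User Role Mapping setting, and the Group
Assignment Settings above. Each is a list of (user group, target) pairings in rank order; a
user who belongs to several mapped groups takes the highest-ranked pairing. Names are assumptions."""
from __future__ import annotations

from typing import Dict, List, Optional, Set, Tuple

RankedPairs = List[Tuple[str, str]]   # (directory user group, target), highest rank first


def resolve(user_groups: Set[str], ranked: RankedPairs) -> Optional[str]:
    """Target of the highest-ranked pairing whose group the user belongs to; None if no pairing matches."""
    for group, target in ranked:
        if group in user_groups:
            return target
    return None


def assign_all(memberships: Dict[str, Set[str]], ranked: RankedPairs) -> Dict[str, Optional[str]]:
    """Resolve every user in a directory snapshot."""
    return {user: resolve(groups, ranked) for user, groups in memberships.items()}


def unreachable_pairs(memberships: Dict[str, Set[str]], ranked: RankedPairs) -> RankedPairs:
    """Pairings that never win for anyone: the symptom of ranking a broad group such as Global too high."""
    winners = set()
    for groups in memberships.values():
        for pair in ranked:
            if pair[0] in groups:
                winners.add(pair)
                break
    return [pair for pair in ranked if pair not in winners]


def demo() -> dict:
    # Constructed directory in which everyone is a member of Global, as in the example above.
    memberships = {
        "ceo": {"Executive", "Global"},
        "rep": {"Sales", "Global"},
        "sales_vp": {"Executive", "Sales", "Global"},
        "intern": {"Global"},
    }
    # Group ID assignment (Grouping tab): most specific group first, Global last.
    good = [("Executive", "OG-Exec"), ("Sales", "OG-Sales"), ("Global", "OG-Global")]
    # Same pairings with Global ranked first: every user lands in one organization group.
    bad = [("Global", "OG-Global"), ("Executive", "OG-Exec"), ("Sales", "OG-Sales")]
    # User Role Mapping uses the same resolution; the role names here are sample values.
    roles = [("Executive", "Full Access"), ("Global", "Basic Access")]
    return {
        "good": assign_all(memberships, good),
        "bad": assign_all(memberships, bad),
        "bad_unreachable": unreachable_pairs(memberships, bad),
        "good_unreachable": unreachable_pairs(memberships, good),
        "roles": assign_all(memberships, roles),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running unreachable_pairs against a directory export before saving a ranking is a cheap check: a pairing that can never win is almost always a broad group ranked above the specific ones, and for role mapping that ordering silently decides which users end up with the more privileged role.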

Optional Prompt Tab

The optional prompt settings let you configure various prompts that you set to display or not display during device enrollment. These optional prompts are web-based and are therefore cross-platform unless otherwise specified.

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
  • Prompt for Device Ownership Type – You can prompt end users to select their device ownership type. Otherwise, configure a default device ownership type for the current organization group. Workspace ONE Direct Enrollment supports prompting for device ownership type.
  • Display Welcome Message – You can display a welcome message for your users early in the device enrollment process. You can configure both the header and the body of this welcome message by navigating to System > Localization > Localization Editor and selecting the labels 'EnrollmentWelcomeMessageHeader' and 'EnrollmentWelcomeMessageBody' respectively.
  • Display MDM Installation Message – You can display a message for your users during the device enrollment process. You can configure both the header and the body of this MDM installation message by navigating to System > Localization > Localization Editor and selecting the labels 'EnrollmentMdmInstallationMessageHeader' and 'EnrollmentMdmInstallationMessageBody' respectively.

    If you customize your own header and body messages using the Localization Editor, you must select 'Override' in the Current Setting option. Doing so ensures that your customizations are used instead of the default messages.

    In addition to making one-off localization changes, you can make localization changes in bulk by uploading an edited comma-separated values (CSV) file. Download the localization template CSV file by navigating to System > Localization > Localization Editor and selecting the Modify button. Edit the file to make your bulk localization changes and upload it using the same screen.

  • Enable Enrollment Email Prompt – You can prompt the user to enter their email address during enrollment. The Enrollment Email Prompt requests the email address from the end user to populate that field in the user record automatically. This data is beneficial to organizations deploying email to devices using the {EmailAddress} lookup value. For details, see Lookup Values.
  • Enable Device Asset Number Prompt – You can prompt the user to enter the device asset number during enrollment. Workspace ONE Direct Enrollment supports the device asset number prompt, but only when Prompt for Device Ownership Type is enabled and only for Corporate Owned devices.
  • Display Enrollment Transition Messages (Android Only) – You can display or hide enrollment messages on Android devices.
  • Enable TLS Mutual Auth for Windows – You can force Windows Phone and Windows devices to use endpoints secured by TLS Mutual Authentication, in which the device must present a client certificate to the endpoint in addition to validating the server's certificate. This requires extra setup and configuration; contact Support for assistance.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Customization Tab

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
  • Use specific Message Template for each Platform – Select this check box to use different enrollment message templates for the different platforms. This option is supported by Workspace ONE Direct Enrollment.
  • Enrollment Support Email – Enter the contact email for MDM support, which is displayed to users during enrollment.
  • Enrollment Support Phone – Enter the contact phone number for MDM support, which is displayed to users during enrollment.
  • Post-Enrollment Landing URL (iOS Only) – Enter the URL of the webpage to which you want end users redirected after they enroll their devices. This field can be blank. This option is supported by Workspace ONE Direct Enrollment.
  • MDM Profile Message (iOS Only) – Enter the message you want your users to see during the install MDM prompt. This field is optional and can be left blank. This option is supported by Workspace ONE Direct Enrollment.
  • Use Custom MDM Applications – Configure MDM apps by adding them as managed applications and assigning them to MDM application groups. This option is supported by Workspace ONE Direct Enrollment.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.