If you restrict an enrollment to registered devices only, you also have the option of requiring a registration token. This option increases security by confirming that a particular user is authorized to enroll. You can send an email or SMS message with the enrollment token attached to users with Workspace ONE ™ UEM accounts.

  1. Enable a token-based enrollment by selecting the appropriate organization group. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and ensure that the Authentication tab is selected.

    Scroll down past the Getting Started section and select Registered Devices Only as the Devices Enrollment Mode. A toggle labeled Require Registration Token appears. Enabling this option restricts enrollment to only token-registered devices.

    Require Registration Token

  2. Select a Registration Token Type.

    • Single-Factor – The token is all that is required to enroll.
    • Two-Factor – A token and login with user credentials are required to enroll.
  3. Set the Registration Token Length. This required setting denotes how complex the Registration Token is and must contain a value between 6–20 alphanumeric characters in length.
  4. Set the Token Expiration Time (in hours). This required setting is the amount of time an end user has to select a link and enroll. Once it expires, you must send another link.

Generate a Token With the UEM Console

  1. Navigate to Accounts > Users > List View and select Edit User for a user. (This process also works with creating users.) The Add / Edit User page displays.
  2. Scroll down and select a Message Type: Email for directory users and SMS for basic user accounts.
  3. Select a Message Template. You can use the default template or create a template by selecting the link underneath that opens the Message Template page in a new tab. Next, select Save and Add Device. The Add Device screen displays.
  4. Review General information about the device and confirming information about the Message itself. Once finished, select Save to send the token to the user using the selected message type.

The token is not accessible through the UEM console for security.

Generate a Token With the Self-Service Portal (SSP)

  1. Log in to the Self-Service Portal. If you are using single sign-on or smartcards for authentication, you can log in from a device or a computer. Directory users can log in using their directory service credentials.
  2. Select Add Device.
  3. Enter the device information (friendly name and platform) and any other details by completing the settings in the Register Device form. Ensure that the email address and phone number are present and accurate as they might not automatically populate.
  4. Select Save to send the enrollment token to the user using the selected message type.


The token is not shown on this page and only appears in the message that is sent.

As a security feature, the following changes have been made for accounts that have enrolled with a token.

  • Email Address and Phone Number on both the Add Device screen and Account screen have been made read-only.
  • The View Enrollment Message action has been removed.

Perform Enrollment With a Registration Token

  1. Open the SMS or email message on the device and select the link that contains the enrollment token.

    If an enrollment page prompts for a Group ID or token, enter the token directly.

  2. Enter a user name or password if two-factor authentication is used.
  3. Continue with your enrollment as usual. Once complete, the device is associated with the user for which the token was created.

Once the MDM profile is installed on the device, the token is considered "used" and cannot be used to enroll other devices. If the enrollment was not completed, the token can still be used on another device. If the token expires based on the time limit you entered, you must generate another enrollment token.