Enroll your Linux devices to establish a secure connection between the devices and Workspace ONE UEM. This topic describes web-based enrollment and command line enrollment for Linux devices.

Unlike other platforms, the Workspace ONE Intelligent Hub for Linux does not have a graphical user interface and requires the command line to install, enroll, and interact with it on the device itself. For hub-based enrollment, you need a working knowledge of the Linux command line.

Enrollment Methods

There are two ways to initiate enrollment for Linux devices:
  • Hub-based Enrollment - Enroll a Linux device using the command line in ws1HubUtil, that is included as part of the Hub installation.
    Note: Command line enrollment does not support SAML authentication, or directory lookup. The enrollment user must exist in the Workspace ONE UEM console (basic or pre-synced Directory user accounts).
  • Web-based Enrollment - Enroll a Linux device with a user-initiated, web-based enrollment wizard.
    Note: Web enrollment is the only enrollment method that supports integrated user authentication, such as Workspace ONE Access or SAML authentication.

    Neither enrollment method supports advanced and single-user staging enrollments. Single-user staging enrollment is where an admin enrolls on behalf of a user or enrolls and waits for a user to enter credentials.

Prerequisites

Before enrolling a Linux endpoint, you need the Workspace ONE UEM Device Services URL, organization Group ID, and the enrollment user's user name and password.

Ensure that you are using the correct installer for your device and distribution. Installers are created for specific distributions and architectures.

For more information before enrollment, see Command-line Utilities for Workspace ONE Intelligent Hub on Linux.

Enroll Linux Devices Using Web Enrollment

Web enrollment makes enrolling devices easier by not requiring manual Workspace ONE Intelligent Hub downloads. Because credentials are entered in the browser, web enrollment supports integrated and modern user authentication (such as Workspace ONE Access, SAML, and others). To use web enrollment, send users a URL.

Currently, Chrome and Firefox are the only supported browsers for web enrollment. Web enrollment does not support the Tarball installer.

Procedure

  1. In Chrome or Firefox, go to the enrollment URL. This URL is built into your environment and is accessible by adding "/enroll/welcome" to your active environment.

    For example, a Web Enrollment URL looks like https://cn135.awmdm.com/enroll/welcome.

  2. Enter the Group ID, Username, and Password.
  3. To download the Workspace ONE Intelligent Hub, accept the Terms of Use.

    Configure the Terms of Use in Workspace ONE UEM under Settings > System > Terms of Use.

  4. Select the appropriate installer for your device.
  5. To download the installer and the enrollment package, select Next.
    • Use the Deb Installer for all Debian based distributions including Ubuntu, Debian, Raspbian, and others.
    • Use the RPM Installer for any Red Hat based distributions including RHEL, CentOS, Fedora, SUSE, and others.
  6. After downloading the package to your device, close your browser.

    Important: When the browser is closed, a cookie is written with the enrollment credentials for the device. The Hub fails to complete enrollment if the browser is not closed.

  7. Run the command for installing the package using the command line.
    For the Deb package on Ubuntu: 
    $ sudo apt install "./Downloads/com.airwatch.linux.agent.amd64.deb"

    Note: Do not use the dpkg to install the Hub. Prerequisites are not installed and Workspace ONE UEM does not work properly if dpkg is used.

    For RPM package on Fedora: 
    $ sudo dnf install ./com.airwatch.linux.agent.amd64.rpm
    For RPM package on OpenSUSE: 
    $ sudo zypper install ./com.airwatch.linux.agent.amd64.rpm

    This installed package takes care of prerequisites such as Ruby and Puppet, installing the Workspace ONE Intelligent Hub and ws1HubUtil, and enrolling the device into Workspace ONE UEM using the credentials entered in the wizard.

Enroll Linux Devices Using the Command Line

Command line enrollment is a two-step process. First, you install the Intelligent Hub. Then, you enroll devices with the ws1HubUtil command. You can fully script the enrollment in a single command or prompt the user to enter enrollment information.

You can also enroll with a token using the --token argument and use it in the --group argument. Enter the username and the password. You can leave those text boxes blank when enrolling with a token. For more details on the enrollment arguments and options available, or run the command ./ws1HubUtil enroll -h, see the ws1HubUtil Enroll Command section of Command-line Utilities for Workspace ONE Intelligent Hub on Linux.

ws1HubUtil enroll command options.

To run as a system service, the device must be running SystemD or System V init for Hub. Custom configurations require a Puppet agent. The agent automatically installs with the Workspace ONE Intelligent Hub if you are running a Debian-based (deb) or Red Hat-based (rpm) system. For other systems, manually install Ruby and the Puppet agent prior to Workspace ONE enrollment.

Procedure

  1. Download the Workspace ONE Intelligent Hub for Linux to your intended device from the My Workspace ONE portal. The downloaded file must correspond to the targeted processor architecture and distribution.

    The agent is available as a deb installer (for Debian based distros like Ubuntu), an rpm installer (for RedHat based distros), or a tgz package (for any distro that does not support either a deb or rpm installer). Download the agent directly or transfer it to your Linux device using USB or SSH.

  2. Run the Workspace ONE Intelligent Hub client installer with root privileges.

    Example:

    Deb package on Ubuntu: 
    $ sudo apt install "/tmp/workspaceone-intelligent-hub-amd64-21.10.0.1.deb"

    Note: Do not use the dpkg to install the Hub. Prerequisites are not installed and Workspace ONE UEM does not work properly if dpkg is used.

    RPM package on Fedora: 
    $ sudo dnf install workspaceone-intelligent-hub-amd64-22.6.0.7.rpm
    RPM package on openSUSE: 
    $ sudo zypper install workspaceone-intelligent-hub-amd64-22.06.0.7.rpm
    Tarball (any other Linux distribution): 
    Extract the Package using: $ tar xvf workspaceone-intelligent-hub-<arch>.22.06.0.7.tgz
    Install the Package using: $ sudo ./install.sh

    Before installing the Intelligent Hub when using Tarball, install Ruby and the Puppet agent manually.

  3. Enroll your device in Workspace ONE UEM after the installation by using the ws1HubUtil.
  4. Change the directory to the Hub binary directory under the installation directory by using $ cd /opt/vmware/ws1-hub/bin.
  5. Send a user's enrollment details using a single command or follow enrollment prompts.
    • Single command (include enrollment arguments in order): 
      $ sudo ./ws1HubUtil enroll --server https://host.com --user <username> --password <password> --group <organization group id>
    • Enrollment Prompts (without more arguments):
      $ sudo ./ws1HubUtil enroll
  6. After a successful enrollment, the Linux device is listed in the Workspace ONE UEM console.