After Workspace ONE UEM is integrated with a selected user security type and before enrollment, enable each authentication mode you plan to allow.

Procedure

  1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment in the Authentication tab.
  2. Select the appropriate check boxes for the Authentication Mode setting.
    Setting Description
    Add Email Domain This button is used for setting up the Auto-Discovery Service to register email domains to your environment.
    Authentication Mode(s)

    Select the allowed authentication types, which include:

    • Basic – Basic user accounts (ones you create manually in the UEM console) can enroll.
    • Directory – Directory user accounts (ones that you have imported or allowed using directory service integration) can enroll. Workspace ONE Direct Enrollment supports Directory users with or without SAML.
    • Authentication Proxy – Allows users to enroll using Authentication Proxy user accounts. Users authenticate to a web endpoint.
      • Enter Authentication Proxy URL, Authentication Proxy URL Backup, and Authentication Method Type (choose between HTTP Basic and Exchange ActiveSync).
    Source of Authentication for Intelligent Hub

    Select the system the Intelligent Hub service uses as its source for users and authentication policies.

    • Workspace ONE UEM – Select this setting if you want Hub Services to use Workspace ONE UEM as the source of users and auth policies.

      When you configure the Hub Configuration page for Hub Services, enter the Hub Services tenant URL.

    • Workspace ONE Access – Select this setting if you want Hub Services to use Workspace ONE Access as the source of users and auth policies.

      When you configure the Hub Configuration page for Hub Services, enter the Workspace ONE Access tenant URL.

    For details about Workspace ONE Intelligent Hub, see the VMware Workspace ONE Hub Services Documentation.

    For details about Workspace ONE Access, see the VMware Workspace ONE Access Documentation.

    Devices Enrollment Mode

    Select the preferred device enrollment mode, which includes:

    • Open Enrollment – Essentially allows anyone meeting the other enrollment criteria (authentication mode, restrictions, and so on) to enroll. Workspace ONE Direct Enrollment supports open enrollment.
    • Registered Devices Only – Only allowed users to enroll using devices you or they have registered. Device registration is the process of adding corporate devices to the UEM console before they are enrolled. Workspace ONE Direct Enrollment supports allowing only registered devices to enroll but only if registration tokens are not required.
    Require Registration Token

    Visible only when Registered Devices Only is selected.

    If you restrict enrollment to registered devices only, you also have the option of requiring a registration token to be used for enrollment. This increases security by confirming that a particular user is authorized to enroll. You can send an email or SMS message with the enrollment token attached to users with Workspace ONE UEM accounts.

    Require Intelligent Hub Enrollment for iOS Select this check box to require iOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If disabled, Web Enrollment is available.
    Require Intelligent Hub Enrollment for macOS Select this check box to require macOS device users to download and install the Workspace ONE Intelligent Hub before they can enroll. If disabled, Web Enrollment is available.
  3. Select Save.