The Token-based authentication offers the easiest way for a user to enroll their device. With this enrollment setting, Workspace ONE UEM generates a token, which is placed within the enrollment URL.

For single-token authentication, the user accesses the link from the device to complete an enrollment and the Workspace ONE UEM server references the token provided to the user.

For added security, set an expiration time (in hours) for each token. Setting an expiration minimizes the potential for another user to gain access to any information and features available to that device.

You can also decide to implement two factor authentication to take end-user identity verification a step further. With this authentication setting, the user must enter their user name and password upon accessing the enrollment link with the provided token.


  • Minimal work for an end user to enroll and authenticate their device.
  • Secure token use by setting expiration.
  • User does not need credentials for single-token authentication.


  • Requires either Simple Mail Transfer Protocol (SMTP) or Short Message Service (SMS) integration to send tokens to device.

This diagram shows the admin user providing a single-use token to an enrollment user.

  1. Administrator authorizes user device registration.
  2. Single use token generated and sent to user from Workspace ONE UEM.
  3. User receives a token and navigates to enrollment URL. User is prompted for token and optionally two-factor authentication.
  4. Device enrollment process.
  5. Workspace ONE UEM marks token as expired.
Note: SMTP is included with SaaS deployments.