When integrating Workspace ONE UEM with directory services, you can determine which users can enroll devices into your corporate deployment.

You can restrict enrollment to only known users or to configured groups. Known users are users that already exist in the UEM console. Configured groups are users associated with directory service groups, if you opt to integrate with user groups. You can also limit the number of devices enrolled per organization group and save restrictions as a reusable policy.

These options are available by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and selecting the Restrictions tab. The Restrictions tab allows you to customize enrollment restriction policies by organization group and user group roles.

  • Create and assign existing enrollment Restrictions policies using the Policy Settings.
  • Assign the policy to a user group under the Group Assignment Settings area.
  • Blacklist or whitelist devices by platform, operating system, UDID, IMEI, and so on.
Setting: User Access Control

Workspace ONE Direct Enrollment supports all user access control options.

Restrict Enrollment to Known Users – Enable to restrict enrollment only to users that exist in the UEM console. This restriction applies to directory users you manually added to the UEM console one by one or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll. This option enables you to be selective about who can enroll.

You can allow all directory users who do not have accounts in the UEM console to enroll into Workspace ONE UEM by disabling this option. User accounts are automatically created during enrollment.

Restrict Enrollment to Configured Groups – Enable to restrict enrollment to users who belong to All Groups or to Selected Groups (available only if you have integrated with user groups). Do not select this option if you have not integrated with your directory services user groups.

If you disable this option, all directory users can enroll, and their Workspace ONE UEM user accounts are created during enrollment. Select Enterprise Wipe devices of users that are removed from configured groups to automatically enterprise wipe the devices of users who leave the configured groups. If All Groups is selected, devices of users not belonging to any user group are removed. If Selected Groups is selected, devices of users not belonging to one of the selected user groups are removed.

One option for integrating with user groups is to create an "MDM Approved" directory service group and import it to Workspace ONE UEM. After this import step, you can add existing directory service user groups to the "MDM Approved" group as they become eligible for Workspace ONE UEM.

Setting: Set limit for maximum enrolled devices at this OG and below

Enable this option and enter a Device Limit to cap the number of devices allowed to enroll in the current organization group (OG) and the OGs below it.

Workspace ONE Direct Enrollment supports this option.

Note: Restrictions do not apply for iOS devices enrolled through Apple's Device Enrollment Program (DEP), because the required device information is only received after the device has been enrolled.