A major challenge in managing users' personal devices in Workspace ONE UEM is recognizing and distinguishing between employee-owned and corporate-owned devices and then limiting enrollment to only approved devices.

Workspace ONE UEM enables you to configure many options that customize the end-user experience of enrolling a personal device. Before you begin, you must consider how you plan to identify employee-owned devices in your deployment and whether to enforce enrollment restrictions for employee-owned devices.

Enrollment Considerations

If you allow employees to enroll their personal devices in your Workspace ONE UEM environment, there are many considerations to weigh before you proceed.

Consideration #1: Will BYOD Users Enroll with VMware Workspace ONE or the Workspace ONE Intelligent Hub?

VMware Workspace ONE is a secure enterprise platform that delivers and manages any app on any device. It begins with self-service, single sign-on access to cloud, mobile, and Windows apps and includes powerfully integrated email, calendar, file, and collaboration tools.

With Workspace ONE, users do not need to enroll their personal devices to get access to services. The Workspace ONE app itself can be downloaded from the Apple App Store, Google Play, or Microsoft Store and installed. A user then logs in and gains access to applications based on the established policies. The Workspace ONE app configures an MDM management profile during its installation that enrolls the device automatically.

Consideration #2: Will You Apply Additional Enrollment Restrictions for Employee-Owned Devices?

When answering this question, consider the following.

  • Does your MDM deployment only support certain device platforms? If so, you can specify these platforms and only allow devices running on them to enroll.
  • Are you limiting the number of personal devices an employee is allowed to enroll? If so, you can specify the maximum number of devices a user is allowed to enroll.

You can set up additional enrollment restrictions to further control who can enroll and which device types are allowed. For example, you can opt to support only those Android devices that feature built-in enterprise management functionality. After your organization evaluates and determines which kinds of employee-owned devices it wants to use in the work environment, you can configure these settings.

Identify Corporate Devices and Specify Default Device Ownership

Preparing a list of devices can be useful if you have a mix of corporate-owned devices and employee-owned devices that employees enroll themselves. As enrollment commences, devices you identified as Corporate-Owned have their ownership type configured automatically based on what you selected. You can then configure all employee-owned devices, which are not in the list, to enroll with the Employee-Owned ownership type.

The following procedure explains how to import a list of pre-approved corporate devices. You can apply the Corporate-Owned ownership type after enrollment automatically, even if you have a restriction that automatically applies the Employee-Owned ownership type.

Restrictions for an open enrollment, by contrast, explicitly allow or block the enrollment of devices matching parameters you identify, including platform, model, and operating system.

  1. Navigate to Devices > Lifecycle > Enrollment Status and select Add, then Batch Import, which displays the Batch Import screen.

    Alternatively, you can select Add then Allowlisted Devices to enter up to 30 allowlisted devices at a time by IMEI, UDID, or Serial Number. You can also select either Corporate Owned or Corporate Shared as the Ownership Type.

  2. Enter a Batch Name and Batch Description, then select Add Allowlisted Device as the Batch Type.
  3. Select the link titled "Download template with an example for allowlisted devices" and save this comma-separated values (CSV) template to a location you have access to. Edit this CSV file with Excel to add all the devices you want to allowlist, then save the file.
  4. Select Choose File and select your saved CSV file.
  5. Select Import to import this device information to your allowlist.
  6. Set the Default Device Ownership type to Employee Owned for all open enrollment.
    1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Grouping tab.
    2. Select Employee Owned as the Default Device Ownership.
    3. Select the Default Role assigned to the user, which determines the level of access the user has to the Self-Service Portal (SSP).
    4. Select the Default Action for Inactive Users, which determines what to do if the user is marked as inactive.
    5. Select Save.
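
A mistyped identifier in the allowlist means the corporate device does not match at enrollment and falls through to the Employee Owned default, so it is worth checking the list before you import it. The following Python script is an added example, not part of the product or its documentation; the column names and sample rows are assumptions constructed for illustration and do not reflect the layout of the downloaded template.

```python
import csv

# Constructed sample rows. The column names are assumptions for this example,
# not the layout of the template downloaded from the console.
SAMPLE_CSV = """identifier_type,identifier,ownership
IMEI,490154203237518,Corporate Owned
IMEI,490154203237519,Corporate Owned
Serial Number,C02XK0AAJGH5,Corporate Shared
Serial Number,c02xk0aajgh5,Corporate Owned
UDID,00008030-001A2B3C4D5E002E,Employee Owned
"""
ID_TYPES = {"IMEI", "UDID", "Serial Number"}
OWNERSHIP = {"Corporate Owned", "Corporate Shared"}  # types offered for allowlisted devices


def valid_imei(s: str) -> bool:
    """15 ASCII digits whose last digit is a correct Luhn check digit."""
    if not (len(s) == 15 and s.isascii() and s.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_allowlist(text: str):
    """Return (clean_rows, problems); problems are (csv_line_number, reason)."""
    clean, problems, seen = [], [], set()
    for line_no, row in enumerate(csv.DictReader(text.splitlines()), start=2):
        id_type = (row.get("identifier_type") or "").strip()
        ident = (row.get("identifier") or "").strip()
        owner = (row.get("ownership") or "").strip()
        if id_type not in ID_TYPES:
            problems.append((line_no, "unknown identifier type"))
        elif owner not in OWNERSHIP:
            problems.append((line_no, "ownership type not valid for an allowlisted device"))
        elif not ident:
            problems.append((line_no, "empty identifier"))
        elif id_type == "IMEI" and not valid_imei(ident):
            problems.append((line_no, "IMEI fails length or check-digit test"))
        elif (id_type, ident.upper()) in seen:  # case-insensitive match is an assumption
            problems.append((line_no, "duplicate identifier"))
        else:
            seen.add((id_type, ident.upper()))
            clean.append(row)
    return clean, problems
```

Import only when `problems` is empty; each entry gives the line in the CSV file to correct.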

Prompt Users to Identify Ownership Type

If your deployment has organization groups with multiple ownership types, you can prompt users to identify their ownership type during enrollment. Consider carefully before allowing users to choose their own ownership type.

While simple, this approach assumes that every user correctly selects the appropriate ownership type applicable to their device. If a personal device user selects the Corporate-Owned type in error, their device is now subject to policies and profiles that normally do not apply to personal devices. This erroneous selection can have serious legal implications regarding user privacy.

You can always update the ownership type on individual devices later, but it is safer and more secure to make a list of corporate devices. Then enroll the corporate-owned devices separately, and later set the default ownership type to Employee Owned.

  1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Optional Prompt tab.
  2. Select Prompt for Device Ownership Type. During enrollment, users are prompted to select their ownership type.
  3. Select Save.
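
If you do enable the prompt, a periodic reconciliation of enrolled devices against your corporate inventory catches the erroneous selections described above. The following Python script is an added example, not part of the product or its documentation; the field names, serial numbers, and users are constructed for illustration and do not represent a Workspace ONE UEM export format.

```python
# Constructed data. Field names are assumptions for this example and are not
# a Workspace ONE UEM export format.
CORPORATE_SERIALS = {"C02XK0AAJGH5", "R58M123ABCD", "H9QCORP00004"}
ENROLLED = [
    {"serial": "C02XK0AAJGH5", "user": "alice", "ownership": "Corporate Owned"},
    {"serial": "r58m123abcd", "user": "bob", "ownership": "Employee Owned"},
    {"serial": "DX3PERSONAL1", "user": "carol", "ownership": "Corporate Owned"},
    {"serial": "GG7PERSONAL2", "user": "dave", "ownership": "Employee Owned"},
]
CORPORATE_LABELS = {"Corporate Owned", "Corporate Shared"}


def audit_ownership(enrolled, corporate_serials):
    """Compare each enrolled device's ownership label with the inventory."""
    corp = {s.strip().upper() for s in corporate_serials}
    findings = {"personal_marked_corporate": [], "corporate_marked_personal": []}
    seen = set()
    for dev in enrolled:
        serial = dev["serial"].strip().upper()
        seen.add(serial)
        labelled_corp = dev["ownership"] in CORPORATE_LABELS
        if labelled_corp and serial not in corp:
            # Personal device receiving corporate policies: the privacy risk.
            findings["personal_marked_corporate"].append((serial, dev["user"]))
        elif not labelled_corp and serial in corp:
            # Corporate device enrolled under the Employee Owned default.
            findings["corporate_marked_personal"].append((serial, dev["user"]))
    # Inventory devices that have not enrolled at all.
    findings["corporate_not_enrolled"] = sorted(corp - seen)
    return findings


if __name__ == "__main__":
    for category, items in audit_ownership(ENROLLED, CORPORATE_SERIALS).items():
        print(category, items)
```

Treat entries under `personal_marked_corporate` as the priority, since those devices are subject to policies and profiles that should not apply to personal devices.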