If you restrict an enrollment to registered devices only, you also have the option of requiring a registration token. This option increases security by confirming that a particular user is authorized to enroll.

You can also send an email or SMS message with the enrollment token attached to users with Workspace ONE ™ UEM accounts.


  1. Enable a token-based enrollment by selecting the appropriate organization group. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and ensure that the Authentication tab is selected.
  2. Scroll down past the Getting Started section and select Registered Devices Only as the Devices Enrollment Mode.
    A toggle labeled Require Registration Token appears. Enabling this option restricts enrollment to only token-registered devices.

    This screenshot shows the Authentication tab in the General > Enrollment settings, with all the Registration Token options enabled.

  3. Select a Registration Token Type.
    • Single-Factor – The token is all that is required to enroll.
    • Two-Factor – A token and login with user credentials are required to enroll.
  4. Set the Registration Token Length.
    This required setting denotes how complex the Registration Token is and must contain a value between 6–20 alphanumeric characters in length.
  5. Set the Token Expiration Time (in hours).
    This required setting is the amount of time an end user must select a link and enroll. Once it expires, you must send another link.