Your organization must evaluate the number and kinds of devices your employees own and determine which of those devices to use in your work environment. After this work is complete, you can save these enrollment restrictions as a policy.

Procedure

  1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment.
  2. Select the Restrictions tab and then select Add Policy located in the Policy Settings section.
  3. In the Add/Edit Enrollment Restriction Policy screen, add an enrollment restriction policy.
    Setting – Description
    Enrollment Restriction Policy Name – Enter a name for your enrollment restriction policy.
    Organization Group – Select an organization group from the drop-down menu. This is the OG to which your new enrollment restriction policy applies.
    Policy Type – Select the type of enrollment restriction policy, which can be either Organization Group Default to apply to the selected organization group, or User Group Policy for specific User Groups through Group Assignment Settings on the Restrictions tab.
    Allowed Ownership Types

    Select whether to permit or prevent Corporate - Dedicated, Corporate - Shared, and Employee Owned devices.

    Workspace ONE Direct Enrollment only supports the ownership types Corporate - Dedicated and Employee Owned.

    Allowed Enrollment Types – Select whether to permit or prevent the enrollment of devices using MDM (Workspace ONE Intelligent Hub) and AirWatch Container (for iOS/Android) apps.
    Device Limit per User

    Select Unlimited to allow users to enroll as many devices as they want. Workspace ONE Direct Enrollment supports setting a device limit per user.

    Deselect this box to enter values for the Device Limit Per User section, to define the maximum number of devices per ownership type.

    • Maximum Devices Per User
    • Corporate Max Devices
    • Shared Max Devices
    • Employee Owned Max Devices
    Allowed Device Types

    Select the Limit enrollment to specific platforms, models or operating systems check box to add additional device-specific restrictions.

    This option is supported by Workspace ONE Direct Enrollment.

    Device Level Restrictions Mode

    This option is only available if Limit enrollment to specific platforms, models or operating systems is selected in the Allowed Device Types option.

    Determine the kind of device limitations you should have.

    • Only allow listed device types (Allowlist) – Select this option to explicitly allow only devices matching the parameters you enter and to block everything else.
    • Block listed device types (Denylist) – Select this option to explicitly block devices matching the parameters you enter and to allow everything else.

    For either device-level restrictions mode, select Add Device Restriction to choose a Platform, Model, Manufacturer (specific to Android devices), or Operating System. You may also add a Device Limit per defined device restriction. You may add multiple device restrictions.

    You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.

    This option is supported by Workspace ONE Direct Enrollment.

  4. Select Save to save your changes and navigate back to the Devices & Users / General / Enrollment screen.
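
The difference between the two Device Level Restrictions modes shows most clearly for a device that no restriction mentions: the allowlist blocks it and the denylist lets it enroll. The following is an added sketch, not Workspace ONE code or its API, that models the settings from step 3. The class, field names, sample values, the rule that a restriction matches when all of its fields match, and the order of the checks are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:                       # hypothetical model of the settings in step 3
    allowed_ownership: set          # permitted ownership types
    mode: str                       # "allowlist" or "denylist"
    restrictions: list              # dicts: platform / model / manufacturer / os
    max_per_ownership: dict = field(default_factory=dict)  # empty = Unlimited
    blocked_ids: set = field(default_factory=set)  # IMEI, Serial Number or UDID

def matches(rule, device):
    # Assumption: a restriction matches when every field it sets equals the device's.
    return all(device.get(key) == value for key, value in rule.items())

def evaluate(policy, device, enrolled):
    """Return (allowed, reason); enrolled maps ownership type -> devices the user already has.
    The order of the checks is an assumption of this sketch."""
    ids = {device.get(k) for k in ("imei", "serial", "udid")} - {None}
    if ids & policy.blocked_ids:
        return False, "identifier blocked"
    own = device["ownership"]
    if own not in policy.allowed_ownership:
        return False, "ownership type not permitted"
    limit = policy.max_per_ownership.get(own)
    if limit is not None and enrolled.get(own, 0) >= limit:
        return False, "device limit reached"
    listed = any(matches(rule, device) for rule in policy.restrictions)
    if policy.mode == "allowlist":   # block everything that is not listed
        return (True, "on allowlist") if listed else (False, "not on allowlist")
    return (False, "on denylist") if listed else (True, "not on denylist")

# Constructed sample data: platform names, manufacturers and serials are illustrative.
OWNERSHIP = {"Corporate - Dedicated", "Employee Owned"}
ALLOW = Policy(OWNERSHIP, "allowlist",
               [{"platform": "Android", "manufacturer": "Samsung"}, {"platform": "iOS"}],
               max_per_ownership={"Employee Owned": 2})
DENY = Policy(OWNERSHIP, "denylist",
              [{"platform": "Android", "manufacturer": "ExampleCo"}],
              blocked_ids={"SERIAL-LOST-01"})
UNLISTED = {"platform": "Windows", "ownership": "Employee Owned", "serial": "SERIAL-NEW-07"}
SAMSUNG = {"platform": "Android", "manufacturer": "Samsung", "ownership": "Employee Owned"}
LOST = {"platform": "iOS", "ownership": "Employee Owned", "serial": "SERIAL-LOST-01"}

if __name__ == "__main__":
    for name, policy in (("allowlist", ALLOW), ("denylist", DENY)):
        print(name, "unlisted device ->", evaluate(policy, UNLISTED, {}))
    print("third employee-owned device ->", evaluate(ALLOW, SAMSUNG, {"Employee Owned": 2}))
    print("blocked serial ->", evaluate(DENY, LOST, {}))
```

Running the same unlisted device through both policies shows why a denylist needs ongoing maintenance as new device types appear, while an allowlist blocks them until they are added.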