You can set up additional enrollment restrictions to control who can enroll in Workspace ONE UEM and which device types are allowed.
Applying additional enrollment restrictions is applicable to any deployment, regardless of directory services integration, BYOD support, device registration, or other configurations.
You can also set the maximum number of enrolled devices per organization group, and once you have configured enrollment restrictions, you can save them as a policy.
Your organization must evaluate the number and kinds of devices your employees own and decide which of them to allow in your work environment. After this work is complete, you can save the resulting enrollment restrictions as a policy.
Additional registration options control which devices end users are allowed to enroll. This is useful for BYOD deployments: you can prevent the enrollment of denylisted devices or restrict enrollment to allowlisted devices only. You can allowlist devices by type, by platform, or by specific device IDs and serial numbers.
For example, if you want to block Windows devices from enrolling into Workspace ONE UEM through the out-of-box experience (OOBE), you must create a denylist containing the IMEI, serial, or UDID numbers of all the Windows devices you want to exclude.
For more information, see Denylist and Allowlist Device Registrations.
You can apply a limit on the number of enrolled devices to an organization group (OG). Such a limit helps you manage your deployment by keeping enrollments within the number of valid licenses. For more information, see the section on this page entitled Limit the Number of Enrolled Devices Per Organization Group.
When integrating Workspace ONE UEM with directory services, you can determine which users can enroll devices into your corporate deployment.
You can restrict enrollment to known users only or to configured groups only. Known users are users that already exist in the console. Configured groups are users associated with directory service groups, available if you opt to integrate with user groups. You can also limit the number of devices enrolled per organization group and save restrictions as a reusable policy.
These options are available by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and selecting the Restrictions tab. The Restrictions tab allows you to customize enrollment restriction policies by organization group and user group roles.
Setting | Description |
---|---|
User Access Control | Workspace ONE Direct Enrollment supports all user access control options. The two options, Restrict Enrollment to Known Users and Restrict Enrollment to Configured Groups, are described below this table. |
Set limit for maximum enrolled devices at this OG and below | Enable this option and enter a Device Limit to limit the number of devices allowed to enroll in the current organization group (OG). Workspace ONE Direct Enrollment supports this option. |

The User Access Control options are:

* Restrict Enrollment to Known Users – Enable to restrict enrollment to users that already exist in the UEM console. This restriction applies to directory users you added to the UEM console manually, one by one, or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll, so you can be selective about who enrolls. Disable this option to allow all directory users who do not yet have accounts in the UEM console to enroll into Workspace ONE UEM; their user accounts are created automatically during enrollment.
* Restrict Enrollment to Configured Groups – Enable to allow only users belonging to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. Do not select this option if you have not integrated with your directory services user groups. Note: Restricting Enrollment to Configured Groups is only supported with Just-In-Time (JIT) user enrollment when both of the following are true:
  * Workspace ONE UEM is configured as the source of authentication for Workspace ONE Intelligent Hub, which you configure by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and selecting the Authentication tab.
  * SAML authentication is deactivated for enrollment users. Configure this by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services; see the Directory Services System Settings documentation for details.

  You can create Workspace ONE UEM user accounts during enrollment by disabling the option to allow all directory users to enroll. Select Enterprise Wipe devices of users that are removed from configured groups to automatically enterprise wipe such devices. If All Groups is selected, devices not belonging to any user group are removed. If Selected Groups is selected, devices not belonging to a particular user group are removed. One option for integrating with user groups is to create an "MDM Approved" directory service group and import it to Workspace ONE UEM. After this import step, you can add existing directory service user groups to the "MDM Approved" group as they become eligible for Workspace ONE UEM.
Note: Restrictions do not apply for iOS devices enrolled through Apple Device Enrollment Program (DEP), because the required device information is only received after the device enrolls.
You can apply a limit on the number of enrolled devices to any type of organization group (global, customer, or partner). Such a limit helps you manage your deployment by keeping enrollments within the number of valid licenses in a per-device licensing environment.
Once a limit is set at one OG, you cannot set another limit anywhere in the same OG branch. You can set another enrolled device limit only in a separate OG branch.
If this option is unavailable, check the parent OG (above the current OG) and the child OGs (below the current OG): a limit most likely already exists above or below your current OG.
Your organization must evaluate the number and kinds of devices your employees own and decide which devices to allow in your work environment. After this work is complete, you can save these enrollment restrictions as a policy.
In the Add/Edit Enrollment Restriction Policy screen, configure the options for your enrollment restriction policy based on the following descriptions.
Setting | Description |
---|---|
Enrollment Restriction Policy Name | Enter a name for your enrollment restriction policy. |
Organization Group | Select an organization group from the drop-down menu. This is the OG to which your new enrollment restriction policy applies. |
Policy Type | Select the type of enrollment restriction policy: either Organization Group Default, which applies to the selected organization group, or User Group Policy, which applies to specific User Groups through Group Assignment Settings on the Restrictions tab. |
Allowed Ownership Types | Select whether to permit or prevent Corporate - Dedicated, Corporate - Shared, and Employee Owned devices. Workspace ONE Direct Enrollment only supports the ownership types Corporate Dedicated and Employee Owned. |
Allowed Enrollment Types | Select whether to permit or prevent the enrollment of devices using MDM (Workspace ONE Intelligent Hub) and Container (for iOS/Android) apps. |
Device Limit per User | Select Unlimited to allow users to enroll as many devices as they want. Workspace ONE Direct Enrollment supports setting a device limit per user. Deselect this box to enter values in the Device Limit Per User section and define the maximum number of devices per ownership type: Maximum Devices Per User, Corporate Max Devices, Shared Max Devices, and Employee Owned Max Devices. |
Allowed Device Types | Select the Limit enrollment to specific platforms, models or operating systems check box to add further device-specific restrictions. This option is supported by Workspace ONE Direct Enrollment. |
Device Level Restrictions Mode | This option is only available if Limit enrollment to specific platforms, models or operating systems is selected under Allowed Device Types. Determine the kind of device limitation you need: Only allow listed device types (Allowlist) explicitly allows only devices matching the parameters you enter and blocks everything else, whereas Block listed device types (Denylist) explicitly blocks devices matching the parameters you enter and allows everything else. For either mode, select Add Device Restriction to choose a Platform, Model, Manufacturer (specific to Android devices), or Operating System. You may also add a Device Limit per defined device restriction, and you may add multiple device restrictions. This option is supported by Workspace ONE Direct Enrollment. |

You can also block specific devices based on their IMEI, Serial Number, or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.
Select Save to save your changes and navigate back to the Devices & Users / General / Enrollment screen.
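To make the interaction between the policy settings above concrete, here is an added example (not VMware's code, and not the UEM implementation) that models how a restriction policy decides whether a device may enroll: the blocked-identifier list from Enrollment Status, Allowed Ownership Types, the Allowlist/Denylist mode with Add Device Restriction rows, and the per-ownership Device Limit per User. The class and field names, the sample policy, and all device values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DeviceRestriction:
    """One 'Add Device Restriction' row: Platform plus optional Model or Operating System (constructed model)."""
    platform: str
    model: Optional[str] = None
    os_version: Optional[str] = None

    def matches(self, device: dict) -> bool:
        return (device["platform"] == self.platform
                and (self.model is None or device["model"] == self.model)
                and (self.os_version is None or device["os"] == self.os_version))

@dataclass
class EnrollmentRestrictionPolicy:
    allowed_ownership: set                      # Allowed Ownership Types
    allowlist_mode: bool                        # True: Only allow listed device types; False: Block listed device types
    restrictions: list = field(default_factory=list)
    max_per_ownership: dict = field(default_factory=dict)  # Device Limit per User, keyed by ownership type
    blocked_ids: set = field(default_factory=set)          # IMEI/serial/UDID entries added under Enrollment Status

    def evaluate(self, device: dict, users_devices: list) -> tuple:
        """Return (allowed, reason) for a device the user is attempting to enroll."""
        # A device-specific block by identifier wins regardless of the platform rules.
        if {device.get("serial"), device.get("udid"), device.get("imei")} & self.blocked_ids:
            return False, "device identifier is blocked in Enrollment Status"
        if device["ownership"] not in self.allowed_ownership:
            return False, "ownership type not permitted"
        listed = any(r.matches(device) for r in self.restrictions)
        if self.allowlist_mode and not listed:
            return False, "device type is not on the allowlist"
        if not self.allowlist_mode and listed:
            return False, "device type is on the denylist"
        cap = self.max_per_ownership.get(device["ownership"])  # None means Unlimited
        already = sum(1 for d in users_devices if d["ownership"] == device["ownership"])
        if cap is not None and already >= cap:
            return False, "device limit per user reached for " + device["ownership"]
        return True, "enrollment permitted"

# Constructed sample policy: allowlist all iOS devices and the Android Pixel 6,
# permit only dedicated corporate and employee-owned devices, cap BYOD at 2 per user.
SAMPLE_POLICY = EnrollmentRestrictionPolicy(
    allowed_ownership={"Corporate - Dedicated", "Employee Owned"},
    allowlist_mode=True,
    restrictions=[DeviceRestriction("iOS"), DeviceRestriction("Android", model="Pixel 6")],
    max_per_ownership={"Employee Owned": 2},
    blocked_ids={"SN-CONSTRUCTED-0001"},
)
```

The order of checks reflects the document's description of each setting; the console's actual evaluation order is not specified on this page.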