A major challenge in managing users' personal devices in Workspace ONE UEM is recognizing and distinguishing between employee-owned and corporate-owned devices and then limiting enrollment to only approved devices.
Workspace ONE UEM enables you to configure many options that customize the end-user experience of enrolling a personal device. Before you begin, you must consider how you plan to identify employee-owned devices in your deployment and whether to enforce enrollment restrictions for employee-owned devices.
If you allow employees to enroll their personal devices in your Workspace ONE UEM environment, there are many things to consider before you proceed.
VMware Workspace ONE is a secure enterprise platform that delivers and manages any app on any device. It begins with self-service, single sign-on access to cloud, mobile, and Windows apps and includes powerfully integrated email, calendar, file, and collaboration tools.
With Workspace ONE, users do not need to enroll their personal devices to get access to services. The Workspace ONE app itself can be downloaded from the Apple App Store, Google Play, or Microsoft Store and installed. A user then logs in and gains access to applications based on the established policies. The Workspace ONE app configures an MDM management profile during its installation that enrolls the device automatically.
When answering this question, consider the following.
You can set up additional enrollment restrictions to further control who can enroll and which device types are allowed. For example, you can opt to support only those Android devices that feature built-in enterprise management functionality. After your organization evaluates and determines which kinds of employee-owned devices they want to use in your work environment, you can configure these settings.
Preparing a list of devices can be useful if you have a mix of corporate-owned devices and employee-owned devices which employees enroll themselves. As enrollment commences, devices you identified as Corporate-Owned have their ownership type configured automatically based on what you selected. Then you can configure all employee-owned devices – which are not in the list – to enroll with an ownership type as Employee-Owned.
The following procedure explains how to import a list of pre-approved corporate devices. You can apply the Corporate-Owned ownership type after enrollment automatically, even if you have a restriction that automatically applies the Employee-Owned ownership type.
Restrictions for an open enrollment, however, explicitly allow or block the enrollment for devices matching parameters you identify including platform, model, and operating system.
Navigate to Devices > Lifecycle > Enrollment Status and select Add, then Batch Import, which displays the Batch Import screen.
Alternatively, you can select Add then Allowlisted Devices to enter up to 30 allowlisted devices at a time by IMEI, UDID, or Serial Number. You can also select either Corporate Owned or Corporate Shared as the Ownership Type.
Enter a Batch Name and Batch Description, then select Add Allowlisted Device as the Batch Type.
Select the link titled "Download template with an example for allowlisted devices" and save this comma-separated values (CSV) template to a location you have access to. Edit this CSV file with Excel to add all the devices you want to allowlist, then save the file.
Select Choose File and select your saved CSV file.
Select Import to import this device information to your allowlist.
Set the Default Device Ownership type to Employee Owned for all open enrollment.
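Because a wrong entry in the allowlist assigns corporate ownership to the wrong device, it helps to check the edited CSV before you select Import. The following added example (not VMware code) validates a draft file; the column names are assumed for illustration, and it assumes the batch file accepts the same identifier and ownership types listed above for manual entry.

```python
import csv
import io

# Column names are assumed; use the headers from the downloaded template.
ALLOWED_OWNERSHIP = {"Corporate Owned", "Corporate Shared"}  # types named on this page
ID_TYPES = {"IMEI", "UDID", "Serial Number"}

def imei_ok(value):
    """An IMEI is 15 digits; the last one is a Luhn check digit."""
    if not (len(value) == 15 and value.isascii() and value.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def validate_allowlist(csv_text):
    """Return (clean_rows, errors); errors are (csv_line_number, reason)."""
    clean, errors, seen = [], [], set()
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        id_type = (row.get("IdentifierType") or "").strip()
        value = (row.get("Identifier") or "").strip()
        owner = (row.get("Ownership") or "").strip()
        key = (id_type, value.upper())  # treat case variants as one device
        if id_type not in ID_TYPES:
            errors.append((n, "unknown identifier type"))
        elif not value:
            errors.append((n, "empty identifier"))
        elif id_type == "IMEI" and not imei_ok(value):
            errors.append((n, "IMEI fails length or check-digit test"))
        elif owner not in ALLOWED_OWNERSHIP:
            errors.append((n, "ownership type not valid for an allowlist"))
        elif key in seen:
            errors.append((n, "duplicate device"))
        else:
            seen.add(key)
            clean.append(row)
    return clean, errors

# Constructed sample rows; every identifier below is made up.
SAMPLE = """IdentifierType,Identifier,Ownership
IMEI,490154203237518,Corporate Owned
IMEI,490154203237519,Corporate Owned
Serial Number,C02EXAMPLE01,Corporate Shared
Serial Number,c02example01,Corporate Shared
UDID,0000EXAMPLE-UDID,Employee Owned
"""
print(validate_allowlist(SAMPLE)[1])
```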
If your deployment has organization groups with multiple ownership types, you can prompt users to identify their ownership type during enrollment. Consider carefully before allowing users to select their own ownership type.
While simple, this approach assumes that every user correctly selects the appropriate ownership type applicable to their device. If a personal device user selects the Corporate-Owned type in error, their device is now subject to policies and profiles that normally do not apply to personal devices. This erroneous selection can have serious legal implications regarding user privacy.
You can always update the ownership type on individual devices later, but it is safer and more secure to make a list of corporate devices. Then enroll the corporate-owned devices separately, and later, set the default ownership type to Employee Owned.