Denylist and Allowlist Device Registrations

A denylist is an explicit listing of devices or apps that are not allowed. An allowlist is an explicit listing of the only devices or apps that are allowed. Apply this concept to registration and you can control which devices are allowed to enroll in Workspace ONE UEM.

For example, in a deployment of only corporate-owned devices, you can create an allowlist of approved iOS devices. You can base this list on International Mobile Equipment Identity (IMEI), Serial Number, or Unique Device Identifier (UDID). This way, enrollment is restricted to only those devices you have identified, and enrollment of employee personal devices is prohibited.

In addition, if a device is lost or stolen, you can add its IMEI, Serial Number, or UDID information to a list of denylisted devices. Denylisting a device unenrolls the device, removes all MDM profiles, and prevents enrollment until you remove the device from the denylist.

A user’s registration record is updated with the device information after enrollment. When the device is unenrolled, any other user trying to enroll the same device is blocked from enrollment until the registration record for the previous user is deleted.

Add a Denylisted or Allowlisted Device

You can add a denylisted device (restricted from enrollment) or an allowlisted device (cleared for enrollment) based on various device attributes.

Note: Denylisting devices that are registered in the Device Enrollment Program (DEP) restricts those devices from having a DEP profile assigned to them in the future.

This screenshot shows the Devices > Lifecycle > Enrollment Status screen, which you can use to identify corporate devices for enrollment.

  1. Navigate to Devices > Lifecycle > Enrollment Status and select Add.
  2. Select Denylist Devices or Allowlist Devices from the Add drop-down menu and complete the settings.

    Setting | Description
    Denylisted/Allowlisted Devices | Enter the list of allowlisted or denylisted devices (by the Device Attribute selection), up to 30 at a time.
    Device Attribute | Select the corresponding device attribute type. Select IMEI, Serial Number, or UDID.
    Organization Group | Confirm to which Organization Group the devices are denylisted or allowlisted.
    Ownership | You can allow devices only with the selected ownership type. This option is only available while allowlisting devices.
    Additional Information | Allows you to select a platform to apply your allowlist or denylist.
    Platform | You can denylist or allowlist all devices belonging to an entire platform. This option is only available when the Additional Information check box is enabled.
  3. Select Save to confirm the settings.
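
An added example, not part of the original documentation or the product's own code: a Python helper that cleans an inventory export of IMEIs before they are entered in the Denylisted/Allowlisted Devices field. It rejects values that fail the IMEI length and Luhn check-digit test, drops duplicates, and splits the rest into groups of 30 to match the per-entry limit in the table above. Function names and sample values are constructed for illustration, and how the console field expects entries to be separated is not stated on this page.

```python
import re

BATCH_LIMIT = 30  # per-entry limit stated in the settings table


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check used by IMEIs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw: str):
    """Strip common separators; return the 15-digit IMEI, or None if malformed."""
    cleaned = re.sub(r"[\s\-/.]", "", raw)
    if re.fullmatch(r"\d{15}", cleaned) and luhn_valid(cleaned):
        return cleaned
    return None


def prepare_batches(raw_values, limit=BATCH_LIMIT):
    """Return (batches, rejected): unique valid IMEIs in groups of `limit`."""
    seen, valid, rejected = set(), [], []
    for raw in raw_values:
        imei = normalize_imei(raw)
        if imei is None:
            rejected.append(raw)  # keep the original text for manual review
        elif imei not in seen:
            seen.add(imei)
            valid.append(imei)
    batches = [valid[i:i + limit] for i in range(0, len(valid), limit)]
    return batches, rejected


if __name__ == "__main__":
    # Constructed sample export: one valid IMEI written two ways, one mistyped
    # check digit, and one value that is a serial number rather than an IMEI.
    export = ["490154203237518", "49-015420-323751-8",
              "490154203237519", "C02XK0AAJG5H"]
    batches, rejected = prepare_batches(export)
    for number, batch in enumerate(batches, start=1):
        print(f"batch {number}: {len(batch)} device(s)")
    print("rejected for review:", rejected)
```

Rejected values are returned rather than silently dropped, so a mistyped identifier for a lost or stolen device is noticed instead of being left off the denylist.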
