Device Enrollment

You must enroll a device before you can manage it with Workspace ONE UEM. There are multiple enrollment paths, each with its own options. For detailed walkthroughs about bulk enrolling BYOD, COPE, and Shared Devices, see How Do You Enroll Devices in Workspace ONE UEM?

Reasons You Should Not Enroll Devices in Global

Before you start the enrollment process, there is something you must understand about the top-level organization group (OG), commonly known as Global. There are several reasons why enrolling devices directly to Global is not a good idea. These reasons are multitenancy, inheritance, and functionality.


Multitenancy

You can make as many child organization groups as you want and you configure each one independently from the others. Settings you apply to a child OG do not impact other siblings.

Inheritance

Changes made to a parent level OG apply to the children. Conversely, changes made to a child level OG do not apply to the parent or siblings.

Functionality

There are settings and functionality that are only configurable to Customer type organization groups. These settings include wipe protection, Telecom, and personal content. Devices added directly to the top-level Global OG are excluded from these settings and functionality.

The Global organization group (OG) is designed to house Customer and other types of OGs. Given the way inheritance works, if you add devices to Global and configure Global with settings intended to affect those devices, you are also affecting all the Customer OGs underneath. This undermines the benefits of multitenancy and inheritance.

Enroll a Device With Workspace ONE Intelligent Hub

Enrolling a device with the Workspace ONE Intelligent Hub is the main option for Android, iOS, and Windows devices in Workspace ONE Express and Workspace ONE UEM.

  1. Download and install the Workspace ONE Intelligent Hub from the Google Play Store (for Android devices) or from the App Store (for Apple devices).

    Downloading the Workspace ONE Intelligent Hub from public application stores requires either an Apple ID or a Google Account.

    Windows 10 devices must point the default browser on the device to to download the Hub.

  2. Run the Workspace ONE Intelligent Hub upon the completion of the download or return to your browser session.

    Important: To ensure a successful installation and running of the Workspace ONE Intelligent Hub on your Android device, it must have a minimum of 60 MB of space available. You can allocate CPU and Run Time Memory on a per app basis on the Android platform. If an app uses more resources than allocated, Android devices optimize themselves by stopping such an app.

  3. Enter your email address when prompted. The Workspace ONE console checks if your address was added to the environment. If it was, you are already configured as an end user and your organization group is already assigned.

    If the Workspace ONE console cannot identify you as an end user based on your email address, you are prompted to enter your Server, Group ID, and Credentials. Your Administrator can provide the environment URL and group ID.

  4. Finalize the enrollment by following all remaining prompts. You can use your email address in place of a user name. If two users have the same email, the enrollment fails.

The device is now enrolled with the Workspace ONE Intelligent Hub app. In the Summary tab of the Device Details View for this device, the security panel displays “Hub Registered” to reflect this enrollment method.

For more information, see Device Details.

Autodiscovery Enrollment

Workspace ONE UEM makes the enrollment process simple, using an email-based autodiscovery system to enroll devices to environments and “customer” type organization groups (OG). Autodiscovery can also be used to allow end users to authenticate into the Self-Service Portal (SSP).

Note: To enable autodiscovery for on-premises environments, ensure that your environment can communicate with the Workspace ONE UEM Autodiscovery servers.

Registration for Autodiscovery Enrollment

The server checks for email domain uniqueness, only allowing a domain to be registered at one organization group in one environment. Because of this server check, register your domain at your highest-level “customer” type organization group.

Autodiscovery is configured automatically for new Software as a Service (SaaS) customers.

Configure Autodiscovery Enrollment from a “Customer” Type Organization Group

Autodiscovery Enrollment simplifies the enrollment process by enrolling devices to “customer” type organization groups (OG) using end-user email addresses. Configure autodiscovery enrollment from a “customer” type OG by taking the following steps.

[Screenshot: the Admin Cloud Services System Settings page, where you configure autodiscovery enrollment.]

  1. Move to a “customer” type organization group using the OG selector.
  2. Navigate to Groups & Settings > All Settings > Admin > Cloud Services and enable the Auto Discovery setting. Enter your login email address in Auto Discovery AirWatch ID and select Set Identity.
    1. If necessary, navigate to to set the password for Auto Discovery service. Once you have registered and selected Set Identity, the HMAC Token auto-populates. Click Test Connection to ensure that the connection is functional.
  3. Enable the Auto Discovery Certificate Pinning option to upload your own certificate and pin it to the auto discovery function. You can review the validity dates and other information for existing certificates, and you can also Replace and Clear these existing certificates.
  4. Select Add a certificate and the settings Name and Certificate display. Enter the name of the certificate you want to upload, select the Upload button, and select the certificate on your device.
  5. Select Save to complete the autodiscovery setup.

What to do next: Instruct end users who enroll themselves to select the email address option for authentication, instead of entering an environment URL and Group ID. When users enroll devices with an email address, they enroll into the same group listed in the Enrollment Organization Group of the associated user account.
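
A pre-enrollment check for the conditions described above, as an added example that is not part of the original guide or of Workspace ONE UEM: it scans a user list for shared email addresses (which make enrollment fail), email domains not registered for autodiscovery, and accounts whose Enrollment Organization Group is Global. The CSV column names, sample rows, function name, and case-insensitive email comparison are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample user list. The column names are assumptions made for this
# example; they are not a Workspace ONE UEM export format.
SAMPLE_USERS = """username,email,enrollment_og
jdoe,jdoe@example.com,Sales
asmith,asmith@example.com,Engineering
j.doe,JDoe@Example.com,Engineering
kiosk01,kiosk01@example.com,Global
bwong,bwong@partner.example,Sales
"""

# Constructed: email domains registered for autodiscovery at the customer OG.
REGISTERED_DOMAINS = {"example.com"}


def audit_enrollment_users(csv_text, registered_domains, top_level_og="Global"):
    """Return findings that would break or weaken email-based enrollment."""
    by_email = defaultdict(list)
    findings = {"duplicate_email": {}, "unregistered_domain": [], "enrolls_to_global": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"].strip()
        # Assumption: addresses are compared case-insensitively.
        email = row["email"].strip().lower()
        by_email[email].append(user)
        domain = email.rpartition("@")[2]
        if domain not in registered_domains:
            # Not resolvable by email: expect the Server / Group ID prompt.
            findings["unregistered_domain"].append(user)
        if row["enrollment_og"].strip().lower() == top_level_og.lower():
            # Devices in Global miss the Customer-OG-only settings.
            findings["enrolls_to_global"].append(user)
    # Two users sharing one address make email-based enrollment fail.
    findings["duplicate_email"] = {
        email: users for email, users in by_email.items() if len(users) > 1
    }
    return findings


if __name__ == "__main__":
    for kind, hits in audit_enrollment_users(SAMPLE_USERS, REGISTERED_DOMAINS).items():
        print(kind, hits)
```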

Additional Enrollment Workflows

In some unique cases, you can adjust the enrollment process into Workspace ONE UEM for specific organizations and deployments. For each of the additional enrollment options, end users need the credentials detailed in the Required Information section of this guide.

  • Multi-Domain Environments – Enrollment login in single and multi-domain environments is supported provided the login is made in the following format: domain\username.
  • Kiosk Mode and Kiosk Designer – Windows desktop end users can configure their desktop devices in kiosk mode. Users can also use the kiosk designer in the Workspace ONE UEM console to create a multi-app kiosk.
  • Notification-Prompt Enrollment – The end user receives a notification (email and SMS) with the Enrollment URL, and enters their Group ID and login credentials. When the end user accepts the Terms of Use (TOU), the device automatically enrolls and outfits with all MDM features and content. This acceptance includes selected apps and features from the Workspace ONE UEM server.
  • Single-Click Enrollment – In this workflow, which applies to web-based enrollments, an administrator sends a Workspace ONE UEM-generated token to the user with an enrollment link URL. The user merely selects the provided link to authenticate and enroll the device, making it the easiest and fastest enrollment process for the end user. You can secure this method by setting expiration times.
    • Web Enrollment – There is an optional welcome screen that an administrator can invoke for Web enrollments by appending “/enroll/welcome” to the active environment. For example, by supplying the URL https://your_custom_environment/enroll/welcome to users participating in Web Enrollment, they see a Welcome to Workspace ONE UEM screen. This screen includes options to enroll with an Email Address or Group ID. The Web Enrollment option is applicable for Workspace ONE UEM version 8.0 and later.
  • Dual-Factor Authentication – In this workflow, an administrator sends the same enrollment token generated by Workspace ONE UEM, but the user must also enter their login credentials. This method is just as easy to run as the Single-Click Enrollment but adds one additional level of security. The additional security measure is requiring the user to enter their unique credentials.
  • End-User Registration – The user logs in to the Self-Service Portal (SSP) and registers their own device. Once registration is complete, the system sends an email to the end user that includes the enrollment URL and login credentials. This workflow assumes that administrators have not already performed device registration for a corporate device fleet. It also assumes that you require corporate devices to be registered so administrators can track enrollment status. Also, end-user registration means that corporate devices can be used together with user-purchased devices.
  • Single-User Device Staging – The administrator enrolls devices on behalf of an end user. This method is useful for administrators who set up multiple devices for an entire team or single members of a team. Such a method saves the end users the time and effort of enrolling their own devices. The admin can also configure and enroll a device and mail it directly to a user who is off-site.
  • Multi-User Device Staging – The administrator enrolls devices that are used by multiple users. Each device is enrolled and provisioned with a specific set of features that users access only after they log in with unique credentials.