Registering corporate devices is optional and the main benefit of this option is to restrict enrollment in Workspace ONE UEM to registered devices only.
In addition to restricting enrollment to registered devices, another benefit is tracking enrollment statuses, which lets you know which of your users have enrolled and which have yet to enroll. You can then notify those users who have not yet enrolled.
Workspace ONE UEM can successfully register devices even when users or administrators leave out device identifiers during data entry.
A third advantage to registering devices before enrollment is security. A registered device expects the user logging in for the first time to be the same individual it was registered to. If a different user attempts to log in to a registered device, the device is locked out and unable to enroll.
If you want to proceed with registering devices before enrollment, consider the following.
An important consideration when registering devices is deciding who performs the actual device registration.
You can direct end users to register their own devices before enrolling into Workspace ONE UEM if you are supporting BYOD. You can also require users with corporate owned devices to register if you want to track enrollment or use registration tokens. In either case, you must notify your end users of the process they need to follow.
The following instructions assume that the end user has Workspace ONE UEM credentials, either from their existing directory service credentials or from a previously activated User Account. If you opt to enroll with directory services without manually adding users, user accounts are not created ahead of time.
In this case, if you want end users to register devices, you must send an email or intranet notification to each user group outside of Workspace ONE UEM with the registration instructions. Ensure that enrollment authentication is enabled for Active Directory or Authentication Proxy by navigating to Devices > Device Settings > Devices & Users > General > Enrollment > Authentication.
Verify that the setting Deny Unknown Users is deselected by navigating to Devices > Device Settings > Devices & Users > General > Enrollment > Restrictions.
Include these five steps in the registration message you send to end users so that they have what they need to register their own devices.
Log in by entering the Group ID and credentials (either an email address or user name and password).
These credentials match the directory service credentials for directory users.
Group ID refers to the organization group (OG) you have selected to serve as the “home base” for the devices you intend to enroll, the enrollment OG. For details, see Configure Enrollment Options on Grouping Tab and Identify the Group ID for Any Organization Group.
Select Add Device to open the Register Device form.
At this point, regardless of whether administrators or end users have registered devices, you can restrict enrollment to only registered devices. To do this, navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select Registered Devices Only.
Occasionally, you might need to troubleshoot device registration, or track the stage of the overall enrollment process. End users might accidentally delete the message containing registration instructions, or they might not redeem an authentication within the allotted expiration time.
Once devices are registered, you can track enrollment statuses by navigating to the Device Dashboard page and selecting the Enrollment chart, which lets you filter based on enrollment status. You can also access the Monitor, which lists devices recently enrolled.
Manage enrollment status by accessing the Enrollment Status page at Devices > Lifecycle > Enrollment Status. Track the enrollment status of devices by sorting the Enrollment Status column in the listing or by filtering the list view by Enrollment Status.
Using the Enrollment Status page, you can produce a custom list of devices with an enrollment status of “Pre-enrollment Registration Record,” select all devices in this custom list, and resend the enrollment instructions as a friendly reminder. If enough time elapses and a device fails to enroll, you can opt to reset (or even revoke) their registration token.
For more information, see Enrollment Status.
If you intend to organize your application assignments, device profile assignments, compliance policy assignments, or user mappings around user groups, then consider keeping the User Group Sync setting enabled, which is its default setting. This setting causes Workspace ONE to make a real-time call to the authentication server each time a device record is created.
For more information, see the User Group Sync section in Configure Enrollment Options on Grouping Tab.
When you have a small number of devices to register, you can register devices individually.
Select the Add button, which can be found in the top-right quadrant of almost any screen in the Workspace ONE UEM console. When selected, the button displays a drop-down menu with multiple options.
The Add Device page displays.
Complete the options according to your needs, starting with the User tab.
|Search Text||Search for the user by entering a search parameter and select the Search User button. On a successful search, select the user account for whom you are registering the device. Several pre-populated text boxes display including Security Type, User Name, Password, and Email Address. You can edit these text boxes by displaying advanced user details.|
|Expected Friendly Name||Enter the Friendly Name of the device. This text box accepts Lookup Values which you can insert by selecting the plus sign. For details, see Lookup Values.|
|Organization Group||Select the Organization Group to which the device belongs.|
|Ownership||Select the ownership level of the device.|
|Platform||Select the platform of the device.|
|Show advanced device information options||Display advanced device information settings.|
|Model||Select the device model. This drop-down menu option depends upon the Platform selection.|
|OS||Select the device operating system. This drop-down menu option depends upon the Platform selection.|
|UDID**||Enter the unique device identifier (UDID) of the device.|
|Serial Number** ‡||Enter the serial number of the device.|
|IMEI**||Enter the device international mobile station equipment identity number.|
|SIM**||Enter the subscriber identity module for the device.|
|Asset Number**||Enter the device asset number.|
|Message Type||The type of notification sent to the user once you add a device. Select from None, Email, or SMS*. The Email option requires a valid email address. You must also select an Email Message Template. The SMS option requires a phone number including country code and area code. SMS charges might apply. You must also select an SMS Message Template.|
|Email Address||Required for the Email Message Type.|
|Email Message Template||Required for the Email Message Type. Select a template from the drop-down menu. View the Email message with the Message Preview button.|
|Phone Number||Required for the SMS* Message Type.|
|SMS Message Template||Required for the SMS* Message Type. Select a template from the drop-down listing. View the SMS message with the Message Preview button.|
* In order for SMS notifications to work with your device fleet, you must have an account with a 3rd party Gateway provider and configure the Gateway settings. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > SMS and complete the options described in SMS Settings.
** Among these denoted settings, at least one is required to register a device.
‡ To register a Windows Desktop device, you must enter the serial number of the device.
(Optional) Complete the Custom Attributes tab.
|Add||Add a custom Attribute and its corresponding Application and Value. In order to use the custom attribute feature while adding a device, you must have a custom attribute already created. For detailed instructions, see Custom Attributes Overview.|
|Application||Select the application that gathers the attribute.|
|Attributes||Select the custom attribute from the drop-down menu.|
|Value||Select the value of the custom attribute from the drop-down menu.|
(Optional) Complete the Tags tab.
|Add||Add a Tag to the device.|
|Tag||Select the Tag from the drop-down menu of existing Tags.|
Select Save to complete the device registration process.
Results: The device is now registered to the selected Workspace ONE UEM user account specified in step 3.
What to do next: Deliver this device to this user so they can log in and complete the enrollment process. If another user attempts to log into this device before the registered user, the device is locked out and unable to enroll.
If you have hundreds or even dozens of devices to register, the Batch Import process is the best practice.
Complete each of the required options: Batch Name, Batch Description, and Batch Type.
Within the Batch File (.csv) option is a list of task-based templates you can use to load users and their devices in bulk.
Select the appropriate download template and save the comma-separated values (CSV) file to somewhere accessible.
Locate the saved CSV file, open it with Excel, and enter all the relevant information for each of the devices that you want to import.
Each template is pre-populated with sample entries demonstrating the type of information (and its format) intended to be placed in each column. Fields in the CSV file denoted with an asterisk (*) are required.
Save the completed template as a CSV file. In the UEM console, select the Choose File button from the Batch Import screen, navigate to the path where you saved the completed CSV file and select it.
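A pre-upload check for a completed batch file, added here as an example and not part of Workspace ONE UEM or its documentation. It assumes the batch file follows the same field requirements as the individual Add Device form (at least one identifier, a serial number for Windows Desktop, a destination for the chosen message type); the column names and sample rows are constructed, so substitute the headers from the template you downloaded.

```python
import csv
import io

# Column names below are assumptions for illustration; use the headers
# from the template you downloaded from the Batch Import screen.
IDENTIFIER_COLUMNS = ["UDID", "SerialNumber", "IMEI", "SIM", "AssetNumber"]

# Constructed sample batch (not real users or devices).
SAMPLE_CSV = """UserName,Platform,UDID,SerialNumber,IMEI,SIM,AssetNumber,MessageType,EmailAddress,PhoneNumber
jdoe,Apple,,C02EXAMPLE01,,,,Email,jdoe@example.com,
asmith,WindowsDesktop,,,,,ASSET-0042,None,,
bwong,Android,,,,,,SMS,,+15555550100
clee,Android,,,000000000000000,,,SMS,,
"""

def validate_row(row):
    """Return a list of findings for one device row (empty list = OK)."""
    findings = []
    val = lambda col: (row.get(col) or "").strip()

    # At least one of the ** identifiers is required on the Add Device form.
    if not any(val(c) for c in IDENTIFIER_COLUMNS):
        findings.append("no device identifier")
    # Windows Desktop registration requires the serial number specifically.
    if val("Platform") == "WindowsDesktop" and not val("SerialNumber"):
        findings.append("Windows Desktop requires serial number")
    # The chosen notification channel needs a destination.
    if val("MessageType") == "Email" and not val("EmailAddress"):
        findings.append("Email message type requires email address")
    if val("MessageType") == "SMS" and not val("PhoneNumber"):
        findings.append("SMS message type requires phone number")
    return findings

def validate_batch(text):
    """Map CSV line number -> findings, for rows that need review."""
    report = {}
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        findings = validate_row(row)
        if findings:
            report[line_no] = findings
    return report

if __name__ == "__main__":
    for line_no, findings in validate_batch(SAMPLE_CSV).items():
        print(f"line {line_no}: {'; '.join(findings)}")
```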
If you restrict an enrollment to registered devices only, you also have the option of requiring a registration token. This option increases security by confirming that a particular user is authorized to enroll.
You can send an email or SMS message with the enrollment token attached to users with Workspace ONE UEM accounts.
Note: In order for SMS notifications to work with your device fleet, you must have an account with a 3rd party Gateway provider and configure the Gateway settings. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > SMS and complete the options described in SMS Settings.
Scroll down past the Getting Started section and select Registered Devices Only as the Devices Enrollment Mode.
A toggle labeled Require Registration Token appears. Enabling this option restricts enrollment to only token-registered devices.
Select a Registration Token Type.
Set the Registration Token Length.
This required setting denotes how complex the Registration Token is. The token length must be between 6 and 20 alphanumeric characters.
Set the Token Expiration Time (in hours).
This required setting is the amount of time an end user has to select the link and enroll. Once it expires, you must send another link.
You must generate and send a registration token, which is a highly secure method of enrolling a mobile device. There are two ways to generate a token: through the UEM Console or through the Self-Service Portal. Select and follow one path only.
|UEM Console||Self-Service Portal|
|1. Navigate to Accounts > Users > List View and select Edit User for a user. The Add / Edit User page displays.||1. Log in to the Self-Service Portal. If you are using single sign-on or smartcards for authentication, you can log in from a device or a computer. Directory users can log in using their directory service credentials.|
|2. Scroll down and select a Message Type. Choose from the following: Email for directory users, or SMS for basic user accounts.||2. Select Add Device.|
|3. Select a Message Template. Next, select Save and Add Device. The Add Device screen displays. You can use the default template or create a template by selecting the link underneath that opens the Message Template page in a new tab.||3. Enter the device information (friendly name and platform) and any other details by completing the settings in the Register Device form. Ensure that the email address and phone number are present and accurate as they might not automatically populate.|
|4. Review the General information about the device and confirm the information about the Message itself. Once finished, select Save to send the token to the user using the selected message type.||4. Select Save to send the enrollment token to the user using the selected message type.|
|Note: The token is not accessible through the UEM console for security.||Note: The token is not shown on this page and only appears in the message that is sent.|
As a security feature, the following changes have been made for accounts that have enrolled with a token.
* Email Address and Phone Number on both the Add Device screen and Account screen are read-only.
* The View Enrollment Message action has been removed.
Your end users can use a registration token to enroll a device, which is a highly secure authentication method.
Result: Once complete, the device is associated with the user for which the token was created.
What to do next: Once the MDM profile is installed on the device, the token is considered “used” and cannot be used to enroll other devices. If the enrollment was not completed, the token can still be used on another device. If the token expires based on the time limit you entered, you must generate another enrollment token.
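The token rules above (length between 6 and 20, expiration in hours, consumed only when the MDM profile is installed) modeled in Python as an added example; this is not Workspace ONE UEM code. The class and method names, the mixed-case alphanumeric character set, and the clock values are assumptions for illustration.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits  # assumed character set

class RegistrationToken:
    """Illustrative model of the token rules described above."""

    def __init__(self, user, length, expiry_hours, now):
        if not 6 <= length <= 20:
            raise ValueError("token length must be 6-20 characters")
        self.user = user
        self.value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self.expires_at = now + timedelta(hours=expiry_hours)
        self.used = False

    def redeem(self, presented, now):
        """Check a presented token at the start of enrollment."""
        if self.used:
            return "rejected: token already used"
        if now >= self.expires_at:
            return "rejected: token expired, generate a new one"
        if not secrets.compare_digest(presented, self.value):
            return "rejected: token mismatch"
        return "accepted"

    def mdm_profile_installed(self):
        """Only a completed enrollment consumes the token."""
        self.used = True

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    tok = RegistrationToken("jdoe", length=12, expiry_hours=24, now=t0)
    results = []
    # Enrollment starts on device A but is abandoned: token stays valid.
    results.append(tok.redeem(tok.value, t0 + timedelta(hours=1)))
    # Same token completes enrollment on device B and is consumed.
    results.append(tok.redeem(tok.value, t0 + timedelta(hours=2)))
    tok.mdm_profile_installed()
    results.append(tok.redeem(tok.value, t0 + timedelta(hours=3)))
    # A second token that is never redeemed expires after the time limit.
    late = RegistrationToken("asmith", length=6, expiry_hours=4, now=t0)
    results.append(late.redeem(late.value, t0 + timedelta(hours=5)))
    return results
```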
If no device identifier is specified during registration (such as UDID, IMEI, and Serial Number), Workspace ONE UEM uses these attributes to match an enrolled device to its registration record automatically.
When inadequate registration information is provided, the following ranking allows Workspace ONE UEM to register devices successfully.