Self-Enrollment Versus Device Staging

Workspace ONE UEM supports two methods for enrolling corporate devices. You can let users enroll their own devices or administrators can enroll devices on users’ behalf in a process called device staging.

In device staging, an administrator enrolls devices before assigning them and distributing them to end users. This method is useful for administrators who must configure devices for end users across an organization.

Device staging can be performed for Android, iOS, and macOS devices.

Consideration #1: Device Ownership

  • Do your end users already have assigned corporate devices? In this case, it might not be practical to collect each device for staging, and it is better to have users enroll themselves.
  • Are your end users sharing devices, or do they have their own dedicated devices? If end users are not sharing devices, then you can make it the responsibility of each owner to enroll their own device.

    Also, device staging works well for newly provisioned devices, since it happens before an employee receives the device. If your end users already have corporate devices, then allowing them to self-enroll makes the most sense. Letting users enroll their own devices is also beneficial when the total number of devices makes it impractical for administrators to perform device staging.

Consideration #2: Auto Discovery

Are you associating your email domain with your Workspace ONE UEM environment? This process, known as auto discovery, means that end users need only enter their email address and credentials. The enrollment URL and Group ID are filled in automatically.

See also Autodiscovery Enrollment.

Consideration #3: Workspace ONE Direct Enrollment

Device staging through Workspace ONE Direct Enrollment is not supported. If you must stage a device, whether for single or multiple users, you must enroll the device using Workspace ONE Intelligent Hub instead of Workspace ONE Direct Enrollment.

Workspace ONE Direct Enrollment is a feature that fits well with self-enrollment. Once enabled, all qualified devices that log into the enrollment organization group are enrolled immediately. Once the Hub is fully installed, the end user can agree to install the apps selected by the company or opt out of installing them.

For more information, see Workspace ONE Direct Enrollment.

Consideration #4: Are You Participating in Apple’s Device Enrollment Program?

To maximize the benefits of Apple devices enrolled in Mobile Device Management (MDM), Apple has introduced the Device Enrollment Program (DEP). With DEP, you can perform the following.

  • Install a non-removable MDM profile on a device, preventing end users from deleting it.
  • Provision devices in Supervised mode (iOS only). Devices in Supervised mode can access additional security and configuration settings.
  • Enforce an enrollment for all end users.
  • Customize and streamline the enrollment process to meet your needs.
  • Prevent iCloud backup by preventing users from signing in with their Apple ID when generating a DEP profile.
  • Force OS updates for all end users.

Consideration #5: Use of Apple Configurator

Apple Configurator enables IT administrators to deploy and manage Apple iOS devices effectively. Organizations such as retail stores, classrooms, and hospitals find it especially useful to pre-enroll devices for multiple end users to share.

Using Configurator to enroll pre-registered devices meant for a single user is supported: add the serial number/IMEI information to the user’s registered device in the Console. A major benefit of Apple Configurator is that you can use a USB hub or iOS device cart to provision multiple devices in minutes.

Consideration #6: Single User Staging or Registration?

If you are considering staging devices for a single user, registration might be preferred. The difference between staging for a single user and registering a device is subtle but important.

Registration – When you register a device, you do so for an individual, named user. The device therefore expects the first user who logs in to be the same user to whom it was registered. If another user attempts to log in to a registered device, the device is locked out for security reasons and cannot be enrolled.

Single User Staging – When you stage a device, you do so for any user qualified to enroll in Workspace ONE UEM. In theory, you might hand a staged device to any qualified user, and that user might successfully log in to the device and enroll in Workspace ONE UEM.

The staging workflow allows you to prepare the device and then start the Workspace ONE Intelligent Hub, where any qualified enrollment user can log in. Workspace ONE UEM then performs a one-time reassignment to associate the device to that user.

Consideration #7: Use of Device Staging

Unless you are using Apple Configurator, administrators must stage devices one-by-one. For large deployments, consider the time and staffing this effort requires.

Whereas administrators can stage new devices easily, employees already using corporate-owned devices must ship devices in or collect them on-site to have devices staged.

If you have thousands of devices to pre-enroll, device staging can take time. Therefore it works best when you have a new batch of devices being provisioned, since you can gain access to the devices before employees receive them.

Device staging can be performed for Android and iOS devices in the following ways.

  • Single User (Standard) – Used when you are staging a device that any qualified user can enroll.

    Note: As indicated, this enrollment flow is intended for unattended devices. If you are using this flow for zero touch user enrollment, you are responsible for ensuring that staged devices are delivered to the intended user.

  • Single User (Advanced) (not available in iOS) – Used when you are staging and enrolling a device for a particular user.

    Note: The staging user/administrator must ensure that the device is checked out to the registered user.

  • Multi User – Used when you are staging a device to be shared among multiple users.

    For detailed instructions, see Create a Multi-User Staging Account for Enrollment.
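The distinction between a registered device, a device staged for a single user, and a multi-user staged device comes down to what happens at login. The following Python model, added here as an illustration and not part of Workspace ONE UEM or its documentation, encodes the three behaviours described above: a registered device locks out on a login by anyone other than its named user, a single-user staged device performs a one-time reassignment to the first qualified user, and a multi-user staged device reassigns itself on every login. The device records, user names and the set of qualified users are constructed sample data; the "denied" result for a second user on an already-bound single-user device is an assumption, since the text only says the reassignment is one-time.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Mode(Enum):
    REGISTERED = "registered"        # registered to one named user
    STAGED_SINGLE = "staged_single"  # Single User (Standard) staging
    STAGED_MULTI = "staged_multi"    # Multi User staging


@dataclass
class Device:
    serial: str
    mode: Mode
    # Set at registration time, or by the first login for a staged device.
    assigned_user: Optional[str] = None
    locked: bool = False


def login(device: Device, user: str, qualified_users: Set[str]) -> str:
    """Model of the login behaviour described in the text.

    Returns 'enrolled', 'locked' or 'denied' and updates the device record.
    """
    if device.locked:
        return "locked"
    if user not in qualified_users:
        # Only users qualified to enroll in Workspace ONE UEM can proceed.
        return "denied"

    if device.mode is Mode.REGISTERED:
        if user == device.assigned_user:
            return "enrolled"
        # Wrong user on a registered device: lock it out; it cannot be enrolled.
        device.locked = True
        return "locked"

    if device.mode is Mode.STAGED_SINGLE:
        if device.assigned_user is None:
            # One-time reassignment to the first qualified user who logs in.
            device.assigned_user = user
            return "enrolled"
        if user == device.assigned_user:
            return "enrolled"
        # Assumption: the one-time reassignment has already happened.
        return "denied"

    # Mode.STAGED_MULTI: the assignment follows whoever logs in.
    device.assigned_user = user
    return "enrolled"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    qualified = {"alice", "bob"}
    registered = Device("R-0001", Mode.REGISTERED, assigned_user="alice")
    staged = Device("S-0001", Mode.STAGED_SINGLE)
    shared = Device("M-0001", Mode.STAGED_MULTI)
    print("registered, wrong user :", login(registered, "bob", qualified))
    print("staged, first login    :", login(staged, "bob", qualified))
    print("staged, second user    :", login(staged, "alice", qualified))
    print("shared, alice then bob :", login(shared, "alice", qualified),
          login(shared, "bob", qualified), "->", shared.assigned_user)
```

The model makes the operational consequence visible: once a registered device has been locked by a wrong-user login, even the intended user cannot recover it by logging in, which is why the text recommends staging when the eventual user is not known in advance.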

Stage a Single-User Device

Single-User Device Staging on the Workspace ONE UEM console allows a single administrator to outfit devices for other users on their behalf, which can be useful for IT administrators provisioning a fleet of devices.

Device staging through Workspace ONE Direct Enrollment is not supported. If you must stage a device, whether for single or multiple users, you must enroll the device using Workspace ONE Intelligent Hub instead of Workspace ONE Direct Enrollment.

Important:

The ability to create staging users is an elevated admin privilege. Restrict permission to create a staging user to specific, trusted administrators. Also, treat staging user credentials as you would any other admin credential and do not disclose them.

Currently, any administrator with the permission to create a user can also create a staging user. Limit this ability by editing the roles assigned to your administrators. Navigate to Accounts > Administrators > Roles. Identify the roles you want to limit and select Edit (the pencil icon) for each of them. Then, in the category path All > Accounts > Users > Accounts, clear the Edit check box for the “Add/Edit” permission.

Note: LDAP binding is required when staging devices. To create this payload, see Binding a Device to the Directory Service in this guide.

This screenshot shows the Accounts Users List View, which enables you to configure staging settings for any device end user.

  1. Navigate to Accounts > Users > List View and select Edit for the user account for which you want to enable device staging.

    This screenshot shows the Add Edit User screen, which enables you to configure staging settings for any device end user.

  2. In the Add / Edit User page, select the Advanced tab.

    1. Scroll down to the Staging section.
    2. For Enable Device Staging, select the Enabled slider. The staging options display.
    3. For Single User Devices, select the Enabled slider.
    4. Toggle the type of single user device staging mode to either Standard or Advanced.

      Standard staging requires an end user to log in after staging, while Advanced means that the staging user can enroll the device on behalf of another user.

    5. Ensure that Multi User Devices is set to Deactivated.

    6. For Android Shared Device Mode, select Native or Launcher as the check-in and check-out mode. Native Android supports simpler use cases that do not require customization. Launcher supports UI customization for complex use cases.
    7. For System Apps, you can enable end user access to system applications.
    8. For Admin Mode Passcode, specify an alphanumeric passcode to troubleshoot a device in admin mode. Tap the Hub icon on the login screen 5 times to access admin mode.

      Result: Single User Devices stages devices for a single user.

  3. Enroll the device using one of the following two methods.

    • Enroll using the Workspace ONE Intelligent Hub by entering a server URL and Group ID.
    • Open the device Internet browser, navigate to the enrollment URL, and enter the proper Group ID.
  4. Enter your staging user’s credentials during enrollment.

    1. If necessary, specify that you are staging for Single User Devices.

      You must do this only if multi-user device staging is also enabled for the staging user.

  5. Complete enrollment for either Advanced or Standard staging.

    1. If you are performing Advanced staging, you are prompted to enter the user name of the end-user device owner who is going to use the device. Proceed with enrollment by installing the Mobile Device Management (MDM) profile and accepting all prompts and messages.
    2. If you are performing Standard staging, then when the end user completes the enrollment, they are prompted to log in.

Results: The device is now staged and ready for use by the new user. If an enrollment terms of use agreement is in place, the staging single-user does not see this TOU agreement prompt until they log into their SSP account.

Stage a Multi-User Device

Multi-user device/shared device staging allows an IT administrator to provision devices intended to be used by more than one user. Multi-User staging allows the device to change its assigned user dynamically as the different network users log into that device.

Device staging through Workspace ONE Direct Enrollment is not supported. If you must stage a device, whether for single or multiple users, you must enroll the device using Workspace ONE Intelligent Hub instead of Workspace ONE Direct Enrollment.

This screenshot shows the Accounts Users List View, which enables you to configure staging settings for any device end user.

  1. Navigate to Accounts > Users > List View and select Edit for the user account for which you want to enable device staging.

    This screenshot shows the Add Edit User screen, which enables you to configure staging settings for any device end user.

  2. In the Add / Edit User page, select the Advanced tab.

    1. Scroll down to the Staging section.
    2. For Enable Device Staging, select the Enabled slider. The staging options display.
    3. Ensure that Multi User Devices is set to Enabled.
    4. For Android Shared Device Mode, select Native or Launcher as the check-in and check-out mode. Native Android supports simpler use cases that do not require customization. Launcher supports UI customization for complex use cases.
    5. For System Apps, you can enable end user access to system applications.
    6. For Admin Mode Passcode, specify an alphanumeric passcode to troubleshoot a device in admin mode. Tap the Hub icon on the login screen 5 times to access admin mode.
  3. Enroll the device using one of the two following methods.
    • Enroll using the Workspace ONE Intelligent Hub by entering a server URL and Group ID.
    • Open the device’s Internet browser, navigate to the enrollment URL, and enter the proper Group ID.
  4. Enter your staging user’s credentials during enrollment. If necessary, specify that you are staging for Single User Devices.

    You must do this only if multi-user device staging is also enabled for the staging user.

Result: The device is now staged and ready for use by the new users.

Self-Enrollment Process

Self-enrollment can require that end users know their appropriate Group ID and login credentials. If you have integrated with directory services, these credentials are the same as the user’s directory service credentials.

You can also associate your email domain with your Workspace ONE UEM environment in a process known as auto discovery. With auto discovery enabled, devices of supported platforms prompt end users to enter their email address. These devices automatically complete enrollment if their email domain (the text after @) matches – without entering a Group ID or enrollment URL. For more information, see Autodiscovery Enrollment.

  1. End users navigate to getwsone.com, which automatically detects whether the Workspace ONE Intelligent Hub is installed.

    If Workspace ONE Intelligent Hub is not installed, the website redirects to the appropriate mobile app store.

  2. After launching the Workspace ONE Intelligent Hub, users enter their credentials – in addition to either an email address or URL/Group ID – and proceed with enrollment.

Supervised Mode

Administrators have the option of enabling Supervised Mode for devices enrolled through Apple Configurator, which enables additional enhanced security features. However, this mode does introduce several limitations on the device.

Enabling Supervised Mode

For more information about enabling devices to operate in Supervised Mode, see the Integrate with Apple Configurator 2 Guide.

Benefits

Once a device is supervised and enrolled in Workspace ONE UEM, the administrator has the following enhanced features available for configuration when compared to normal devices.

  • Elevated Restrictions over MDM
    • Prevent User from Removing Applications. Removing applications can also be restricted locally on the device using restrictions under System Configuration.
    • Prevent AirDrop.
    • Prevent users from modifying iCloud and Mail account settings.
    • Deactivate iMessage.
    • Set iBookstore Content rating restrictions.
    • Deactivate Game Center and iBookstore.
  • Enhanced Security
    • Prevent end users from visiting websites with adult content in Safari.
    • Restrict which devices can connect to specified AirPlay destinations, such as Apple TVs.
    • Prevent the installation of certificates or unmanaged configuration profiles.
    • Force all device network traffic through a global HTTP proxy.
  • Kiosk Mode
    • Lock down devices to one app with single app mode and deactivate the home button.
  • Customize Wallpaper and Text on Device
  • Enable or Clear Activation Lock

Limitations

  • USB access to supervised devices is restricted to the supervising Mac.
  • Cannot copy data to and from the device using iTunes unless the Apple Configurator identity certificate is installed on the device.
    • Media such as photos and videos cannot be copied from the device to a PC or Mac. To transfer this type of data, use the VMware Content Locker to sync the content with the user’s Personal Documents section. Alternatively, a file sharing application can be used to transfer the data over WLAN/WWAN to a server.
  • Supervised mode prevents access to device-side logs using the iPhone Configuration Utility (IPCU).
    • This mode makes it harder to troubleshoot application or device issues, because logs can only be obtained from the device when it is connected to the supervising Mac. To ease some of these challenges, use the Workspace ONE SDK to send logs from your applications to the UEM console.
  • Devices cannot easily be factory reset.
    • Once a device is factory reset, it must be brought back to the supervising Mac to restore it to supervised mode. This can be a problem if the Mac is not near the device.

In deciding whether to enable Supervised Mode, weigh the additional features that enhance security on the device against the USB limitations.

The proximity of the device to the supervising Mac plays an important role in the decision. Since the USB limitation prevents access to device-side logs, a device experiencing issues must be shipped back to a depot and restaged to restore functionality.

Deciding on supervision in advance is important because the process to supervise or “unsupervise” requires the shipping of the device to an IT location or depot.
