Direct Enrollment in Workspace ONE UEM allows you to enroll your devices in the quickest manner possible.
Direct Enrollment represents the smoothest way to enroll devices that are corporate-owned and personally enabled (COPE). The COPE model offers businesses a way to strike a balance between the consumerization of devices and the security and control that IT needs.
As an administrator, you can configure Direct Enrollment with the options you want. These options include an optional prompt, restrict by device type, limit by user group, and defer the installation of apps to the user.
You can enable Workspace ONE ™ Direct Enrollment on the organization group (OG) of your preference. Once enabled, all qualified devices logging in for the first time to Workspace ONE UEM are directly enrolled. Unqualified devices that fall outside the criteria you define are enrolled in an unmanaged or container state.
Direct Enrollment is deactivated by default. To enable Workspace ONE Direct Enrollment, take the following steps.
Switch to the organization group for which you want to enable Direct Enrollment for Workspace ONE.
Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Restrictions tab.
If necessary, select to Override the parent OG's settings.
Scroll down to the Management Requirements for Workspace ONE and select your configuration options.
|Require MDM for Workspace ONE||Prompt qualified devices and users to be enrolled immediately upon login to Workspace ONE.
Devices outside the defined criteria are allowed to enroll in an unmanaged state and can come under management later (Adaptive Management).
|Assigned User Group||This setting specifies the user group you want to include in the direct enrollment process. You can also select All Users which are the default selection when you enable Require MDM for Workspace ONE.|
|iOS||Enable this setting to include iOS devices. Deactivated makes iOS devices not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.|
|Android Legacy||Enable this option to include legacy Android devices. Deactivated makes legacy Android devices not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.|
|Android Enterprise||Enable this setting to include Android Enterprise devices. Deactivated makes Android Enterprise devices not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.|
Results: Only supported options configured on the other enrollment tabs apply to your saved direct enrollment configuration.
What to do next: Once Workspace ONE Direct Enrollment has been enabled, the next step is to Enroll Your Device with Workspace ONE Direct Enrollment. For more information about Direct Enrollment for Workspace ONE Options and Enrollment Options in general, see the other sections on this page.
With Workspace ONE ™ Direct Enrollment enabled, logging into the enrollment organization group using a qualifying device and user with the Workspace ONE app means that you are immediately enrolled.
Your users are also given the chance to install apps immediately which your company finds useful. Alternately, they can skip this step in favor of installing the app later. To enroll a device with Workspace ONE Direct Enrollment, the end user takes the following steps.
The Workspace ONE Direct Enrollment feature works with many of the existing enrollment options and platforms available before the feature's development.
Direct enrollment with Workspace ONE ™ supports the following platforms and enrollment options.
Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment, select each applicable tab, and make your selections based on compatibility with Workspace ONE Direct Enrollment.
The following authentication options are compatible with Workspace ONE Direct Enrollment.
SAML plus Active Directory Users are supported "on-the-fly". SAML without LDAP users is supported so long as the user record pre-exists in Workspace ONE UEM at the time of initial login.
Basic Users, Staging Users, SAML without Directory Users, and Authentication Proxy users are not currently supported.
Workspace ONE does not audit the Require Workspace ONE Intelligent Hub for iOS or macOS settings, which are used to block web enrollment on their respective platforms.
All grouping options are compatible with Workspace ONE Direct Enrollment.
The following restrictions options are compatible with Workspace ONE Direct Enrollment.
The following optional prompts options are compatible with Workspace ONE Direct Enrollment.
The following customization options are compatible with Workspace ONE Direct Enrollment.
Device staging through Workspace ONE Direct Enrollment is not supported. If you must stage a device, whether for single or multiple users, you must enroll the device using Workspace ONE Intelligent Hub instead of Workspace ONE Direct Enrollment.
Parent topic: Device Enrollment