Direct Enrollment in Workspace ONE UEM allows you to enroll your devices in the quickest manner possible.

Direct Enrollment represents the smoothest way to enroll devices that are corporate-owned and personally enabled (COPE). The COPE model offers businesses a way to strike a balance between the consumerization of devices and the security and control that IT needs.

As an administrator, you can configure Direct Enrollment with the options you want. These options include an optional prompt, restrict by device type, limit by user group, and defer the installation of apps to the user.

Enable Direct Enrollment for Workspace ONE

You can enable Workspace ONE ™ Direct Enrollment on the organization group (OG) of your preference. Once enabled, all qualified devices logging in for the first time to Workspace ONE UEM are directly enrolled. Unqualified devices that fall outside the criteria you define are enrolled in an unmanaged or container state.

Direct Enrollment is disabled by default. To enable Workspace ONE Direct Enrollment, take the following steps.

  1. Switch to the organization group for which you want to enable Direct Enrollment for Workspace ONE.
  2. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Restrictions tab.
  3. If necessary, select to Override the parent OG's settings.
  4. Scroll down to the Management Requirements for Workspace ONE and select your configuration options.

    Setting Description
    Require MDM for Workspace ONE Prompt qualified devices and users to be enrolled immediately upon login to Workspace ONE.
    Devices outside the defined criteria are allowed to enroll in an unmanaged state and can come under management later (Adaptive Management).
    Assigned User Group This setting specifies the user group you want to include in the direct enrollment process. You can also select All Users which are the default selection when you enable Require MDM for Workspace ONE.
    iOS Enable this setting to include iOS devices. Disabled makes iOS devices not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.
    Android Legacy Enable this option to include legacy Android devices. Disabled makes legacy Android devices not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.
    Android Enterprise Enable this setting to include Android Enterprise devices. Disabled makes Android Enterprise devices not eligible for direct enrollment, though they can still enroll into Workspace ONE UEM in an unmanaged state.

Results: Only supported options configured on the other enrollment tabs apply to your saved direct enrollment configuration.

What to do next: Once Workspace ONE Direct Enrollment has been enabled, the next step is to Enroll Your Device with Workspace ONE Direct Enrollment. For more information about Direct Enrollment for Workspace ONE Options and Enrollment Options in general, see the other sections on this page.

Enroll Your Device with Workspace ONE Direct Enrollment

With Workspace ONE ™ Direct Enrollment enabled, logging into the enrollment organization group using a qualifying device and user with the Workspace ONE app means that you are immediately enrolled.

Your users are also given the chance to install apps immediately which your company finds useful. Alternately, they can skip this step in favor of installing the app later. To enroll a device with Workspace ONE Direct Enrollment, the end user takes the following steps.

  1. Download, install, and run the Workspace ONE app from the platform-specific app store or repository.
  2. Enter the server URL or email address.
  3. Enter your directory services user name and password.
  4. Install or enable Workspace Services by selecting affirmative steps specific to your platform.
    1. iOS – allow the server to open Settings, enter your device passcode, install an unsigned device profile, and open a screen in Workspace.
    2. Android Legacy – Install Workspace ONE Intelligent Hub, allow it to make and manage phone calls, select ownership for your device with an option to enter the device asset number, activate the device admin application, then sign into Workspace ONE.
    3. Android Enterprise – Accept (or decline) the terms of use agreement, set up the work profile, and create the Workspace ONE passcode.
  5. When Workspace ONE finishes the install routine, you can Continue to install apps.
  6. You can install individual apps selected from a list, Install all, or Skip this step entirely.

Workspace ONE Direct Enrollment Supported Options

The Workspace ONE Direct Enrollment feature works with many of the existing enrollment options and platforms available before the feature's development.

Direct enrollment with Workspace ONE ™ supports the following platforms and enrollment options.

Supported Platforms

  • iOS.
  • Android Legacy.
  • Android Enterprise.

Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment, select each applicable tab, and make your selections based on compatibility with Workspace ONE Direct Enrollment.

Authentication

The following authentication options are compatible with Workspace ONE Direct Enrollment.

  • Directory Users.
  • SAML plus Active Directory Users are supported "on-the-fly". SAML without LDAP users is supported so long as the user record pre-exists in Workspace ONE UEM at the time of initial login.

    Basic Users, Staging Users, SAML without Directory Users, and Authentication Proxy users are not currently supported.

  • Open Enrollment.

  • Workspace ONE does not audit the Require Workspace ONE Intelligent Hub for iOS or macOS settings, which are used to block web enrollment on their respective platforms.

Terms of Use

All terms of use options are compatible with Workspace ONE Direct Enrollment.

Grouping

All grouping options are compatible with Workspace ONE Direct Enrollment.

Restrictions

The following restrictions options are compatible with Workspace ONE Direct Enrollment.

  • Known Users and Configured Groups.
  • Maximum Enrolled Device Limit.
  • Policy settings are partially supported.
    • Allowed Ownership Types – Workspace ONE only prompts for employee-owned and Corporate Dedicated. If you do not want either, disable optional prompt and use the default ownership type.
    • Allowed Enrollment Types are not supported.
  • Device Platform, Device Model, and OS Restrictions are supported.
  • User Group Restrictions.

Optional Prompts

The following optional prompts options are compatible with Workspace ONE Direct Enrollment.

  • Prompt for Device Ownership.
  • Prompt for Asset Number (supported only when Prompt for Device Ownership is enabled).
  • All other optional prompts are not supported.

Customization

The following customization options are compatible with Workspace ONE Direct Enrollment.

  • Use specific Message Template for each Platform.
  • Post-Enrollment Landing URL (iOS only).
  • MDM Profile Message (iOS only).
  • Use Custom MDM Applications.
  • Enrollment Support Email and Enrollment Support Phone are not supported.

Staging

Device staging through Workspace ONE Direct Enrollment is not supported. If you must stage a device, whether for single or multiple users, you must enroll the device using Workspace ONE Intelligent Hub instead of Workspace ONE Direct Enrollment.

Parent topic: Device Enrollment

check-circle-line exclamation-circle-line close-line
Scroll to top icon