Workspace ONE UEM supports several different methods to enroll your Windows 10 devices. Learn which enrollment workflow best serves your needs based on your Workspace ONE UEM deployment, enterprise integrations, and device operating system.

Enrollment Basics

Simplify your end-user enrollments by setting up the Windows Auto-Discovery Service (WADS) in your Workspace ONE UEM environment. WADS is available either as an on-premises deployment or as the cloud-hosted WADS.

The enrollment methods use either the native MDM functionality of the Windows operating system, Workspace ONE Intelligent Hub for Windows, or Azure AD integration.

If you want to use Workspace ONE UEM to manage Windows devices managed by SCCM, you must download the VMware AirWatch SCCM Integration Client. Use this client to enroll SCCM-managed devices into Workspace ONE UEM.

  • Workspace ONE Intelligent Hub for Windows Enrollment

    The simplest enrollment workflow uses Workspace ONE Intelligent Hub for Windows to enroll devices. End users simply download Workspace ONE Intelligent Hub from awagent.com and follow the prompts to enroll.

    Consider using Workspace ONE Intelligent Hub for Windows as your default enrollment workflow. Workspace ONE UEM also supports additional enrollment flows for specific use cases.

  • Azure AD Integration Enrollment

    Through integration with Microsoft Azure Active Directory, Windows devices automatically enroll into Workspace ONE UEM with minimal end-user interaction. Azure AD integration enrollment simplifies enrollment for both end users and admins. Azure AD integration enrollment supports three different enrollment flows: Join Azure AD, Out of Box Experience enrollment, and Office 365 enrollment. All methods require configuring Azure AD integration with Workspace ONE UEM.

    Before you can enroll your devices using Azure AD integration, you must configure Workspace ONE UEM and Azure AD.

  • Native MDM Enrollment

    Workspace ONE UEM supports enrolling Windows Desktop devices using the native MDM enrollment workflow. The name of the native MDM solution varies based on the version of Windows. This enrollment flow changes based on the version of Windows and if you use WADS.

    Only users with local admin permissions on the device can enroll a device into Workspace ONE UEM and enable MDM.

  • Device Staging

    If you want to configure device management on a Windows 10 device before shipping it to your end user, consider using Windows Desktop device staging. This enrollment workflow allows you to enroll a device through Workspace ONE Intelligent Hub, install device-level profiles, and then ship the device to end users. The two methods of device staging are manual installation and command-line installation. Manual installation requires devices to be domain-joined before enrollment. Command-line installation works for all Windows 10 devices.

  • Windows Desktop Auto-Enrollment

    Workspace ONE UEM supports the auto-enrollment of specific Windows Desktop devices purchased from Dell. Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

    Windows 10 Provisioning Service by VMware only applies to select Dell Enterprise devices with the correct Windows 10 image. The auto-enrollment functionality must be purchased as part of the purchase order from Dell.

  • Bulk Provisioning and Enrollment

    Bulk provisioning creates a pre-configured package that stages Windows 10 devices and enrolls them into Workspace ONE UEM. Bulk provisioning requires downloading the Windows Assessment and Deployment Kit (ADK) and installing the Windows Imaging and Configuration Designer (ICD, now called Windows Configuration Designer) tool. This tool creates the provisioning packages used to image devices.

    With the bulk provisioning workflow, you can include Workspace ONE UEM settings in the provisioning package so that provisioned devices automatically enroll during the initial Out of Box Experience.

  • Registered Mode - Enroll Without Device Management

    To allow some Windows devices to enroll into Workspace ONE UEM without device management services, enable Registered Mode. You can assign this mode to an entire organization group or to specific smart groups.

Workspace ONE Intelligent Hub for Windows 10 Enrollment

Workspace ONE Intelligent Hub provides a single resource for enrollment and facilitates communication between the device and the Workspace ONE UEM console. Use Workspace ONE Intelligent Hub to enroll your Windows 10 devices; it gives end users a simplified enrollment flow that is quick and easy.

Consider using Workspace ONE Intelligent Hub for Windows to enroll your Windows Desktop devices as it provides the simplest enrollment flow for users. If you have Workspace ONE configured, downloading Workspace ONE Intelligent Hub from https://getwsone.com/ also downloads the Workspace ONE app. When you finish enrolling with Workspace ONE Intelligent Hub, the Workspace ONE app auto-launches and configures based on your Workspace ONE UEM deployment.

The Workspace ONE Intelligent Hub provides extra functionality to your Windows Desktop devices including location services.

You can simplify enrollment for your end users by using Windows Auto-Discovery. With Windows Auto-Discovery, end users enter only their email address, and the remaining enrollment details (server URL and Group ID) are filled in automatically.

AirWatch Cloud Messaging (AWCM) enables real-time policy and command delivery to Workspace ONE Intelligent Hub. Without AWCM, Workspace ONE Intelligent Hub only receives policy and command delivery during its normal check-in intervals set in the Workspace ONE UEM console. Consider using AWCM for real-time policy and command delivery to Windows Desktop devices.

Procedure to Enroll with the VMware Workspace ONE Intelligent Hub

  1. On the Windows Desktop device, navigate to https://getwsone.com.
  2. Install Workspace ONE Intelligent Hub. When the installation is finished, start Workspace ONE Intelligent Hub.
  3. Enter the email address and select Next.
  4. If you are not using Windows Auto-Discovery, complete the following settings.
    1. Enter the Server URL and select Next.
    2. Enter the Group ID and select Next.
    3. Enter the Username and Password.
  5. Accept the terms of use.
  6. Select Done.
  7. Open Workspace ONE Intelligent Hub and complete the enrollment.

Native MDM Enrollment for Windows Desktop

The native MDM enrollment methods for Windows Desktop all use the Work Access native MDM client. Use native MDM enrollment to enroll both corporate-owned and BYOD devices through the same enrollment flow. You can enroll with or without Windows Auto-Discovery.

When you select Connect, Work Access first processes an Azure AD workflow for domains connected to Office 365 or Azure AD, and it does not automatically continue to the Workspace ONE UEM enrollment workflow. To complete enrollment using native MDM enrollment in this situation, select Connect twice. If you use Office 365 or Azure AD without a premium license, consider using the Workspace ONE Intelligent Hub to enroll Windows 10 devices instead of native MDM enrollment. If you have an Azure AD premium license, you can enable Require Management in your Azure instance so that native MDM enrollment completes the enrollment flow after the Azure workflow. If you do not use Office 365 or Azure AD, native MDM enrollment works without this issue.

Only users who have local admin permissions on the device can enroll a device into Workspace ONE UEM and enable MDM. Domain Admin permissions do not work for enrolling a device. To enroll a device with a standard user, you must use Bulk Provisioning for Windows 10 devices.

By using the Windows Auto-Discovery Service, you simplify enrollment for your end user by reducing the necessary interaction during enrollment.

Devices joined to a domain can enroll using the native Work Access enrollment. The email address entered in the settings is auto-populated from the Active Directory UPN attribute. If the end user wants to use a different email address, they must download the optional update.

Enroll Through Work Access With Windows Auto Discovery

Work Access is the native MDM enrollment method for Windows 10 devices. Enrolling through Work Access and using Windows Auto Discovery provides a quick and easy enrollment flow for end users.

Prerequisites

Registering your domain in Workspace ONE UEM removes the need to enter the Group ID during enrollment.

Note: Consider using the Workspace ONE Intelligent Hub for Windows to enroll your Windows 10 devices instead of using native MDM enrollment. The native MDM enrollment flow does not enroll devices into MDM if you use Office 365 or Azure AD on the same domain.

Procedure

  1. Navigate on the device to Settings > Accounts > Work Access and select Enroll in to device management.
  2. Enter the user name you provided to your end user into the Email text box, followed by the domain for the environment in the format Username@domain.com (such as jdoe1@acme.com). Select Continue.
  3. Enter the Group ID and select Next.
  4. Enter your username and password and select Next. These credentials may be your directory services credentials or dedicated credentials specific to your Workspace ONE UEM environment.
  5. Optional: Review the End User License Agreement and select Accept to agree to the terms of use.
  6. Optional: Select Yes to save sign-in info.

Results

The device then attempts to connect to Workspace ONE UEM. If it connects successfully, a briefcase icon displays with Workspace ONE UEM written next to it. This icon shows your successful connection to Workspace ONE UEM.


Enroll Through Work Access Without Windows Auto Discovery

Work Access is the native MDM enrollment method for Windows 10 devices. Enrolling through Work Access without WADS requires manually entering end-user credentials.

Consider using the Workspace ONE Intelligent Hub for Windows to enroll your Windows 10 devices instead of using native MDM enrollment. The native MDM enrollment flow does not enroll devices into MDM if you use Office 365 or Azure AD on the same domain.

Procedure

  1. Navigate on the device to Settings > Accounts > Work Access and select Enroll in to device management.
  2. Enter the user name you provided to your end user into the Email text box, followed by the domain for the environment in the format Username@domain.com (such as jdoe1@acme.com).
  3. Enter server address as follows: <DeviceServicesURL>/DeviceServices/Discovery.aws. Do not include 'https://' in the URL. Example: ds156.awmdm.com/deviceservices/discovery.aws.
  4. Select Continue.
  5. Enter the Group ID and select Next.
  6. Enter your username and password and select Next. These credentials may be your directory services credentials, or dedicated credentials specific to your Workspace ONE UEM environment.
  7. Optional: Review the End-User License Agreement and select Accept to agree to the terms of use. This screen only displays if you enable it in the console.
  8. Optional: Select Yes to save sign-in info.

Results

The device then attempts to connect to Workspace ONE UEM. If it connects successfully, a briefcase icon displays with Workspace ONE UEM written next to it. This icon shows your successful connection to Workspace ONE UEM.


Windows 10 Device Staging Enrollment

With device staging, you can configure your Windows 10 devices for device management by Workspace ONE UEM before you send the devices to your end users. Learn how to enroll and configure your devices with Workspace ONE Intelligent Hub on behalf of your end users.

Device staging enrollment enables you to enroll your Windows 10 device into Workspace ONE UEM before the end user receives it. This enrollment uses the Workspace ONE Intelligent Hub. After the device enrolls, any assigned device-level profiles download to the device. Once the device is fully enrolled and configured, you can ship the device to your end users. When the end user signs in to the device, the Workspace ONE Intelligent Hub updates the device record in the Workspace ONE UEM console. Workspace ONE UEM reassigns the device to the end user and pushes any user-level profiles to the device.

The two staging methods are:

  • Manual Installation – Download and install the Workspace ONE Intelligent Hub and enter enrollment credentials. This method requires devices to be domain-joined before enrollment.
  • Command Line Installation – Download the Workspace ONE Intelligent Hub and then install and enroll the device using the command line.

The enrollment completes either by updating the device record in the UEM console when a user signs in to a domain-joined device, or by matching the enrolling user against the list of previously registered serial numbers.

Bulk Import Device Serial Numbers

Import device serial numbers for use with device staging to quickly add devices to the Workspace ONE UEM Console. The bulk import requires a CSV file with all the serial numbers to import.

Procedure

  1. Navigate to Accounts > Users > List View or Devices > Lifecycle > Enrollment Status.
  2. Select Add and then Batch Import to display the Batch Import screen.
  3. Complete each of the required options: Batch Name, Batch Description, and Batch Type.
  4. Within the Batch File (.csv) option is a list of task-based templates you can use to load users and their devices in bulk.
  5. Select the appropriate download template and save the comma-separated values (CSV) file to somewhere accessible.
  6. Locate the saved CSV file, open it with Excel, and enter all the relevant information for each of the devices that you want to import. Each template is pre-populated with sample entries demonstrating the type of information (and its format) intended to be placed in each column. Fields in the CSV file denoted with an asterisk (*) are required.
  7. Save the completed template as a CSV file. In the UEM console, select the Choose File button from the Batch Import screen, navigate to the path where you saved the completed CSV file and select it.
  8. Select Save to complete registration for all listed users and corresponding devices.

Carbon Black and Workspace ONE Intelligent Hub for Windows

Do you use Carbon Black for endpoint protection on your Windows 10 devices? You can install Carbon Black on your Windows 10 devices when you install the Workspace ONE Intelligent Hub for Windows.

Enroll your Windows 10 devices with the command-line staging process. Add the Carbon Black-specific silent enrollment parameters with the URL values that you generated in Carbon Black. Entering the generated URLs instructs the Workspace ONE Intelligent Hub to retrieve the Carbon Black sensor kit and the Carbon Black sensor configuration file for installation.

After you install Carbon Black and the Workspace ONE Intelligent Hub, upload the Carbon Black public app to the Workspace ONE UEM console and publish the app to your Windows 10 devices.

For details on how to generate the required URLs for the Carbon Black sensor kit and the Carbon Black sensor configuration file, access the content in the Carbon Black Cloud User Guide. You can sign in to VMware Carbon Black Cloud and select Help > User Guide. Type workspace one in the search bar and press Enter.

Enroll Through Command-Line Staging

Simplify enrollment for end users by staging your Windows Desktop devices using the Windows command line. This enrollment method for Workspace ONE UEM enrolls the device and downloads device-level profiles based on the user credentials entered.

Important: Do not change the name of the AirwatchAgent.msi file, as this breaks the staging command. Also, do not use bulk serial number import if you want to use command-line staging.

Note: Do not use this product to install Workspace ONE Intelligent Hub for Windows silently on BYOD devices. If you silently install onto BYOD devices, you are solely responsible for providing any necessary notices to your device end users regarding your use of silent installation and the data collected from the silently installed apps. You are responsible for obtaining any legally required consents from your device end users, and otherwise complying with all applicable laws.

Procedure

  1. Navigate to https://getwsone.com/ to download Workspace ONE Intelligent Hub for Windows.

    Only download Workspace ONE Intelligent Hub. Do not start the executable or select Run as that initiates a standard enrollment process and defeats the purpose of silent enrollment. If necessary, move Workspace ONE Intelligent Hub from the download folder to a local or network drive folder.

  2. Open a command line or create a BAT file and enter all the necessary paths, parameters, and values.

  3. Run the command.

Results

After the command runs, the device enrolls into Workspace ONE UEM. If the device is domain-joined, Workspace ONE Intelligent Hub updates the Workspace ONE UEM console device registry with the correct user.

Enroll Through Manual Device Staging

Simplify enrollment for end users by staging your Windows 10 devices using the Workspace ONE Intelligent Hub. This enrollment method enrolls the device and downloads device-level profiles so the end user must only log in to the device to begin using it.

Prerequisites

These devices must be joined to a domain.

  1. Navigate to www.awagent.com to download the Workspace ONE Intelligent Hub Installer.
  2. Start the installer once the download completes.
  3. Select Run to begin the installation.
  4. Select Email if you have Auto-Discovery enabled, otherwise select Server Detail.
  5. Complete the settings required based on the authentication type selected.
    1. Enter the email address to auto-fill the server details screen. Select Next and the details are entered.
    2. Enter the Server Name and Group ID if you are not using Auto-Discovery to complete the settings. Select Next.
  6. Enter the staging Username and Password and select Next.
  7. Complete any optional screens.
  8. Select Finish to complete the enrollment.

Results

Once the Workspace ONE Intelligent Hub detects a staging user, the Workspace ONE Intelligent Hub listener runs and waits for the next Windows login. When the end user logs in to the device, the Workspace ONE Intelligent Hub listener reads the user UPN and email from the device registry. This information is sent to the Workspace ONE UEM console, and the device record is updated to register the device to the user.

Silent Enrollment Parameters and Values

Silent enrollment requires command-line entries or a BAT file to control how the Workspace ONE Intelligent Hub downloads and installs onto Windows 10 devices.

Note: Do not use this product to install Workspace ONE Intelligent Hub for Windows silently on BYOD devices. If you silently install to BYOD devices, you are solely responsible for providing any necessary notices to your device end users regarding your use of silent installation and the data collected from the silently installed apps. You are responsible for obtaining any legally required consents from your device end users, and otherwise complying with all applicable laws.

The following tables list the enrollment parameters you can enter into a command line or into a BAT file, and the respective values for each parameter. If you are Enrolling on Behalf of Others (EOBO), ensure you use the EOBO parameters.

General Parameters

  • All MSI parameters - These parameters control the app installation behavior:
    /quiet - Completely silent
    /q - Controls the UI levels for installation
    /passive - Minimal controls for the user to guide the application
    /L - Log levels and log paths. For more information, see https://docs.microsoft.com/en-us/windows/win32/msi/command-line-options.
  • ASSIGNTOLOGGEDINUSER - Select Y to assign the device to the domain user that is logged in. Enter this parameter as the last argument in the command line.
  • DEVICEOWNERSHIPTYPE^ - Select CD for Corporate Dedicated, CS for Corporate Shared, EO for Employee Owned, or N for None.
  • DOWNLOADSBUNDLE - Controls the download of the Workspace ONE application during enrollment. Select TRUE to download the Workspace ONE app installer during the installation of Workspace ONE Intelligent Hub. (When an end user enrolls interactively through Workspace ONE Intelligent Hub, installing Workspace ONE is not optional.) If you do not set DOWNLOADSBUNDLE to TRUE, the Workspace ONE app installer does not download regardless of the UI level used.
  • ENROLL - Select Y to enroll or N for image only. The agent tries to enroll in silent mode only if this parameter is set to Y.
  • IMAGE - This flag takes priority over all other parameters: if it is set to Y, the agent is put into image mode. Select Y for image or N for enrollment.
  • INSTALLDIR^ - Enter the directory path if you want to change the installation path. If this parameter is not present, the Workspace ONE Intelligent Hub uses the default path: C:\Program Files (x86)\AirWatch.
  • LGName - Enter the organization group name (Group ID).
  • PASSWORD - Enter the password for the user you are enrolling, or the staging user password if staging the device on behalf of a user.
  • SERVER - Enter the enrollment URL.
  • USERNAME - Enter the user name for the user you are enrolling, or the staging user name if staging the device on behalf of a user.

Items denoted with a caret (^) are optional.

EOBO Parameters

  • SECURITYTYPE - EOBO workflow only: use this parameter if a user account is added to the Workspace ONE UEM console during the enrollment process. Select D for Directory or B for Basic User.
  • STAGEEMAIL^ - EOBO workflow only: enter the email address for the user you are enrolling.
  • STAGEEMAILUSRNAME^ - EOBO workflow only: enter the email user name for the user you are enrolling.
  • STAGEPASSWORD - EOBO workflow only: enter the password for the user you are enrolling.
  • STAGEUSERNAME - EOBO workflow only: enter the user name for the enrolling user.

Items denoted with a caret (^) are optional.

Carbon Black Parameters

  • CBSENSORCONFIGURL^ - Instructs the Workspace ONE Intelligent Hub for Windows to retrieve the Carbon Black configuration file. Enter the URL for the sensor configuration file that you generated in Carbon Black.
  • CBSENSORURL^ - Instructs the Workspace ONE Intelligent Hub for Windows to retrieve the applicable Carbon Black sensor kit. Enter the URL for the sensor kit that you generated in Carbon Black.

Items denoted with a caret (^) are optional.

Examples of Silent Enrollment

View examples of various use cases using enrollment parameters and the values that you can enter into a command line or use to create a BAT file. Initiating any one of these examples silently enrolls the Windows 10 device without prompting the user to select any of the acknowledgment buttons.

  • Agent Install for Image Only Without Enrollment

    The following is an example of installing the Workspace ONE Intelligent Hub for image only without enrollment using minimum parameters required for image only.

    AirwatchAgent.msi /quiet ENROLL=N IMAGE=Y
    
  • Basic User Enrollment

    The following is an example of using minimum parameters required for basic enrollment only:

    AirwatchAgent.msi /quiet ENROLL=Y IMAGE=N SERVER=companyURL.com LGName=locationgroupid USERNAME=TestUsr PASSWORD=test
    
  • Workspace ONE Intelligent Hub Installed Elsewhere

    The following is an example of the AirwatchAgent.msi located in a different location:

    C:\AirwatchAgent.msi /quiet ENROLL=Y IMAGE=N SERVER=companyURL.com LGName=locationgroupid USERNAME=TestUsr PASSWORD=test
    
  • Installation Directory and Workspace ONE Intelligent Hub on Network Drive

    The following is an example of the installation directory parameter with the Workspace ONE Intelligent Hub on a network drive.

    Important: Enclose the INSTALLDIR value in double quotes when the path contains a space.

    Q:\AirwatchAgent.msi /quiet INSTALLDIR="E:\Install Win32" ENROLL=Y IMAGE=N SERVER=companyURL.com LGName=locationgroupid USERNAME=TestUsr PASSWORD=test
    
  • Available Parameters and Values

    The following snippet shows the syntax using most of the available parameters and values. Separate each parameter with a space.

    msiexec.exe /I "<Path>\AirwatchAgent.msi" /quiet ENROLL=<Y/N> IMAGE=<Y/N> SERVER=<CompanyURL> LGNAME=<Location Group ID> USERNAME=<Staging Username> PASSWORD=<Staging Username Password> STAGEUSERNAME=<Enrolling Username> SECURITYTYPE=<D/B> STAGEEMAILUSRNAME=<User Enrolling> STAGEPASSWORD=<Password for User Enrolling> STAGEEMAIL=<Email Address for User Enrolling> DEVICEOWNERSHIPTYPE=<CD/CS/EO/N> ASSIGNTOLOGGEDINUSER=<Y/N>
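
The following PowerShell script is an added example, not VMware's own tooling, that wraps the command-line staging procedure (Enroll Through Command-Line Staging) and the General, EOBO and Carbon Black parameter tables above in a single run: it refuses to run a renamed or unsigned installer, builds the msiexec argument list (EOBO and Carbon Black parameters are optional), writes a verbose MSI log, and checks the exit code. The default paths, server, Group ID, account names and the expected signer subject are assumptions; replace them with your own values. Pass the staging password at run time rather than saving it in the script or baking the script into an image.

```powershell
# Added example (not VMware's script): silent command-line staging of Workspace ONE
# Intelligent Hub for Windows with msiexec, using only the parameters documented above.
# Run from an elevated prompt on the device being staged. All default values below are
# placeholders (assumptions) to be replaced with your own environment's details.
param(
    [string]$MsiPath    = 'C:\Staging\AirwatchAgent.msi',   # assumption: local copy of the downloaded installer
    [string]$Server     = 'ds156.awmdm.com',                # assumption: your Device Services URL, without https://
    [string]$GroupId    = 'locationgroupid',                # assumption: your enrollment Group ID
    [string]$StageUser  = 'stagingsvc',                     # assumption: a dedicated staging account, not an admin
    [string]$StagePass  = 'replace-at-runtime',             # assumption: pass in at run time, never bake into an image
    [string]$EnrollUser = '',                               # optional EOBO: the end user who will receive the device
    [string]$EnrollPass = '',
    [ValidateSet('D','B')][string]$SecurityType = 'D',      # EOBO: D = directory user, B = basic user
    [string]$CbSensorUrl = '',                              # optional: Carbon Black sensor kit URL generated in Carbon Black
    [string]$CbSensorConfigUrl = '',                        # optional: Carbon Black sensor configuration file URL
    [string]$LogPath    = "$env:ProgramData\HubStaging.log",
    [switch]$AssignToLoggedInUser                           # domain-joined staging: bind the device to the next logon
)

$ErrorActionPreference = 'Stop'

# Only local admins can enroll a device and enable MDM (see the native MDM section above).
$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt; enrollment requires local admin rights.'
}

# Renaming the MSI breaks the staging command, so refuse anything else.
$leaf = Split-Path -Path $MsiPath -Leaf
if ($leaf -ne 'AirwatchAgent.msi') { throw "Installer must be named AirwatchAgent.msi (got $leaf)" }
if (-not (Test-Path -Path $MsiPath)) { throw "Installer not found: $MsiPath" }

# Never run an unsigned or tampered installer as an administrator: check the Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)'; aborting" }
# Assumption: the expected signer subject contains 'VMware'. Pin this to the certificate you actually expect.
if ($sig.SignerCertificate.Subject -notmatch 'VMware') {
    throw "Unexpected installer signer: $($sig.SignerCertificate.Subject)"
}

# Build the msiexec argument list. Credential values are quoted so spaces survive;
# values that themselves contain double quotes are not supported by this simple quoting.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/quiet',
    '/L*v', "`"$LogPath`"",
    'ENROLL=Y', 'IMAGE=N',
    "SERVER=$Server",
    "LGName=$GroupId",
    "USERNAME=`"$StageUser`"",
    "PASSWORD=`"$StagePass`"",
    'DEVICEOWNERSHIPTYPE=CD'
)
if ($EnrollUser) {
    # Enrolling on Behalf of Others: the staging account enrolls, the device is registered to the end user.
    $msiArgs += "STAGEUSERNAME=`"$EnrollUser`"", "STAGEPASSWORD=`"$EnrollPass`"", "SECURITYTYPE=$SecurityType"
}
if ($CbSensorUrl -and $CbSensorConfigUrl) {
    # Hub retrieves the Carbon Black sensor kit and configuration file from these URLs during install.
    $msiArgs += "CBSENSORURL=`"$CbSensorUrl`"", "CBSENSORCONFIGURL=`"$CbSensorConfigUrl`""
}
if ($AssignToLoggedInUser) {
    # The parameter table requires this to be the last argument on the command line.
    $msiArgs += 'ASSIGNTOLOGGEDINUSER=Y'
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0            { Write-Host "Hub installed and silent enrollment started against $Server." }
    { $_ -in 3010, 1641 } { Write-Host 'Hub installed; a reboot is required before enrollment finishes.' }
    default      { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
}

# A verbose MSI log can record the public property values passed on the command line,
# including PASSWORD. Restrict it to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18)
# and delete it once troubleshooting is done.
icacls.exe $LogPath /inheritance:r /grant:r '*S-1-5-32-544:(R)' '*S-1-5-18:(F)' | Out-Null
```

Because the staging credentials travel on the msiexec command line, they are visible in process listings and in the verbose log while the install runs. Use a dedicated staging account with no rights beyond what enrollment needs, and remove the script and its log from the device once staging completes.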
    

Windows 10 Provisioning Service by VMware for Dell Windows 10 Devices

You can auto-enroll the Windows 10 devices you buy from Dell into Workspace ONE UEM before they leave the factory. Learn how to simplify the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

How Does the Process Work?

Windows 10 Provisioning Service by VMware only applies to select Dell devices with the correct Windows 10 image. The auto-enrollment functionality must be purchased as part of the purchase order from Dell. Windows 10 Provisioning Service by VMware only supports Windows 10 Pro, Enterprise, and Education SKUs for Cloud Provisioning.

Windows 10 Provisioning Service by VMware matches registered devices with users and automatically enrolls the device following the Out-of-Box-Experience. When the end user signs in to the device, the provisioning agent on the device receives the profiles and apps assigned to the device and user. This functionality works similarly to the Apple Device Enrollment Program.

When you purchase your Dell devices, Dell supplies Workspace ONE UEM with the device details of the purchased devices. To use auto-enrollment, you must register the serial numbers of all the devices purchased from Dell. Workspace ONE UEM matches the registered serial numbers to the ones provided by Dell for use with auto-enrollment.

You must register the devices with a user account before sending the devices to end users.

Consider configuring the External Access Token authentication method in Workspace ONE Access. External Access Token authentication enables the Workspace ONE app to open automatically and deliver apps to the device. When the feature is enabled, the user is authenticated automatically and sees the first-launch experience that shows the application and policy installation progress.

Important: Devices enrolled through Windows 10 Provisioning Service by VMware do not automatically re-enroll during a factory reset. The Windows 10 Provisioning Service by VMware only works for the first time enrollment.

Configure Windows 10 Provisioning

Configure Windows 10 Provisioning Service by VMware to enroll Dell Windows Desktop devices automatically. Auto-enrollment compares registered device serial numbers against a list provided by Dell to enroll devices as part of the Out-of-Box-Experience.

Prerequisites

Purchase Windows 10 Provisioning Service by VMware as part of your purchase order from Dell.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Auto Enrollment.
  2. Configure the Auto Enrollment settings:

    Auto Enrollment - Select Enable to use Windows 10 Provisioning Service by VMware.
    Sync Interval - Select the interval between sync attempts from the Workspace ONE Intelligent Hub to the Workspace ONE UEM console.
    Enforce Policies Before Log In - Select Enable to enforce the device policies before the user logs in to the device.
    Maximum Time Before Log In - Select the maximum number of minutes that may pass between completing the Out-of-Box-Experience and the user logging in.
  3. Select Save.

  4. Register the device serial numbers with Workspace ONE UEM. This step is required for on-premises customers; for SaaS customers it is completed on your behalf. Validate that device registration records exist and, if they do not, complete one of the following three workflows. In each workflow, you must set the Platform to Windows Desktop.
    1. Navigate to Accounts > Users > Add > Add User and add the user account. When you are done adding the user, select Save and Add Device, then complete the Add Device settings.
    2. Navigate to Accounts > Users > Add > Batch Import. Download and complete the CSV template for User or Device, entering Windows Desktop as the Device Platform. Upload the CSV and select Import.
    3. Navigate to Devices > Lifecycle > Enrollment Status > Add > Register Device.

Workspace ONE UEM and Azure AD Integration

Through integration with Microsoft Azure Active Directory, you can automatically enroll your Windows 10 devices into Workspace ONE UEM with minimal end-user interaction. Learn how Azure AD integration simplifies enrolling your Windows 10 devices.

Before you can enroll your devices using Azure AD Integration, you must configure Workspace ONE UEM and Azure AD. The configuration requires entering information into your Azure AD and Workspace ONE UEM deployments to facilitate communication.

Azure AD integration enrollment supports three different enrollment flows: Join Azure AD, Out of Box Experience enrollment, and Office 365 enrollment. All methods require configuring Azure AD integration with Workspace ONE UEM.

Important: Enrollment through Azure AD integration requires Windows 10 and Azure Active Directory Premium License.

Configure Workspace ONE UEM to Use Azure AD as an Identity Service

Before you can use Azure AD to enroll your Windows devices, you must configure Workspace ONE UEM to use Azure AD as an Identity Service. Enabling Azure AD is a two-step process which requires the MDM-enrollment details to be added to Azure.

Prerequisites

You must have an Azure AD Premium P1 or P2 subscription to integrate Azure AD with Workspace ONE UEM. Azure AD integration with Workspace ONE UEM must be configured at the organization group where directory services (such as LDAP) are configured.

Important: If you are setting the Current Setting to Override on the Directory Services system settings page, the LDAP settings must be configured and saved before enabling Azure AD for Identity Services.

Procedure

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  2. Enable Use Azure AD for Identity Services under Advanced settings. Copy the MDM Enrollment URL and the MDM Terms of Use URL because you must enter them in to Azure.
  3. Log in to the Azure Management Portal with your Microsoft account or organizational account.
  4. Select your directory and navigate to the Mobility (MDM and MAM) tab.
  5. Select Add Application, select the AirWatch by VMware application, and select Add.
  6. Select the AirWatch by VMware app that you added to change the MDM user scope to All.
  7. Paste your MDM Terms of Use URL from the Workspace ONE UEM console into the MDM terms of use URL text box in Azure. Paste your MDM Enrollment URL from the Workspace ONE UEM console into the MDM discovery URL text box in Azure.
  8. Add an on-premises app by selecting Add Application > On Premises MDM application, and then selecting Add.
  9. Select the On Premises MDM application again and configure it. Set the MDM user scope to All or Some and select a group of users.
  10. Enter the Workspace ONE UEM console URLs to the On Premises MDM application and save the settings.
    1. Paste your MDM Terms of Use URL from the Workspace ONE UEM console into the MDM terms of use URL text box in Azure.
    2. Paste your MDM Enrollment URL from the Workspace ONE UEM console into the MDM discovery URL text box in Azure.
  11. Select On-premises MDM application settings > Expose an API.
  12. Select Edit for Application ID URI and enter your Device Services URL in the Application ID URI text box. Save the settings.
  13. You can select and assign premium licenses in Azure.
    1. In the Microsoft Azure console, select Azure Active Directory > Licenses and select All Products. Select the proper license in the list.
    2. Select Assign, select the users or groups for the license, and select Assign.
  14. Copy the Directory ID and the primary domain to enter into the Workspace ONE UEM console.
    1. Navigate to the Properties tab and find the Azure Directory ID and copy it.
    2. Select Custom domain names and copy the Name that is listed as the primary domain.
  15. Return to the Workspace ONE UEM console and select Use Azure AD for Identity Services to configure Azure AD Integration.
  16. Enter the directory ID you copied to the Directory ID text box.
  17. Enter the primary domain you copied in Tenant Name text box.
  18. To finish the process, select Save.

Enroll a Device with Azure AD

Enroll devices with Azure AD integration to enroll a device into the correct organization group in Workspace ONE UEM automatically. Devices enrolled through Azure AD join completely, meaning all users on the device join the domain.

This enrollment flow is for devices not already joined to Azure AD.

Procedure

  1. Navigate on the Windows 10 device to Settings > Accounts > Access Work or School. Select Continue.
  2. Enter your Email Address. Select Next.
  3. Ensure that the Workspace ONE UEM welcome page displays. Select Continue.
  4. Select Accept if terms of use are enabled.
  5. Select Join to confirm that you want to enroll in Workspace ONE UEM.
  6. Select Finish to complete joining your device to Workspace ONE UEM. Your device now downloads the applicable policies and profiles.

Enroll an Azure AD Managed Device into Workspace ONE UEM

Devices that are joined to Azure AD use a different enrollment flow than devices enrolling through Azure AD integration. Use this enrollment flow to enroll a device that is already joined to Azure AD into Workspace ONE UEM.

Prerequisites

  • Windows 10 OS build 14393.82 and above.
  • KB update KB3176934 installed.
  • No MDM applications installed under your Azure AD management portal.
  • Azure AD account configured on the device.

Procedure

  1. On the device, navigate to Settings > Accounts > Access work or school and select Enroll only in device management. You may also enroll through the Workspace ONE Intelligent Hub for Windows.
  2. Complete the enrollment process. You must enter an email address with a different domain than your Azure AD account.
    1. If you are using Windows Auto-Discovery, see Enroll Through Work Access With Windows Auto-Discovery.
    2. If you are not using Windows Auto-Discovery, see Enroll Through Work Access Without Windows Auto-Discovery.
  3. Navigate to Settings > Accounts > Access work or school and ensure that there is an Azure AD account and a Workspace ONE UEM MDM account added.

    Azure AD and Workspace ONE UEM accounts
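The last step of this procedure has you confirm in the Settings app that both an Azure AD account and a Workspace ONE UEM MDM account are present. The following PowerShell check is an added example, not part of the Workspace ONE UEM documentation, that performs the same confirmation from an elevated prompt so it can be scripted across a fleet. It assumes that `dsregcmd /status` prints "Name : Value" lines including an `AzureAdJoined` field, that each MDM enrollment is a subkey under `HKLM:\SOFTWARE\Microsoft\Enrollments` carrying `ProviderID`, `UPN` and `DiscoveryServiceFullURL` values, and the host name `ds.example.com` is a placeholder for your own Device Services host.

```powershell
# Added example (not from the Workspace ONE UEM documentation): confirm from
# PowerShell that a device is Azure AD joined and also holds an MDM enrollment.
# Assumptions: dsregcmd /status prints "Name : Value" lines including
# "AzureAdJoined"; each MDM enrollment is a subkey of
# HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID, UPN and
# DiscoveryServiceFullURL values. Run from an elevated PowerShell prompt.

function Get-DsregStatus {
    # Flatten the dsregcmd report into a hashtable keyed by field name.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-MdmEnrollment {
    # Enumerate enrollment records written by the Windows MDM client.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $key.PSPath
        # Skip helper subkeys that carry no provider information.
        if (-not $props.PSObject.Properties['ProviderID']) { continue }
        [pscustomobject]@{
            EnrollmentId = $key.PSChildName
            ProviderID   = $props.ProviderID
            UPN          = $props.UPN
            DiscoveryUrl = $props.DiscoveryServiceFullURL
        }
    }
}

function Test-AzureAdAndMdmState {
    param(
        # Placeholder: the host name of your Workspace ONE UEM Device Services URL.
        [Parameter(Mandatory)][string]$UemDiscoveryHost
    )
    $ds  = Get-DsregStatus
    $uem = @(Get-MdmEnrollment | Where-Object {
        $_.DiscoveryUrl -and (([uri]$_.DiscoveryUrl).Host -ieq $UemDiscoveryHost)
    })
    $azureJoined = ($ds['AzureAdJoined'] -eq 'YES')

    # Step 2 of the procedure requires the MDM account to use a domain that
    # differs from the Azure AD account, so surface the enrollment UPN for review.
    [pscustomobject]@{
        AzureAdJoined    = $azureJoined
        UemMdmEnrolled   = ($uem.Count -gt 0)
        UemEnrollmentUpn = ($uem | Select-Object -First 1).UPN
        Healthy          = $azureJoined -and ($uem.Count -gt 0)
    }
}

# Usage: replace the placeholder host with your own Device Services host.
Test-AzureAdAndMdmState -UemDiscoveryHost 'ds.example.com' | Format-List
```

A device that passed the procedure reports `AzureAdJoined` and `UemMdmEnrolled` both true, and `UemEnrollmentUpn` should show an address whose domain differs from the Azure AD account, as step 2 requires. If `Healthy` is false on a device that appeared to enroll, compare the listed accounts under Settings > Accounts > Access work or school with the enrollment records the script found.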

Enroll Through Out of Box Experience

Out of Box Experience (OOBE) enrollment automatically enrolls a device into the correct organization group as part of the initial setup and configuration of a Windows 10 device.

Important: The OOBE enrollment flow does not support Enterprise Wipe. If you perform an enterprise wipe, users cannot log into the device because the connection to Azure AD has been broken. You must create a local admin account before sending an Enterprise Wipe or you get locked out of the device and are forced to reset it.

Prerequisites

The OOBE process can take some time to complete on end-user devices. Consider enabling the progress display for the install status. This display lets end users know where they are in the process. To enable the display, navigate to Groups & Settings > All Settings > General > Enrollment > Optional Prompt. To display the status of profiles during enrollment, you must enable the Track Profile Status during OOBE Provisioning option in the General profile settings.

An animated GIF displaying the Out of Box Experience Progress Display in action

Procedure

  1. Power on the device and follow the steps to configure Windows until you reach the Choose how you'll connect screen.

    Choose how you'll connect

  2. Select Join Azure AD. Select Continue.

  3. Enter your Azure AD/Workspace ONE UEM email address as the Work or school account.

    Enter your email

  4. Enter your Password. Select Sign In.

  5. Ensure that the Welcome to AirWatch screen displays. Select Continue.

    Ensure you get the welcome screen

  6. Select the Device Ownership type and enter the Asset Number if applicable. Select Next.

  7. Select Accept if terms of use are enabled.
  8. Select Join to confirm that you want to enroll in Workspace ONE UEM.
  9. Select Finish to complete joining your device to Workspace ONE UEM. Your device now downloads the applicable policies and profiles.

Enroll Through Office 365 Apps

If your organization uses Office 365 and Azure AD integration, end users can enroll their devices the first time they open an Office 365 app.

Procedure

  1. Select Add a Work Account the first time you open an Office 365 application.
  2. Enter your Email Address and Password. Select Sign In.
  3. Ensure that the Workspace ONE UEM welcome page displays. Select Continue.
  4. Select Accept if terms of use are enabled.
  5. Select Join to confirm that you want to enroll in Workspace ONE UEM.
  6. Select Finish to complete joining your device to Workspace ONE UEM. Your device now downloads the applicable policies and profiles.

Bulk Provisioning and Enrollment for Windows 10 Devices

Bulk provisioning lets you create a pre-configured package that stages Windows 10 devices and enrolls them into Workspace ONE UEM. Learn how to use bulk provisioning to enroll and configure multiple devices with a standard user account.

This enrollment flow is the only way to enroll a device with a standard user account. Admin permissions are still required to run the pre-configured package. Bulk provisioning only supports single user standard staging.

To use bulk provisioning, download the Microsoft Assessment and Deployment Kit and install the Imaging and Configuration Designer (ICD) tool. The ICD creates provisioning packages used to image devices. As part of these provisioning packages, you can include Workspace ONE UEM configuration settings so that provisioned devices are automatically enrolled into Workspace ONE UEM during the initial Out of Box Experience (OOBE).

To map the devices to the correct end user automatically, register the devices per user or using a bulk import before creating the provisioning package.

Enroll with Bulk Provisioning

The Microsoft Imaging and Configuration Designer tool allows you to create a provisioning package to enroll multiple Windows 10 devices into Workspace ONE UEM quickly and easily. Once the package is installed, the device automatically enrolls into Workspace ONE UEM.

Procedure

  1. Download the Microsoft Assessment and Deployment Kit for Windows 10 and install the Windows Imaging and Configuration Designer tool (ICD).
  2. Start the Windows ICD and select New Provisioning Package.
  3. Enter a Project Name and select the settings to view and configure. The typical choice is the Common to all Windows desktop editions option.
  4. (Optional) Import a provisioning package if you want to create a provisioning package based on the settings of a previous package.
  5. Navigate to Runtime Settings > Workplace > Enrollments.
  6. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Staging and Provisioning. When you navigate to this settings page, a staging user is created and URLs pertaining to the created staging user display. You can create your own staging user for use with bulk provisioning, but the settings displayed on this settings page do not apply to any created users.
  7. Copy the UPN and paste it into the UPN text box of the ICD.
  8. Select the down arrow next to Enrollments in the Available Customizations window.

    Enrollments in the Available Customizations

  9. Configure the following settings.

    1. Select AuthPolicy and select the value displayed in the Workspace ONE UEM console.
    2. Select DiscoveryServiceFullURL and copy the URL displayed in the Workspace ONE UEM console.
    3. Select EnrollmentServiceFullURL and copy the URL displayed in the Workspace ONE UEM console.
    4. Select PolicyServiceFullURL and copy the URL displayed in the Workspace ONE UEM console.
    5. Select Secret and copy the value displayed in the Workspace ONE UEM console.
  10. Select File > Save to save the project.
  11. Select Export > Provisioning Package to create a package for use with bulk provisioning, then select Next.
  12. Save the Encryption password for later use if you choose to encrypt the package and then select Next.
  13. Save the package to a USB drive for transfer to each device you want to provision. You can also email the package to the device.
  14. Select Build to create the package.

Install Bulk Provisioning Packages

After you create the provisioning packages using the Microsoft Imaging and Configuration Designer, you must install the provisioning package onto the end-user devices.

  1. On the device you want to provision, navigate to Settings > Accounts > Work Access and select Add or remove a package for work or school. If the package was emailed, start the package from your mail client.
  2. Select Add a package and select the Removable Media choice as the method to add the package.
  3. Select the correct package from the list provided.

    If you added the device to the user account in the Workspace ONE UEM console before provisioning, the device is assigned upon enrollment.
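The procedure above installs the package through the Settings app. The following PowerShell function is an added example, not part of the Workspace ONE UEM documentation, that applies the same package silently and then confirms Windows lists it as installed, which is the form you would use when staging many devices from a script. It assumes the package was exported without the optional encryption from step 12, that the Windows 10 Provisioning module cmdlets `Install-ProvisioningPackage` and `Get-ProvisioningPackage` are available, that the objects `Get-ProvisioningPackage` returns expose `PackageName` and `PackageId`, and that the package file is named after the ICD project name; the path `E:\uem-enroll.ppkg` and the log directory are placeholders.

```powershell
# Added example (not from the Workspace ONE UEM documentation): apply a bulk
# provisioning package from PowerShell instead of the Settings app, then
# confirm Windows lists it as installed.
# Assumptions: the package is unencrypted; the path is a placeholder; the
# Provisioning module cmdlets Install-ProvisioningPackage and
# Get-ProvisioningPackage are available (Windows 10), and the objects they
# return expose PackageName and PackageId. Run from an elevated prompt.

function Install-UemProvisioningPackage {
    param(
        # Placeholder path to the .ppkg exported from the ICD (step 13).
        [Parameter(Mandatory)][string]$PackagePath,
        # Name ICD assigned to the package; defaults to the file base name.
        [string]$PackageName = [System.IO.Path]::GetFileNameWithoutExtension($PackagePath),
        [string]$LogDirectory = "$env:ProgramData\UemProvisioning"
    )

    if (-not (Test-Path -Path $PackagePath -PathType Leaf)) {
        throw "Provisioning package not found: $PackagePath"
    }
    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null

    # The package embeds the staging UPN and Secret from step 9, so record
    # which exact file was applied to this device for later audit.
    $sha256 = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash

    # -QuietInstall suppresses the consent dialog; -ForceInstall re-applies a
    # package that was already installed, which lets you re-stage a device.
    Install-ProvisioningPackage -PackagePath $PackagePath `
        -QuietInstall -ForceInstall -LogsDirectoryPath $LogDirectory | Out-Null

    # Confirm the package now appears in the installed list.
    $installed = @(Get-ProvisioningPackage -AllInstalledPackages |
        Where-Object { $_.PackageName -eq $PackageName })

    [pscustomobject]@{
        PackagePath  = $PackagePath
        Sha256       = $sha256
        Installed    = ($installed.Count -gt 0)
        PackageId    = ($installed | Select-Object -First 1).PackageId
        LogDirectory = $LogDirectory
    }
}

# Usage (placeholder path): run on the device being staged.
Install-UemProvisioningPackage -PackagePath 'E:\uem-enroll.ppkg' | Format-List
```

Because the package carries the staging user's Secret, treat the .ppkg file like a credential: prefer the encryption option from step 12 when the package travels on removable media or by email, and remove the file from the device once `Installed` reports true. The SHA-256 recorded in the output lets you later match the device to the exact package revision that was applied.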

Enroll with Registered Mode

Windows 10 devices enrolled through the Workspace ONE Intelligent Hub or OOBE are MDM managed by default. To allow Windows devices to enroll without MDM management, you can enable registered mode (unmanaged) for an entire organization group or with smart groups and specific criteria.

Registered mode supports the listed enrollment methods.

  • Staging Users
    • Command line staging
    • Manual device staging
    • Silent enrollment parameters and values
  • Workspace ONE Intelligent Hub for Windows with SAML authentication

Enable registered mode by organization groups or by smart groups. When you use smart groups, group devices for registered mode by OS version, platform, ownership type, or users.

With registered mode enrollment, users can use a subset of Workspace ONE services without MDM management, including Workspace ONE Assist, VMware Workspace ONE Tunnel, Digital Employee Experience Management (DEEM), and Workspace ONE Hub Services.

Procedure

  1. In the Workspace ONE UEM console, select the organization group to be enabled with registered mode enrollment and navigate to Devices > Devices Settings > Device & Users > General > Enrollment > Management Mode.
  2. For Current Setting, select Override.
  3. For Windows, select Enabled.
  4. Select Enabled for All Windows devices in this Organization Group.
  5. Optionally, you can add smart groups that are enabled for registered mode enrollments in Windows Smart Groups.
  6. Save your settings.

Results

Users with Windows devices from the configured smart group or the specified organization group can use product capabilities without MDM management. Device information and management capabilities from within the console are limited. Only the relevant profiles are installed on these devices.

Windows 10 Enrollment Statuses

If you look at enrollment settings on the Devices > Devices Settings > Devices & Users > General > Enrollment page, you see three general enrollment scenarios for Windows 10 devices.

  • Open Enrollment

    Allows anyone meeting other enrollment criteria (authentication mode, restrictions, and so on) to enroll.

  • Registered Devices Only

    Allows users to enroll using devices you or they have registered. Device registration is the process of adding corporate devices to the Workspace ONE UEM console before they are enrolled. This matrix applies to devices that register without a token.

  • Require Registration Token

    If you restrict enrollment to registered devices only, you also have the option of requiring a registration token to be used for enrollment. This increases security by confirming that a particular user is authorized to enroll.

Device Type

The type of device guides how the Workspace ONE UEM system tracks and displays the device's enrollment status.

  • Allowlisted devices - The Workspace ONE UEM admin adds a list of devices that are pre-approved to enroll.
  • Denylisted devices - The Workspace ONE UEM admin adds a list of devices that are not allowed to enroll.
  • Registered devices (without attributes) - The Workspace ONE UEM admin registers devices by adding device information to the console. If the admin does not enter device attributes, the system uses device information, which includes user, platform, model, and ownership type.
  • Registered devices (with attributes) - The Workspace ONE UEM admin registers devices by adding device attributes to the console. Device attributes include UDID, IMEI, and serial number.

Enrollment Lifecycle for Devices

Device enrollment with Workspace ONE UEM has three general stages.

  1. (Optional) Admins register devices or users self-register their devices in Workspace ONE UEM.

    Registration helps restrict enrollment.

  2. Device users or admins enroll devices with Workspace ONE UEM.

  3. Device users or admins unenroll devices with Workspace ONE UEM.

Console Displays Set Statuses

The enrollment type, device type, and stage of enrollment dictate the Enrollment Status and Token Status displayed for Windows 10 devices on the Devices > Lifecycle > Enrollment Status page.

Open Enrollment

| Type | Registered devices - Enrollment Status | Registered devices - Token Status | Enrolled devices - Enrollment Status | Enrolled devices - Token Status | Unenrolled devices - Enrollment Status | Unenrolled devices - Token Status |
|---|---|---|---|---|---|---|
| Allowlisted device | Registered | Compliant | Enrolled | Compliant | Unenrolled | Compliant |
| Denylisted device | Denylisted | Non-Compliant | Not Applicable | Not Applicable | Not Applicable | Not Applicable |
| Registered device without attributes (attributes are Serial Number, IMEI, and UDID) | Registered | Registration Active | Enrolled | Registration Active | Registered | Registration Active |
| Registered device with attributes (attributes are Serial Number, IMEI, and UDID) | Registered | Registration Active | Enrolled | Registration Active | Registered | Registration Active |

Registered Devices Only (No Token)

| Type | Registered devices - Enrollment Status | Registered devices - Token Status | Enrolled devices - Enrollment Status | Enrolled devices - Token Status | Unenrolled devices - Enrollment Status | Unenrolled devices - Token Status |
|---|---|---|---|---|---|---|
| Allowlisted device | Registered | Compliant | Enrolled | Compliant | Unenrolled | Compliant |
| Denylisted device | Denylisted | Non-Compliant | Not Applicable | Not Applicable | Not Applicable | Not Applicable |
| Registered device without attributes (attributes are Serial Number, IMEI, and UDID) | Registered | Registration Active | Enrolled | Registration Active | Registered | Registration Active |
| Registered device with attributes (attributes are Serial Number, IMEI, and UDID) | Registered | Registration Active | Enrolled | Expired | Registered | Registration Active |

Require Registration Token

| Type | Registered devices - Enrollment Status | Registered devices - Token Status | Enrolled devices - Enrollment Status | Enrolled devices - Token Status | Unenrolled devices - Enrollment Status | Unenrolled devices - Token Status |
|---|---|---|---|---|---|---|
| Registered device without attributes (attributes are Serial Number, IMEI, and UDID) | Registered | Registration Active | Enrolled | Not Applicable | Unenrolled | Registration Expired |
| Registered device with attributes (attributes are Serial Number, IMEI, and UDID) | Registered | Registration Active | Enrolled | Not Applicable | Unenrolled | Registration Expired |