Workspace ONE Access with Hub Services provides a pre-hire onboarding experience through Workspace ONE Intelligent Hub on a web browser to give users that are hired, but have not started to work, access to resources before their start date.

Workspace ONE Access generates a one-time-use access token, called a magic link, that you send in an email to pre-hires. They click the link to access a New Hire Welcome page in the Workspace ONE Intelligent Hub portal.

The welcome page guides the pre-hire through the steps to set up their account in your organization. You configure the welcome page content including adding a welcome message and up to four account setup tasks that the pre-hire can do from the welcome page.

You customize the Hub onboarding template to guide pre-hires to resources in Workspace ONE Intelligent Hub that can help them be prepared to start working on day one.

External Systems Required to Be in Place in Your Organization

Your organization must be running these types of external tools to help build the pre-hire onboarding processes in Workspace ONE Intelligent Hub.

  • Human Resource Information System (HRIS) such as Workday or SuccessFactors.
  • Orchestration and provisioning system, such as Dell Boomi or Saviynt to prepare the Workspace ONE Access API.
  • Email delivery system, such as SendGrid, Eloqua, Workday.

Workspace ONE Access Prerequisites Required in Your Organization Before Configuring Day Zero Onboarding

  • An Active Directory group created that is dedicated to pre-hire users. All pre-hires are added to this group when they sign the offer letter. The user remains in the pre-hire group until their start date.
  • The Active Directory pre-hire group must be synced to the Workspace ONE Access directory.
  • User authentication must be set to Workspace ONE Access in the Workspace ONE UEM console.
Note: If you change the Active Directory group that is designated for pre-hire users, you must re-save the Hub Services Onboarding template to set up the new directory group in the onboarding template. Go to the Hub Services console > Template > Onboarding and click Save.

Workspace ONE Access Tasks to Implement Day Zero Onboarding

You configure the pre-hire user group in the Workspace ONE Access service and set up an authentication method associated to the pre-hire user group. The following is a list of the tasks performed in the Workspace ONE Access service.

  • Configure the Token Auth Adapter as the authentication method and enable Token Auth in the built-in identity provider that is associated with the director that is syncing the pre-hire user group from Active Directory.
  • Edit the default access policy to create a rule for pre-hires to access the magic link.
  • Create a one-time access link to the magic link, which the administrator sends in an email to the pre-hire.
  • Entitle apps to the pre-hire group that they can access from the Hub catalog, and exclude the pre-hire group from other apps.
Tip: Pre-hire users should be added only to the pre-hire group. Do not add them to other Active Directory groups. If pre-hire users are part of other groups in Workspace ONE Access, the apps entitled to those groups are also visible to the pre-hire user.

Limit the number and type of apps that are enabled for the pre-hire group or for individual pre-hire users. Only enable the apps that are required to complete the pre-hire steps configured in the New Hire Welcome page and to prepare for their day one start.

Hub Services Tasks to Prepare Workspace ONE Intelligent Hub for Pre-Hires

In the Hub Services console, you configure the following pre-hire experiences.

  • In the New Hire Welcome page, set up the steps to enroll the pre-hire into a multi-factor authentication app such as RSA SecurID Token or RADIUS. After the authentication steps, you can set up additional steps to other pre-hire tasks.
  • In the Templates page, configure the Onboarding Template to customize the Workspace ONE Intelligent Hub web interface specific to pre-hire user's access requirements.