Mobile Endpoint Enrollment and Management in Workspace ONE

by | Apr 12, 2022 | MDM, VMware Workspace ONE

Mobile Endpoint Enrollment and Management in Workspace One allows the admin to centrally and remotely onboard endpoint user devices and to secure and manage them as well.


Introduction

In recent times, with remote working conditions and Bring Your Own Device (BYOD) policies, more and more employees are using personal devices to perform corporate tasks. Advances in cloud technology and in the capabilities of personal devices have further enabled end users to reach corporate servers from those devices. These personal devices are not secured, and they connect over local networks that the enterprise does not control. This creates security challenges and endpoint vulnerabilities for enterprises: attackers who gain access through these unsecured networks can reach sensitive corporate data and hold the enterprise to ransom.

This has driven the growth of Enterprise Mobility Management (EMM) solutions. With Unified Endpoint Management (UEM) under EMM, the admin can centrally and remotely enroll, secure, and manage endpoint user devices on a single platform. EMM also offers Mobile Device Management (MDM) and Mobile Application Management (MAM) capabilities. MDM allows the admin to secure and manage enrolled endpoint devices, whereas MAM allows the admin to deploy, secure, and manage the applications on those devices. Workspace One by Airwatch is one such Enterprise Mobility Management solution.

Unified Endpoint Management

In an enterprise or organization, Unified Endpoint Management refers to securely managing all endpoints with one comprehensive solution. Asset footprints in today’s organizations are growing rapidly, and with ever-increasing numbers of endpoints such as laptops, desktops, tablets, and smartphones, managing these assets has become more challenging. Endpoint management becomes even harder with devices that are used outside the organization’s network or with heterogeneous device fleets. Employing endpoint management software, especially a UEM solution, is the best way to ensure enterprise devices are managed properly.

Features of UEM:

  • Single Solution Architecture: A single, centralized platform for endpoint management avoids complicated integrations among different software products on multiple platforms. The admin no longer needs to compile reports from different sources, evaluate them, and compare them.
  • Ease of Onboarding: With a Unified Endpoint Management (UEM) platform, devices go from out-of-the-box to in-use faster and with better baselining, because the organization can easily push out device policies, applications, and environments.
  • Robust IT Security: Security is one of the key concerns for any organization today. Recent ransomware, malware, and fileless malware attacks show how dangerous zero-day vulnerabilities can be. A unified endpoint management solution makes it easy for IT admins to monitor suspicious activity across all endpoints.
  • Improved Visibility: Using UEM software, enterprises can monitor vulnerable systems, inventory, usage, and much more from a central location. This visibility provides not only the ability to diagnose, troubleshoot, and resolve issues remotely but also opportunities for cost saving.
  • Unified Corporate Environment: All the advantages of a unified endpoint management platform come together to deliver its single greatest benefit to organizations, a unified corporate environment that optimizes the experience across the network.

Different Unified Endpoint Management (UEM) Solutions

Unified endpoint management (UEM) software is used to remotely supervise business data, security, licenses, applications, and usage on a fleet of devices. UEM unifies other endpoint-focused management solutions, such as mobile device management (MDM) software, mobile application management (MAM) software, endpoint management software, patch management software, and more. Modern UEM focuses on a wide range of endpoints, including (but not limited to) desktops, tablets, mobile phones, wearables, and IoT devices.

Internal IT and security teams benefit most from UEM software. These tools provide a comprehensive inventory of all devices, whether BYOD (bring your own device), company-owned, or otherwise used for business purposes at a company. Ensuring that device licenses, accessible data, and application software are all properly secured is one of the features UEM offers businesses. The usage data UEM software provides is also valuable for understanding how often and how intensively employees use their devices.

To qualify for inclusion in the Unified Endpoint Management (UEM) category, a product must:

  • Manage several endpoint types beyond mobile only, including desktop, IoT, and wearables.
  • Customize devices for integration with WiFi, VPN, business-required applications, etc.
  • Make sure endpoint employee devices are compliant with business requirements and regulations.
  • Protect employees, data, and the company from potential vulnerabilities or malware.

Some of the UEM solutions available are:

Citrix Workspace

Citrix Workspace is a secure, unified, and intelligent digital workspace designed to improve the employee experience and enable employees to be more productive anytime, anywhere, without distractions. Citrix Workspace automates, organizes, and guides work with personalized workflows and customized interfaces that enable employees to stay engaged in innovative, meaningful work that drives the enterprise forward. Citrix Workspace delivers security at every level of the workspace technology stack, including industry-leading solutions for content collaboration, endpoint management, access control, workspace intelligence, virtual apps and desktops, and analytics, while giving IT control for simplified management, security, and compliance and maintaining end-to-end visibility.

Microsoft Intune

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). The admin can control how the organization’s devices, including mobile phones, tablets, and laptops, are used. The admin can also configure specific policies to control applications; for example, the admin can prevent emails from being shared with people outside the organization. Intune is used where people use their personal devices for school or work within an organization. Intune helps make sure the organization’s data stays protected on personal devices and can isolate organization data from personal data.

Intune is part of Microsoft’s Enterprise Mobility and Security (EMS) suite. Intune integrates with Azure Active Directory (Azure AD) to manage who has access and what they can access, and with Azure Information Protection for data protection. The Microsoft 365 suite of products can also integrate with this service; for example, the admin can configure and deploy Microsoft Teams, OneNote, and other Microsoft 365 apps to devices. This feature enables people in the organization to be productive on all of their devices while keeping the organization’s information protected by the policies the admin creates.

With Intune, the admin can:

  • Be co-managed with Configuration Manager and Intune, or choose to be 100% cloud with Intune.
  • On personal and organization-owned devices, set rules and configure settings to access data and networks.
  • Authenticate and deploy apps on devices, both mobile and on-premises.
  • Protect enterprise data by restricting the way users access and share information.
  • Make sure apps and devices are compliant with the security policies.

Scalefusion

Ambitious companies around the world trust Scalefusion to secure and manage endpoints, including smartphones, rugged devices, tablets, laptops, Point of Sale (POS) terminals, and digital signage. Scalefusion aims to make device management simple and effortless while providing world-class customer support. Scalefusion simplifies the management of a diverse fleet across operating systems such as Android, iOS, macOS, and Windows 10. BYOD (Bring Your Own Device), dedicated-device, and COPE (Corporate-Owned, Personally Enabled) deployment scenarios are supported. Over 6000 businesses globally rely on Scalefusion to manage their company-owned and employee-owned (BYOD) devices. Organizations big and small from sectors like Retail, Education, Logistics, Healthcare, Financial Services, and many more use Scalefusion.

Ivanti Unified Endpoint Manager

Ivanti Management Suite helps the admin establish intelligent, integrated control over users’ multi-platform desktops and mobile devices and increases IT productivity. It empowers administrators to quickly fix user issues, automate software and operating system deployments, and discover software assets. It integrates with multiple Ivanti solutions within a unified Management Suite experience, providing foundational data and actions that deliver a quick ROI and reduce operational overhead.

VMWare Workspace One

VMware Workspace ONE is an intelligence-enabled digital workspace platform that allows the admin to securely and simply deliver and control any app on any device, anywhere.

  • Unified Endpoint Management: Consolidate management silos across mobile devices, desktops, rugged devices, and “things,” reducing costs and improving security with real-time, over-the-air management across all use cases.
  • Intelligence Across the Digital Workspace: Aggregate and correlate data across the entire digital workspace to drive analytics, insights, and powerful automation of common IT tasks, strengthening security and reducing costs while improving the user experience.
  • Virtual Desktops and Apps: Transform traditional VDI and published apps while providing simplicity, speed, flexibility, and scale, and gain a common control plane across the multi-cloud.
  • Simplify Zero Trust Security: Combine intrinsic security across devices, users, and apps to simplify the enablement of zero trust access control. Industry-leading modern management makes zero trust access models a reality.

IBM Security MaaS360 with Watson

IBM Security MaaS360 with Watson is a unified endpoint management (UEM) solution that transforms the way organizations support users, content, apps, and data across every type of device. It is a cloud-based open platform that integrates with preferred productivity and security tools, allowing modern business leaders to get immediate value.

Sophos Mobile

Sophos Mobile is a Unified Endpoint Management (UEM) solution with which businesses spend less time and effort managing and securing traditional mobile endpoints. Sophos Mobile manages and secures macOS, Windows 10, Android, and iOS devices from the easy-to-use unified Sophos Central admin interface, alongside other security products from Sophos, and is the only UEM solution that integrates natively with a leading next-gen endpoint security platform. Sophos Mobile is the leading way to consolidate endpoint management for comprehensive security and consistent policies while allowing users to be productive on the devices they prefer, with industry-leading mobile threat defense (MTD) using Intercept X for Mobile and best-in-class data protection.

WizyEMM

WizyEMM is part of www.wizy.io, a Startup Studio created in 2015 and dedicated to B2B SaaS solutions built on Google technologies. Wizy leverages the power of the Cloud, AI, and mobile adoption to develop disruptive Cloud SaaS solutions for innovative customers. Its mission is to deliver innovative digital cloud solutions for mobility by leveraging the Google hyperscale Cloud Platform, Android Enterprise, and Artificial Intelligence services. WizyEMM is built around the newest Android Enterprise technologies, the Android Management API, and managed Google Play. WizyEMM is built to disrupt the market with an Android-focused, cloud-native EMM that is easy to use, offered on a monthly pay-as-you-go basis with a very competitive pricing model.

Codeproof Enterprise Mobility Management

Codeproof offers simple, fast, and integrated security and mobile management solutions for mobile endpoints, with an emphasis on corporate data leakage prevention. The company is particularly well known for simple UX design and best-in-class customer support. The Codeproof platform is the flagship product, an MDM solution offering an industry-leading feature set with easy onboarding and a simple interface. SiteSecure® is a BYOD solution that blocks phone cameras inside specified spaces such as factories and office campuses to prevent IP theft, data theft, and other security breaches. DriveSafe is a distracted-driving solution combining software and hardware for transportation, trucking, and taxi companies to avoid high costs and legal liability. Codeproof Technologies Inc. is a Delaware corporation headquartered in Bellevue, WA, with a branch office in Bengaluru, India.

Cubed Mobile

Cubed Mobile transforms one mobile into two by encapsulating an entire business smartphone in a super-app. The centrally managed, self-contained, fully functional virtual smartphone can be installed on any device, delivering a complete workspace combined with a unified communication hub. By eliminating the need for employees to have a second SIM and/or a second device, the technology accelerates workforce digital transformation, creating complete separation between personal life and work (different contacts, ringtones, phone numbers, apps, etc.) with flexibility, security, and control. The intuitive UI allows for a shallow learning curve and minimal training. Meanwhile, complete corporate control of the super-app eases the management of BYOD environments, strengthens security, and smooths communications coordination companywide. From international helpdesk to conference calls and from sales to support, it strengthens team collaboration.

Configure Workspace ONE UEM

Introduction

The following section sets up a cloud-based Workspace ONE environment. The procedures build upon one another and are sequential, so ensure that each procedure and step in this section is completed before going on to the next procedure.

Prerequisites

The admin must have the following components installed and configured before they can perform the procedures in this exercise:

  • An on-premises Active Directory with users available to add to the Workspace ONE UEM tenant.
  • A Windows Server machine from which to access Workspace ONE through a web browser.

Free trial

Complete the following steps to begin a 30-day trial of Workspace ONE, which includes a cloud-based deployment of Workspace ONE UEM as well as Workspace ONE Access.

1. Access Free Trial

  • Go to http://www.air-watch.com and select 30 Day Free Trial.
  • Provide the required information and select Start Your Free Trial.
  • Wait for 24 hours for the request to process.

2. Record Environment Details

3. Workspace ONE Access Account Information

  • Provide Username
  • Provide Password
  • Provide hostname for Workspace ONE Access server

4. VMware Workspace ONE UEM Information

  • Provide Username
  • Provide Password
  • Provide hostname for VMware Workspace ONE UEM server

Now that the admin has created an account for a cloud-based Workspace ONE trial and made a note of the environment details, they are ready to sign in to the Workspace ONE UEM Console and run the Getting Started wizard.

Launching the Workspace ONE UEM Console

The Workspace ONE UEM Console is used to monitor and manage every feature of the Mobile Device Management (MDM) deployment. With this web-based, single resource, the admin can manage profiles, configure system settings, and quickly and easily add new devices and users.

This activity signs in to the Workspace ONE UEM Console, using the credentials received in the activation email, and sets up the Getting Started wizard.

  1. Launch the Chrome browser. On the desktop, double-click the Google Chrome icon.
  2. Navigate to the VMware Workspace ONE UEM Console.
    For instance, go to HTTPS://<WorkspaceONEUEMHostname>, where WorkspaceONEUEMHostname is the hostname of the Workspace ONE UEM console.
  3. Authenticate into the Workspace One UEM Console.
  4. Provide the Username, for instance, administrator, and click Next. After the admin selects Next, the Password text box is shown.
  5. Provide the Password. For instance, VMware1!
  6. Click Sign In.
  7. Accept the license agreement. Review the End User License Agreement and click Accept.
  8. Configure Security Settings.
  9. Configure the settings for the Password Recovery Question:
  • Scroll down to view the Security PIN section and Password Recovery Questions.
  • Keep the default question selected for Password Recovery Question.
  • Provide the Password Recovery Answer. For instance, VMware1!
  • For Confirm Password Recovery Answer, re-enter the answer. For example, VMware1!
  • Configure the Security PIN within the Workspace ONE UEM Console to protect certain administrative functions.
  • Provide the Security PIN. For example, 1234.
  • Provide the PIN again for Confirm Security PIN. For instance, 1234.
  • Select Save.

10. Close the Welcome Message

11. After completing the Security Settings, the admin is presented with the Workspace ONE UEM Console Highlights pop-up box.

12. Select the Don’t show this message on the sign-in check box.

13. Close the pop-up in the upper-right corner by clicking on the X.

Running the Workspace ONE Getting Started Wizard

Introduction

This exercise helps the admin complete the initial configuration of a cloud-based Workspace ONE environment by navigating through the Getting Started wizard. The procedures build upon one another and are sequential, so ensure that each procedure in this section is completed before moving to the next procedure.

Prerequisites

The admin must have the following components installed and configured before they can perform the procedures in this exercise:

  • An on-premises Active Directory with users available to add to the Workspace ONE UEM tenant.
  • A Windows Server machine from which to access Workspace ONE using a web browser.

Navigating the Getting Started Wizard

The Getting Started wizard helps with the initial configuration of Workspace ONE and is split into four modules. It can be started, paused, and restarted later, and for ease of use it tracks progress. Previous settings can also be reviewed and changed.

This activity guides the admin to navigate the Getting Started wizard.

  1. Go to the Workspace ONE module. Go to Getting Started and click Workspace ONE to open the Workspace ONE module.
  2. Explore the Getting Started wizard.

The following buttons and icons should be noted:

  • Incomplete – Shown next to steps that have not been customized.
  • Configure – Click this button to begin defining settings.
  • Complete – Shown next to a completed step.
  • Edit – Review or change a completed step’s settings.

Scroll down and open the remaining modules to review their sections and steps. Use the percentage counter in the upper-right corner to track the configuration progress.

Generating the Apple Push Notification Service Certificate

The Apple Push Notification service (APNs) is the messaging protocol created by Apple for managing mobile devices. Workspace ONE UEM needs a valid APNs certificate to manage iOS devices. The following steps generate the APNs certificate.

  1. Configure Apple Push Notification Service (APNs): Within Workspace ONE UEM Console, Go to the Workspace ONE Getting Started wizard.
  • Click on Getting Started.
  • Select Workspace ONE.
  • Go to Apple Push Notification Service (APNs).
  • Select Configure.

2. Download Certificate Request

3. Click MDM_APNsRequest.plist under Download Certificate Request.

4. Select Continue.

5. Provide the Corporate Apple ID email address that will be used to manage all Apple devices for your organization.

6. If the admin does not have a Corporate Apple ID, create an Apple ID.

7. Create a Certificate

  • Navigate to the Apple Push Certificates Portal and authenticate with the Corporate Apple ID credentials.
  • Complete the following steps to create the APNs certificate:
  • Provide the corporate Apple ID.
  • Provide the Apple ID password.
  • Select Sign In.
  • Select Create a Certificate.

8. Upload Certificate Signing Request

9. Click Choose File and choose the MDM_APNsRequest.plist file the admin previously downloaded.

10. Click on Upload.

11. Download Certificate: Click on Sign-on

12. Complete Certificate Generation: in the Workspace ONE UEM Console, return to the Getting Started wizard, and click Next.

Downloading the Employee Email Template

1. Download Email Template

  • Navigate to the Workspace ONE Getting Started wizard in Workspace ONE UEM Console.
  • Select Getting Started.
  • Select Workspace ONE.
  • Go to the Employee Email Template.
  • Click on Download.

2. Select Email Template

3. Select a category from the drop-down menu. For instance, Enrollment.

4. Select a message template. For instance, User Activation.

5. Click View to see the email template.

6. Edit and Copy Email Template

7. The admin can edit the email template, or copy it and save it for later use.

8. Confirm Email Template Download

9. When the admin is finished, the Employee Email Template section should be marked as Complete.

Retrieving the Group ID from Workspace ONE UEM Console

This activity retrieves the Group ID from the Workspace ONE UEM Console. The Group ID is required when enrolling a device.

In the Workspace ONE UEM Console:

  • Point the mouse over the Organization Group tab at the top of the screen.
  • The Group ID is displayed at the bottom of the Organization Group pop-up.

Enrolling Android Devices

Before Android devices can communicate with the Workspace ONE UEM console and access internal content and features, each Android device in the organization’s deployment must be enrolled.

The Workspace ONE Intelligent Hub provides device and connection details and provides a single resource to enroll a device. Hub-based enrollment enables the admin to:

  • Authenticate users using basic or directory services, such as SAML, tokens, AD/LDAP/Domino, or proxies.
  • Allow users to self-register, or register devices in bulk.
  • Define approved OS versions, models, and the maximum number of devices per user.
  • Authenticate enrollment during auto-enrollment using Workspace ONE Access.

Android EMM Registration (Devices & Users, Android)

The various options for enrolling with Android can be configured with Android EMM Registration. This page uses a wizard to help the admin set up the integration for devices. Before beginning enrollment, enable these settings.

Enrollment Settings

  • Work Managed Enrollment Type (Non-G Suite only): The admin chooses whether devices should be linked with the enrollment user or with the device. User-Based is preferred when using paid apps, for optimal license allocation, and for most BYOD use cases. Device-Based is preferred for scenarios where a single user will not be linked with the device (such as kiosks).
  • If the admin cannot communicate with Google Play or is operating on a closed network, select AOSP/Closed Network. No Google account is created on these devices, and public app management through managed Google Play is not available with AOSP/Closed Network enrollment. This setting applies only to devices enrolled in that organization group; the parent organization group can still have devices on Work Managed enrollment using a Google account.
  • In some instances, the admin might want to enroll GMS and non-GMS devices in the same organization group without having to create multiple organization groups for device management. If QR code enrollment is used for these devices, the admin can configure the Enrollment Configuration wizard to force AOSP/Closed Network enrollment regardless of the enrollment type set in this field.
  • If Device-Based is selected, only device-based accounts should be used; this applies to COPE on Android 8.0, Android 10, and Android 11 devices. This is useful for staging and for single-use scenarios such as kiosk devices.
  • Fully Managed Device Enrollments: Choose whether enrolled devices will use Corporate Owned Personally Enabled mode or Work Managed Device mode.
  • Work Profile Enterprise Wipe User Message: Customize a toast message to display on user devices when the admin has performed an enterprise wipe from the UEM console. This message is also generated when the admin performs an enterprise wipe from the Device Details page. The message displays after the enterprise wipe is complete, and the user does not need to take any action on their device.

Enrollment Restrictions

  • Define the enrollment method for this Organization Group: Choose whether to Always Use Android (Legacy) or Always Use Android, and define the assignment group that uses Android.
  • Assignment Groups: Select a smart group from the drop-down menu.
    When a smart group (or groups) is selected, users or devices that do not belong to that group go through Android legacy enrollment (device administrator). Devices that belong to the smart group enroll in Work Profile or Work Managed mode, assuming they support these enrollment modes.
  • Allow Work Profile Enrollment: Use this setting to block employee-owned devices from enrolling in Work Profile mode.

Device Protection for Android Devices

  • In Android OS 5.1 and above, the Device Protection feature requires the Google credentials previously entered on the device to be entered again after a device is reset. When a device is ready to be enrolled as an Android Work Managed device, it must be factory reset.
  • To avoid triggering Device Protection, the secure lock screen has to be disabled and any existing Google account has to be deleted from the device before the reset, so that the Workspace ONE Intelligent Hub can be installed during enrollment. This prevents the new user from being locked out of the device when using it from the factory reset state.
  • Unless the admin has explicitly disabled Android Device Protection on them, the admin must wait three days before factory resetting any Android 5.1+ device for enrollment if a prior owner changed the Google account password. If the admin factory resets one of the Android devices before those three days are up and then tries to log into that device with the Google account, an error message is displayed and sign-in to the device with any account is not allowed until 72 hours after the password reset happened.

Enable Unmanaged Enrollment for Android Devices

  • To allow some Android devices without Google services to enroll into Workspace ONE UEM, the admin must enable Registered Mode.
  • By default, devices onboarded through the Intelligent Hub app are MDM managed. To allow some Android devices to enroll without MDM management, the admin must enable the unmanaged mode for a smart group.
  • The selection criteria available are ownership type, OS version, and user group.
  • With unmanaged enrollment, users can access applications that require only a basic level of security. When users try to access an app that requires management, they are guided through the MDM enrollment process. The admin can use the adaptive management app policies to control device management levels for Android devices enrolled without management.
  1. In the Workspace ONE UEM console, select the organization group to be enabled for unmanaged enrollment, then go to Devices, navigate to Devices Settings, go to Devices & Users, select General, click Enrollment, and open the Management Mode page.
  2. Select Override in Current Settings.
  3. Select Enabled for Android.
  4. Under Smart Groups, add the smart group that is enabled for unmanaged enrollment.
  5. Click Save.
  • Users with Android devices in the configured smart group are entitled to unmanaged access to apps. Users can use the Workspace ONE Intelligent Hub app to access applications that require only a basic level of security without the device being enrolled into Workspace ONE UEM Mobile Device Management.
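The two sections above (Enrollment Restrictions and Enable Unmanaged Enrollment) describe a decision the console makes for each enrolling Android device: smart-group membership, evaluated from ownership type, OS version and user group, selects Registered Mode, Work Profile, Work Managed or legacy device administrator enrollment. The following Python model is an added example written for this article, not Workspace ONE code; the Device and SmartGroup structures, the field names and the sample devices are assumptions constructed to illustrate the rules as the text states them.

```python
"""Model of the Android enrollment-mode decision described on this page.

Added example, not Workspace ONE code. Rules modelled from the text:
  - a device matching the unmanaged (Registered Mode) smart group enrolls
    without MDM; opening an app that requires management triggers MDM
    enrollment instead;
  - a device matching the Android assignment smart group enrolls in
    Work Profile (employee owned) or Work Managed (corporate owned) if it
    supports those modes; Work Profile is blocked when the
    "Allow Work Profile Enrollment" setting is off;
  - everything else falls back to Android (Legacy) device administrator.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    """Assumed device record; the page lists these three selection criteria."""
    name: str
    ownership: str               # "corporate" or "employee"
    os_version: Tuple[int, int]  # e.g. (11, 0)
    user_group: str
    supports_work_modes: bool    # can enroll in Work Profile / Work Managed


@dataclass
class SmartGroup:
    """Assumed smart-group definition; an empty set means 'any'."""
    ownerships: Set[str] = field(default_factory=set)
    min_os: Tuple[int, int] = (0, 0)
    user_groups: Set[str] = field(default_factory=set)

    def matches(self, d: Device) -> bool:
        return ((not self.ownerships or d.ownership in self.ownerships)
                and d.os_version >= self.min_os
                and (not self.user_groups or d.user_group in self.user_groups))


@dataclass
class OrgGroupSettings:
    """Assumed organization-group settings named on the page."""
    unmanaged_enabled: bool                 # Management Mode: Enabled for Android
    unmanaged_group: Optional[SmartGroup]   # smart group enabled for unmanaged enrollment
    android_group: Optional[SmartGroup]     # Assignment Group; None = Always Use Android (Legacy)
    allow_work_profile: bool                # Allow Work Profile Enrollment


def enrollment_mode(settings: OrgGroupSettings, device: Device,
                    app_requires_management: bool = False) -> str:
    """Return the enrollment mode the page's rules assign to one device."""
    if (settings.unmanaged_enabled and settings.unmanaged_group
            and settings.unmanaged_group.matches(device)
            and not app_requires_management):
        return "Registered Mode (unmanaged)"
    if (settings.android_group and settings.android_group.matches(device)
            and device.supports_work_modes):
        if device.ownership == "employee":
            return "Work Profile" if settings.allow_work_profile else "Blocked"
        return "Work Managed"
    return "Android (Legacy) device administrator"


# Constructed sample settings: contractors' BYOD phones on Android 8+ may use
# Registered Mode; every Android 8+ device is in the assignment group.
SAMPLE_SETTINGS = OrgGroupSettings(
    unmanaged_enabled=True,
    unmanaged_group=SmartGroup(ownerships={"employee"}, min_os=(8, 0),
                               user_groups={"contractors"}),
    android_group=SmartGroup(min_os=(8, 0)),
    allow_work_profile=True,
)

# Constructed sample fleet.
SAMPLE_DEVICES = [
    Device("corp-tablet", "corporate", (11, 0), "staff", True),
    Device("byod-phone", "employee", (10, 0), "staff", True),
    Device("contractor-phone", "employee", (9, 0), "contractors", True),
    Device("old-phone", "corporate", (7, 1), "staff", False),
]


def enroll_fleet(settings: OrgGroupSettings = SAMPLE_SETTINGS,
                 devices=SAMPLE_DEVICES) -> Dict[str, str]:
    """Evaluate every device and return {device name: enrollment mode}."""
    return {d.name: enrollment_mode(settings, d) for d in devices}


if __name__ == "__main__":
    for name, mode in enroll_fleet().items():
        print(f"{name:18} -> {mode}")
```

Running the block prints one line per sample device. The contractor phone lands in Registered Mode, but calling enrollment_mode with app_requires_management=True for the same device yields Work Profile, which is the "guided through the MDM enrollment process" path the text describes; turning allow_work_profile off blocks that BYOD device instead.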

The Apple Device Enrollment Program

Before devices can communicate with Workspace ONE UEM and access Mobile Device Management (MDM) features and internal content, each device in the organization’s deployment must be enrolled in the organization’s environment. iOS devices enroll using the MDM functionality built into the native OS.

Enrollment Requirements

  • The admin or end users must gather specific information to enroll an iOS device. Whether the admin linked an email domain to the environment as part of auto-discovery determines which information the users need.
  • If an email domain is linked with the environment, end users need only provide an email address and credentials (and sometimes select a Group ID from a list) to complete enrollment. As end users likely already know this information, this choice simplifies enrollment.
  • If the admin does not configure an email domain for enrollment, users are additionally prompted for the Enrollment URL and Group ID, which the admin must provide to them.

Single Device Enrollment

The device management capabilities available for enrolled devices depend on the type of enrollment the admin chooses. Workspace ONE UEM provides a matrix comparing the features supported by Hub-based and agentless enrollment types. This matrix can be used to determine which type of enrollment meets the organization’s needs.

Hub-Based Enrollment

The Hub-based enrollment process secures the connection between iOS devices and the Workspace ONE UEM environment through the Workspace ONE Intelligent Hub app. The Workspace ONE Intelligent Hub application facilitates enrollment and allows real-time management and access to device information. Hub-based enrollment is best suited to deployments where users have an Apple ID available, because they must download the Workspace ONE Intelligent Hub from the App Store.

Browser-Based Enrollment

The admin can also enroll devices through the iOS device’s built-in Safari browser using a web-based enrollment process. This approach is best suited to deployments where users do not have an Apple ID available with which to download the Workspace ONE Intelligent Hub.

Bulk Device Enrollment

The admin may want to enroll devices in bulk depending on the deployment type and device ownership model. Using the Apple Business Manager’s Device Enrollment Program (DEP) and Apple Configurator 2, Workspace ONE UEM provides bulk enrollment capabilities.

Bulk Enrollment with Apple Configurator 2

Take advantage of the unique setup capabilities that Apple Configurator 2 offers with Workspace ONE UEM, such as complete backup prevention and iOS version enforcement. Using Apple Configurator 2 on a macOS computer, the admin can bulk-enroll devices over a USB connection.

Bulk Enrollment with Apple Device Enrollment Program

Deploying a bulk enrollment using the Apple Device Enrollment Program (DEP) allows the admin to install a non-removable MDM profile on a device, which prevents end users from removing the profile from their device. The admin can also provision devices in Supervised mode to access additional security and configuration settings.

iOS Device Enrollment Requirements

Whether or not the admin links an email domain to their environment as part of auto-discovery, the admin or end users need to provide certain information to enroll an iOS device. If an email domain is linked to the environment, users need:

  • Email address – An email address belonging to the organization, for instance Michael@acme.com.
  • QR Code – A QR code generated from the UEM console and received through email, which users can scan.
  • Apple ID – Needed by each user performing Hub-based enrollment.

If an email domain is not linked to the environment, end users are prompted to provide an email address. Since auto-discovery is not enabled, end users are also asked for the following information:

  • Enrollment URL – This URL is unique to the organization’s enrollment environment and takes the user directly to the enrollment screen. For instance, HTTPS:// .com/enroll.
  • Group ID – This Group ID is configured in the UEM console for a given organization group and links a user’s device with their corporate role. To view the current Group ID, point to the organization group drop-down menu.

Enroll an iOS Device with the Workspace ONE Intelligent Hub

The Hub-based enrollment process provides a secure connection between an iOS device and the Workspace ONE UEM environment. The Workspace ONE Intelligent Hub application facilitates enrollment and allows for access to device information and real-time management.

Web enrollment is also allowed, but if the admin wants to take full advantage of the Workspace ONE Intelligent Hub capabilities, the admin can require users to enroll through the Workspace ONE Intelligent Hub. This setting prevents end users who have not downloaded the Workspace ONE Intelligent Hub from enrolling.

Go to Groups & Settings, navigate to All Settings, click on Devices & Users, select General, click on Enrollment, select Authentication, and choose Require Hub Enrollment for iOS.

Perform the following steps to enroll an iOS device with the Workspace ONE Intelligent Hub:

  1. Open getwsone.com from the Safari browser. The end user is automatically prompted to go to the App Store and download the Workspace ONE Intelligent Hub application by Workspace ONE UEM. Follow the download prompts. An Apple ID for the iTunes store is required to download the Workspace ONE Intelligent Hub.
  2. Select the Workspace ONE Intelligent Hub application, then choose one of the following authentication methods:
    1. Email Address – Select this if auto-discovery is configured in the environment. In addition, the admin might be prompted to select a group from a drop-down menu.
    2. Server Details – Select this option to enroll using the server URL. The server URL is the network location of the organization’s Workspace ONE UEM instance, together with the Group ID of the group associated with the device.
    3. QR Code – Select this to scan, with the device, the QR code received through email or from the Support tab.
  3. Provide the credentials, which can be a Token, a Username and Password, or a combination of both, to authorize the device.
    1. A Captcha code appears if the admin enters the credentials incorrectly. Enter the displayed Captcha code to complete the authentication.
    2. Complete the following process flow as determined by the administrator. Click on Next after each page is completed.
      1. If applicable, select the Device Ownership type.
      2. If applicable, accept the organization’s Terms of Use.
  4. If applicable, provide the device Asset Number.
  5. After reviewing the privacy collection information, click on Next. Once redirected to the Safari web view, a prompt to download the MDM profile appears with the following message:
    1. This website is attempting to download a configuration file. Do you want to allow this?
    2. Click Allow, and when the download is complete, select Close.
      1. For iOS 12.2 and later devices, tap Continue and open Hub, then follow the instructional screens to install the MDM profile and agree to the MDM warning message by selecting Install.
      2. For devices below iOS 12.2, install the MDM profile when prompted and agree to the MDM warning message by selecting Install.
    3. Select Allow to download the MDM profile.
    4. Install the MDM profile. Accept any prompts for trust, if applicable.
    5. Navigate back to Hub once the MDM profile is installed.
    6. Select Done to complete enrollment. A success message is shown, and the enrollment to Workspace ONE UEM is now finished.
      1. Set up a passcode if prompted, or enter additional credentials for shared devices. To set up a passcode, log in to the Self-Service Portal and follow the instructions.
      2. Optionally, select Open to see the Workspace ONE Intelligent Hub details.

Enroll an iOS Device with the Safari Browser

Using a web-based enrollment process, the admin can enroll devices through the iOS device’s built-in Safari browser. This approach is best suited to deployments where users do not have an existing Apple ID with which to download the Workspace ONE Intelligent Hub.

Perform the following steps to enroll an iOS device using the web-based enrollment process:

  1. Open the Safari browser on the iOS device.
  2. Go to https://<Environment_URL>.com/enroll.
  3. Choose Group ID or Email Address (if auto-discovery is set up for your environment) to enroll the iOS device. Click on Next.
  4. Provide the credentials, either a Token or a Username and Password, or a combination of both, to authenticate the device.
    1. A Captcha code appears if the admin enters the credentials incorrectly. Provide the displayed Captcha code to complete the authentication. Then complete the following process flow as determined by the administrator, clicking on Next after each page is completed.
    2. If applicable, choose the Device Ownership type.
    3. If applicable, provide the device Asset Number.
    4. If applicable, accept the organization’s Terms of Use.
  5. Download the MDM profile when prompted. The following message is shown:
    This website is attempting to download a configuration file. Do you want to allow it?
  6. Click on Allow and, when the download is done, click on Close.
  7. The profile has been successfully installed. The admin can view the profile in Settings and continue with the installation.
  8. After downloading the MDM profile, install it. If applicable, agree to any prompts for trust.
    • For devices below iOS 12.2, install the MDM profile when prompted and agree to the MDM warning message by clicking on Install.
    • For iOS 12.2 and later devices, go through the instructional screens to install and configure the MDM profile, and accept the MDM warning message by selecting Install.

Note: The admin can also perform an agentless web-based enrollment without using the Workspace ONE Intelligent Hub. To continue with an agentless enrollment, go to Groups & Settings, navigate to All Settings, go to Devices & Users, click on General and make sure that the Require Hub Enrollment for iOS check box is not selected.

Bulk Enrollment of iOS Devices Using Apple Configurator

On a macOS computer, the admin can use Apple Configurator to configure and deploy iOS devices in bulk. By using Workspace ONE UEM with Apple Configurator, the admin benefits from continued management visibility of devices, life-cycle management beyond the initial configuration, and complete backup prevention.

With Apple Configurator, the admin can:

  • Prepare a single, central backup image to consistently mass-configure devices.
  • Install the Workspace ONE UEM MDM profile as part of the configuration to enroll and manage devices.
  • Assign devices to specific users before enrolling with Configurator by adding registered device details, such as the IMEI or serial number, to the user’s registered device in the UEM console.
  • Configure and update corporate device settings and apps over the air in Workspace ONE UEM.

Device Enrollment with the Apple Business Manager’s Device Enrollment Program

The Device Enrollment Program (DEP) helps make the most of Apple devices enrolled in Mobile Device Management (MDM).

With DEP, the admin can:

  • Install a non-removable MDM profile on a device, prohibiting end users from deleting the MDM profile.
  • Provision devices in Supervised mode (iOS only). In Supervised mode, devices can access additional security and configuration settings.
  • Enforce enrollment for all end users.
  • Customize and streamline the enrollment process to meet the organization’s needs.
  • Prevent iCloud backup by disabling users from logging in with their Apple ID when generating a DEP profile.
  • Force iOS updates for all end users.

User Enrollment

User Enrollment is a new enrollment method for iOS 13 and later devices that enables the admin to effectively manage applications, settings, and corporate data while protecting user privacy and personal data. With User Enrollment, the admin can configure profiles, install applications, and issue commands specific to a managed user container on the device, instead of to the entire device.

  • User Enrollment is achieved through an MDM profile installed on the device during enrollment, which carries a user context known as a Managed Apple ID. The user context directs the device to prompt the user for their Managed Apple ID credentials in order to install the MDM profile. After enrollment, a separate Apple File System (APFS) volume is created for the managed data. The user’s data is kept private because data in the personal volume cannot be accessed from the managed volume.
  • Because of the creation of the new managed data volume, many existing management capabilities are not possible, for privacy reasons. For instance, any app installed manually by the user from the App Store is considered personal and cannot be managed by MDM. To be managed, such user-installed apps must first be uninstalled and then reinstalled by Workspace ONE UEM.
  • For this reason, Workspace ONE does not permit User Enrollment using the Intelligent Hub app. If the user has already installed the Intelligent Hub, uninstall it and reinstall it through MDM so that the app’s data can be accessed by other Workspace ONE SDK-enabled apps.

User Enrollment Settings

Enable the User Enrollment option for iOS devices on the Enrollment settings page of the Workspace ONE UEM console (navigate to Groups & Settings, go to All Settings, click on Devices & Users, select General, and click on Enrollment). Enabling this option allows supported iOS 13 and later devices to enroll in the Organization Group using Apple’s User Enrollment method. User Enrollment uses the user’s Managed Apple ID instead of the enrollment user name to identify which user is enrolling the device. The Managed Apple ID should match a user’s email address within Workspace ONE UEM.

Enroll an iOS 13 or later device federated to Azure AD using User Enrollment with Managed Apple IDs in Apple Business Manager. Separating managed data from personal data on user enrolled devices gives users an enhanced privacy focus while still furnishing the core management capabilities, such as configuring WiFi, installing apps, and requiring a passcode.

Before User Enrollment, ensure that the following prerequisites are met:

  • An unsupervised iOS 13 or later device
  • Apple Business Manager with federation to Azure AD
  • Exactly one enrollment user in Workspace ONE UEM with an email address that matches a Managed Apple ID in Apple Business Manager
  • Azure AD

For enrolling an iOS device:

  1. Open the Safari browser on the iOS 13 or later device and go to the enterprise environment’s User Enrollment URL. The URL is the device services hostname with the /enroll/user path appended. For instance: https://ds22.awmdm.com/enroll/user
  2. Provide the enrollment user’s email address, which corresponds to a Managed Apple ID.
  3. Optionally, provide the Group ID of an Organization Group at or below the Organization Group of the enrollment user. Otherwise, the user’s enrollment Organization Group is used.
  4. Confirm the download of the User Enrollment MDM profile.
  5. Go to Settings in the app and click Enroll in {Company Name}.
  6. Click through the prompts to be redirected to Azure AD for conditional access and authentication prompts.
  7. The type and number of prompts depend on the user type, device, organization, and Azure AD configuration.
  8. User Enrollment is now finished. The device starts receiving commands from the UEM console.

App Management on User Enrolled Devices

On User Enrolled devices, applications installed by Workspace ONE UEM are managed and associated with the Managed Apple ID used to enroll the device. Any application the user installs through the App Store is associated with the user’s personal Apple ID and cannot be managed.

Since User Enrollment must associate a Managed Apple ID with a managed application, only managed distribution with User-Based Licenses purchased in Apple Business Manager is supported. For instance, applications assigned through the Public tab of the Resources > Apps page on the UEM console are not supported on User Enrolled devices. There are no differences between managing User-Based Licenses under User Enrollment and under Device Enrollment. When an application is assigned to a User Enrolled device, a VPP license is allocated to the Managed Apple ID associated with the device and the app is installed.

Enrolling an Out-Of-Box Android Device Using the Workspace ONE Intelligent Hub Identifier

Introduction

This exercise serves as a guide to deploying an Android device in Work Managed Device mode. Work Managed Device mode enables Workspace ONE UEM to manage the entire device and enforce an extended range of policy controls, but the device is restricted to corporate use only.

Automated Out-of-the-Box Device Onboarding

Workspace ONE UEM allows device life-cycle management starting from onboarding to retirement.

During initial power-up, new devices register over the air (zero-touch for IT) with customizable configuration tools such as automated device enrollment with Apple Business Manager, Windows 10 Out-of-Box Enrollment, zero-touch enrollment of rugged devices, and more. Admins can easily set up and customize the imageless configuration of work profiles, including WiFi, apps, email, VPN, content, intranet sites, and other back-end resources. This gives employees access to email, apps, and data within minutes of device startup, which ensures a positive employee experience right from the start and immediate user productivity.

Enrolling Android Devices

Device enrollment establishes communication with the Workspace ONE UEM console and enables devices to access internal resources. Work Managed devices must use a parent staging process to enroll into Workspace ONE UEM. In this exercise, the admin enrolls an Android Work Managed device using a unique identifier.

The procedures are sequential and build upon one another, so make sure each procedure in this section is completed before going on to the next.

This exercise walks through the Workspace ONE Intelligent Hub Identifier enrollment flow, although there are several additional enrollment options for Work Managed Android devices.

Prerequisites

The admin must meet the following requirements before performing the exercises in this tutorial:

  • A factory reset device in out-of-the-box mode
  • An Android device running version 5.0 or higher
  • The Group ID retrieved from the Workspace ONE UEM Console

Caution: Do not factory reset a personal device to complete these exercises.

A user account is required to enroll the device into Workspace ONE UEM. Note the following information. The details given here are based on a test environment; the user account details in your environment will be different:

  • Username
  • Password
  • Workspace One Server URL

Enrolling an Out-Of-Box Android Device using Workspace ONE Intelligent Hub Identifier

In this activity, use Workspace ONE Intelligent Hub Identifier enrollment to set up the device in Work Managed Device mode.

  1. Start enrollment: from a factory reset state, turn on the device and tap the arrow.
  2. Accept the EULA: accept the End User License Agreement and click on Next.
  3. Skip the Data Import if needed: click on Skip this for now, then select Next.
  4. Connect to WiFi: click to connect to the appropriate WiFi network for the location. After establishing the WiFi connection, click on Next.
  5. Provide the Workspace ONE Intelligent Hub Identifier: enter afw#hub into the email or phone text box to download the Workspace ONE Intelligent Hub, then click on Next.
  6. Install the agent: click on Install.
  7. Confirm the agent installation: select Install.
  8. Proceed to set up the device and agree to the terms and conditions.

Configuring Workspace ONE UEM Server Details

Once the agent has launched, the admin can enroll the device. In this activity, the Workspace ONE UEM authentication details are configured.

  1. Provide the server details: enter the Workspace ONE UEM server URL and click on Next.
  2. Provide the Group ID: enter the Group ID the admin retrieved from the Workspace ONE UEM Console in the Group ID field and click on Next.
  3. Provide the agent credentials: enter the Username (for instance, user1) and the Password (for instance, qwerty@), then click on Continue.

Completing Android Device Enrollment

After the device restarts, the user is ready to complete device enrollment. The user will see several processing screens during the enrollment process and does not need to interact with the device further until the Workspace ONE Intelligent Hub app confirms their enrollment.

  1. Accept the privacy statement: review the privacy statement and click on I Understand.
  2. Accept the data sharing statement: click on I agree.
  3. Confirm Android for work setup. A number of different processing screens appear during the Work Account setup.
  4. Confirm the account details: after the device has completed enrollment, the user can see the user account details. Click on This Device to see the device status.
  5. Confirm device enrollment: the device establishes a connection to Google Cloud Messaging, which may take several minutes. Before continuing, wait until the Connectivity Issue notification changes to Connectivity Normal.
  6. The user has now completed the agent configuration wizard and can exit the agent.
