This post is long overdue. When things were just 'AirWatch' it was much simpler to automate enrollment of devices with no touches from the end user. With the transformation into Workspace ONE and supporting modern authentication, third-party IdPs, and not relying on Connectors or AD, stuff got just a tad more complicated. I want to try and break down how it is still possible. To set the correct expectations, this is not a guide on how to set up automated enrollment for every platform; rather, if you already have automated enrollment and want to stop asking for credentials so it's no touch (or very low touch) for the end user, this post is for you.
What is automated enrollment and why would you use it?
There are a few reasons you want to automate enrollment.
- Ensure when the device is booted up or after a wipe, you still have control.
- Prevent the misuse of a lost or stolen device
- Silently enroll end users who are already working on the device
- Make provisioning as easy as possible for you and your users!
The concept of a silent enrollment that does not ask for credentials relies on two concepts.
- Staging - where you silently enroll the device, but afterwards ask the user for their credentials to deliver personalized apps, profiles, and experiences.
- Enroll on Behalf of - where you stage the device and automatically switch to the already logged-in user.
Why does Source of Authentication to Workspace ONE Access complicate this process?
Workspace ONE Access is an Identity Provider (IdP). The point of using an IdP is that each application is not responsible for authenticating the end user itself. Workspace ONE UEM acts as a Service Provider (much like O365, Salesforce, Workday, etc.) and redirects the Hub to Workspace ONE Access to challenge the end user with 'Who are you?', to which the end user inputs their credentials to be validated. Workspace ONE Access then sends a response to the Hub saying, yes, Joe authenticated correctly, and here are some attributes about Joe you may need. The entire workflow is built on the premise that the end user must input their credentials to verify who they are.
BUT WAIT, we are trying to stage a device to a generic user whose identity doesn't matter, after which the real end user can sign in. Therein lies the conflict. When using an IdP
The underlying assumption and point of complication here is that Hub Source of Auth is set to Workspace ONE Access. Let's break it down by each platform.
Solutions
iOS
The only automated way to enroll devices out of the box is with Device Enrollment Program. Details from Apple are here: https://support.apple.com/en-us/HT204142
Once you set up DEP and assign devices there are a few options:
- Custom Enrollment: On - this requires authentication and will use UEM's SAML configuration. This option is NOT for enrollment without a credential prompt.
- Custom Enrollment: Off & Authentication: On - this requires authentication and will use UEM's native directory. If you need to use a SAML IdP, this is not for you; use Custom Enrollment: On. This option is NOT for enrollment without a credential prompt.
- Custom Enrollment: Off & Authentication: Off - Finally, a DEP workflow with as little input as possible. This is nice because if you have a lost or stolen device, whoever boots it up will click next, next, next and end up with a managed device, which you as the admin can find and control. The workflow can be three-fold:
- Authentication Off and Staging Off: This will directly enroll to the end user you select. This method can be useful if you have a line-of-business device where there isn't a concept of user identity needed. Think kiosk.
- Authentication Off and Staging Single user: This will directly enroll to the staging user selected. This is perfect because you can apply a Single App Mode profile to the staging user, which locks the user into Workspace ONE Intelligent Hub. The Hub will prompt the user to sign into the device with their own credentials, through Workspace ONE Access. Once signed in, the device is personalized to the end user with their normal profiles and apps.
- Authentication Off and Staging Multi user: This is the same concept as Single user except the Hub will include a log off button which allows the user to log out of the device. This is for when a device is shared between shifts.
The winning combination for the most common use case of automated enrollment without credentials, to an end user, is the one listed above: 'Custom Enrollment Off, Authentication Off and Staging Single user.' With this method you have the best of both worlds: no credential prompt to the end user until after the device is under management. It's that simple.
Android
Android is a bit more complicated compared to iOS, due to the nature of the ecosystem and how flexible it is. Automated enrollment comes in quite a few flavors.
Out of the box without IT:
- Google Zero Touch
- Samsung Knox Mobile Enrollment
Out of the box with IT:
- Zebra StageNow
- Honeywell Enterprise Provisioner
- QR Code
- AirWatch Relay with NFC Bump
- afw#hub
There may be even more that I am unaware of. In all of those methods we are essentially sending a configuration to the Hub with the enrollment details. If you have Workspace ONE Access as the source of auth, it will ask the end user for credentials, breaking your staging workflow. Just like with iOS, staging allows the device to enroll out of the box or through the IT team to gain management, then be handed to the end user for them to sign in and personalize the device.
The Hub supports 'provisioning extras' in the QR code, or in the JSON payload through Zero Touch, KME, and so on. There are quite a few listed here: Enrollment Flags for Android Enrollment. The one of interest is "useUEMAuthentication":"Boolean", which tells the Hub to use the provided staging username and password against a local user in UEM rather than modern authentication against Workspace ONE Access. That allows enrollment to the UEM local staging user, and then allows the end user to open Hub and sign into the device for personalization.
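As an added example (not VMware's code, nor anything from the post), here is a small Python script that builds the Android Enterprise provisioning JSON used by a QR code, Zero Touch or KME configuration, and checks it for the mistake described above. The `android.app.extra.PROVISIONING_*` names are the standard Android provisioning extras; the Hub component name and the `serverurl`, `gid`, `un` and `pw` extras keys are assumptions based on VMware's own samples and should be verified against the Enrollment Flags for Android Enrollment documentation; the checksum and download URL are labelled placeholders. The checker flags a payload that would fall back to a Workspace ONE Access credential prompt, and the redaction helper exists because this JSON carries the staging password in clear text and routinely ends up pasted into tickets.

```python
import copy
import json

# Standard Android Enterprise provisioning extras (DevicePolicyManager API).
COMPONENT_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
CHECKSUM_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
DOWNLOAD_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRAS_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"

# Assumption: Hub's device-admin receiver component as seen in VMware QR samples.
HUB_COMPONENT = "com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver"

# Assumption: extras keys Hub reads for server, group ID, staging user and password.
# Verify against the "Enrollment Flags for Android Enrollment" documentation.
SERVER_FLAG, GROUP_FLAG, USER_FLAG, PASSWORD_FLAG = "serverurl", "gid", "un", "pw"
UEM_AUTH_FLAG = "useUEMAuthentication"  # the flag discussed in the post


def build_staging_payload(server_url, group_id, staging_user, staging_password,
                          hub_checksum, hub_download_url, use_uem_authentication=True):
    """Build the dict that gets serialized into the QR code / Zero Touch / KME JSON."""
    extras = {
        SERVER_FLAG: server_url,
        GROUP_FLAG: group_id,
        USER_FLAG: staging_user,
        PASSWORD_FLAG: staging_password,
        UEM_AUTH_FLAG: use_uem_authentication,
    }
    return {
        COMPONENT_KEY: HUB_COMPONENT,
        CHECKSUM_KEY: hub_checksum,
        DOWNLOAD_KEY: hub_download_url,
        EXTRAS_KEY: extras,
    }


def check_staging_payload(payload, hub_source_of_auth):
    """Return findings that would break a no-credential-prompt staging flow (empty list = OK)."""
    findings = []
    extras = payload.get(EXTRAS_KEY, {})
    # The post's core point: with Hub source of auth set to Access, Hub redirects the
    # staging user to the IdP for credentials unless told to authenticate locally in UEM.
    if hub_source_of_auth == "Workspace ONE Access" and extras.get(UEM_AUTH_FLAG) is not True:
        findings.append(f"{UEM_AUTH_FLAG} must be true when Hub source of auth is Workspace ONE Access")
    if not extras.get(USER_FLAG) or not extras.get(PASSWORD_FLAG):
        findings.append("staging username and password are both required for silent enrollment")
    if not str(extras.get(SERVER_FLAG, "")).startswith("https://"):
        findings.append(f"{SERVER_FLAG} should be an https:// URL")
    if not str(payload.get(DOWNLOAD_KEY, "")).startswith("https://"):
        findings.append("Hub APK download location should be an https:// URL")
    if not payload.get(CHECKSUM_KEY):
        findings.append("missing Hub signature checksum; the device cannot verify the APK")
    return findings


def redact_payload(payload):
    """Deep copy with the staging password masked; safe to paste into tickets or logs."""
    redacted = copy.deepcopy(payload)
    extras = redacted.get(EXTRAS_KEY, {})
    if PASSWORD_FLAG in extras:
        extras[PASSWORD_FLAG] = "***"
    return redacted


def to_qr_json(payload):
    """Serialize compactly, as the JSON would be encoded into the QR code."""
    return json.dumps(payload, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample values; checksum and download URL are placeholders.
    payload = build_staging_payload(
        server_url="https://ds.example.com",
        group_id="STAGING",
        staging_user="staginguser",
        staging_password="s3cret",
        hub_checksum="<HUB_APK_SIGNATURE_CHECKSUM>",
        hub_download_url="https://example.com/AirWatchAgent.apk",
    )
    print(check_staging_payload(payload, "Workspace ONE Access"))  # []
    print(to_qr_json(redact_payload(payload)))
```

Run the checker against the payload you are about to encode, with `hub_source_of_auth` set to whatever the Hub Source of Authentication is in your UEM console; an empty list means the staging user will be authenticated locally in UEM and the device will enroll without a prompt, leaving the Access sign-in for the real end user once Hub opens.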
[Under Construction]
Windows 10
macOS
Great knowledge, does anyone mind merely referencing back to it Credentialing & Enrollments