This post is long overdue. When the product was just 'AirWatch', it was much simpler to automate enrollment of devices with no touches from the end user. With the transformation into Workspace ONE and the support for modern authentication, third-party IdPs, and not relying on Connectors or AD, things got just a tad more complicated. I want to try to break down how it is still possible. To set the correct expectations: this is not a guide to setting up automated enrollment for every platform. Rather, if you already have automated enrollment and want to stop asking for credentials so that it is no touch (or very low touch) for the end user, this post is for you.
What is automated enrollment and why would you use it?
There are a few reasons you might want to automate enrollment.
- Ensure that when the device is booted up, or after a wipe, you still have control.
- Prevent the misuse of a lost or stolen device.
- Silently enroll end users who are already working on the device.
- Make provisioning as easy as possible for you and your users!
- Staging - where you silently enroll the device, but afterwards ask the user for their credentials to deliver personalized apps, profiles, and experiences.
- Enroll on Behalf of - where you stage the device and automatically switch to the already-logged-in user.
Why does using Workspace ONE Access as the source of authentication complicate this process?
- Custom Enrollment: On - this requires authentication and will use UEM's SAML configuration. This option is NOT for enrollment without a credential prompt.
- Custom Enrollment: Off & Authentication: On - this requires authentication and will use UEM's native directory. If you need to use a SAML IdP, this is not for you; use Custom Enrollment: On instead. This option is NOT for enrollment without a credential prompt.
- Custom Enrollment: Off & Authentication: Off - finally, a DEP workflow with as little input as possible. This is nice because if you have a lost or stolen device, whoever boots it up will click Next, Next, Next and end up with a managed device, which you as the admin can locate and control. The workflow can be threefold:
  - Authentication Off and Staging Off: this will enroll the device directly to the end user you select. This method can be useful for a line-of-business device where no concept of user identity is needed. Think kiosk.
  - Authentication Off and Staging Single user: this will enroll the device directly to the staging user you select. This is perfect because you can apply a single app mode profile to the staging user, which locks the device into Workspace ONE Intelligent Hub. The Hub will prompt the user to sign in to the device with their own credentials through Workspace ONE Access. Once signed in, the device is personalized to the end user with their normal profiles and apps.
  - Authentication Off and Staging Multi user: this is the same concept as Single user, except the Hub will include a log off button that allows the user to log out of the device. This is for when a device is shared between shifts.
- Google Zero Touch
- Samsung Knox Mobile Enrollment
- Zebra StageNow
- Honeywell Enterprise Provisioner
- QR Code
- AirWatch Relay with NFC Bump