Lab 5: Device enrollment

Objective and Tasks

  1. Enable Directory Authentication Enrollment
  2. Define grouping
  3. Define a Terms of Use policy
  4. Define privacy settings
  5. Enroll a Windows Desktop device using Hub Enrollment
  6. Enroll a Windows Server device using scripted enrollment
  7. Enroll a Linux Device
  8. Verify the Assignment Group
  9. Navigate the Workspace ONE Intelligent Hub Application
  10. Configure Windows Multi-User on a Windows Desktop device

Task 1: Enable Directory Authentication

You enable directory authentication to support device enrollment with directory accounts.

  1. Open the Workspace ONE UEM administration console.

    1. On the ControlCenter Windows taskbar, click the Google Chrome icon.

    2. From the bookmarks bar, select Workspace ONE UEM. You can also enter https://omnissatraining.awmdm.com/Airwatch in the address bar to access the console page.

  2. Log in to Workspace ONE UEM.

    • User name: studentadmin{labid}

    • Password: Pa$$w0rd

  3. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  4. In the navigation pane on the left, select Groups & Settings. Then, select All Settings > Devices & Users > General > Enrollment.

  5. On the Authentication tab, click Override next to Current Setting.

  6. Next to Authentication Modes(s), make sure Basic and Directory are checked.

  7. Next to Source of Authentication for Intelligent Hub, click Workspace ONE UEM.

    1. Note: This should be selected by default. In a later lab we will also showcase authentication with Access.

  8. Click Save.

  9. On the Restrictions tab, click Override next to Current Setting.

  10. Next to User Access Control, de-select Restrict Enrollment To Known Users.

    a. Note: This will allow users, who have not been synced into UEM, to be synced when they enroll a device.

  11. Click Save.

Task 2: Define grouping

You define the organization group (OG) assignment mode for enrolling devices.

Grouping permits Workspace ONE UEM to place the devices into the correct OGs based on your configuration.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  2. In the Settings dialog box, select Groups & Settings. Then, select All Settings > Devices & Users > General > Enrollment in the navigation pane on the left.

  3. Click the Grouping tab.

  4. Next to Current Setting, click Override.

  5. Next to Group ID Assignment Mode, verify that Default is selected.

  6. Click Save.

Task 3: Define a Terms of Use policy

You define the terms of use policy for the devices to be enrolled.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  2. In the Groups & Settings dialog box, select All Settings > Devices & Users  > General > Enrollment in the navigation pane on the left.

  3. Click the Terms of Use tab.

  4. Next to Current Setting, click Override.

  5. Next to Require Enrollment Terms of Use Acceptance, click Enabled and then click Save.

    • When an Enrollment Terms of Use policy is required, all device users must accept the Terms of Use during enrollment. If a Terms of Use policy is not set, the Terms of Use from a parent OG is enforced, if it has one.

  6. Click Add New Enrollment Terms of Use.

  7. Enter Custom Terms of Use in the Name text box.

  8. Review all settings, such as enforcing the policy for specific platforms, device ownership types, and enrollment types.

If you exclude the device that you plan to enroll, the Terms of Use are not shown during your enrollment in later lab activities.

  1. (Optional) Click the Select Language drop-down menu to change the language. The default language is English.

  2. In the text editor, enter This is a test terms of use for the Workspace ONE training course and click Save.

  3. Click Save.

Task 4: Define privacy settings

When you enroll your device, the Workspace ONE UEM console default is to enroll it as an employee-owned device.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  2. In the Settings dialog box, select Groups & Settings. Then, select All Settings > Devices & Users > General > Privacy in the navigation pane on the left.

  3. Next to Current Setting, click Override.

  4. Scroll down to the Applications section.

  5. In the Personal Application row, change the setting for Employee Owned to Collect Do Not Display.

    • By changing this setting to Collect and Display, you can gather user data and make the data visible in the Workspace ONE UEM console

    • By changing this setting to Collect Do Not Display, you can collect user data for use in reports and compliance, but data is not displayed within the Workspace ONE UEM console.

    • By changing this setting to Do Not Collect, you can prevent user data from being shown in both the Workspace ONE UEM console and in generated reports.

When you enroll your device, the Workspace ONE UEM console default is to enroll it as a Corporate - Dedicated device. Enrollment results in personal applications being shown in the device details under the Application section. To prevent your personal applications from appearing in the Workspace ONE UEM console, you change the setting to Do Not Collect and click Save.

  1. Click Save.

  2. Enter 1234 if you are asked to enter a security PIN.

  3. Review all remaining privacy settings, including whether the Workspace ONE UEM administrator can remotely erase a device (factory wipe), remote control a device based on ownership, display user information, and so on.

  4. Close the Settings dialog box.

Task 5: Enroll two Windows Desktop devices using Hub Enrollment

You use the Workspace ONE Intelligent Hub application to enroll two Windows VMs to your Workspace ONE UEM environment.

  1. From the VM Switcher, select Win11Client-01.
  2. If you receive a prompt to log in to, enter the password for the local account.
    • User name: administrator
    • Password: Pa$$w0rd
  3. If a "Get even more out of Windows" dialog box appears, click Skip for now.
  4. From the Win11Client-01 VM desktop, open Google Chrome.
  5. Go to https://getwsone.com and click Download Hub for Windows x86/x64.
  6. After 2 minutes, you should find the AirwatchAgent in the Downloads folder of File Explorer in the Win11Client-01 VM.
  7. Double-click AirwatchAgent to start the installation.
  8. Click Next.
  9. Click I accept the terms in the license agreement and click Next.
  10. Click Install.
  11. Click Finish.
  12. Click the Windows Start menu and select Administrator in the lower left corner.
  13. Click Sign Out.
  14. On the Logon screen, log in as craig.
    • User name: omnissatraining\craig
    • Password: Pa$$w0rd
  15. The Workspace ONE Intelligent Hub application will automatically open once you have logged in..
    • If it does not open, you can click the W11Client-01 Start menu to open Workspace ONE Intelligent Hub manually.
  16. Enter your Workspace ONE UEM enrollment information in the Workspace ONE Intelligent Hub application.
  17. Enter omnissatraining.awmdm.com in the Email or Server Address text box.
  18. Click Next.
  19. Enter student{labid} in the Group ID text box.
  20. Click Next.
  21. Enter craig in the username text box.
  22. Enter Pa$$w0rd in the password text box.
  23. Click Sign In.
  24. If a "Want an even better experience?" message appears, click Not Now.
  25. When the Congratulations dialog box appears, click Done.
  26. To complete enrollment, click Get Started.
  27. On the ControlCenter Windows taskbar, click the Google Chrome icon to return to the Workspace ONE UEM console.
  28. In the navigation pane at the top, select Devices. Then, select Devices from the menu on the left. The Craig Desktop Windows VM should appear in the list.
  29. From the VM Switcher, select Win11Client-02.
  30. If you receive a prompt to log in to, enter the password for the local account.
    • User name: administrator
    • Password: Pa$$w0rd
  31. If a "Get even more out of Windows" dialog box appears, click Skip for now.
  32. From the Win11Client-01 VM desktop, open Google Chrome.
  33. Go to https://getwsone.com and click Download Hub for Windows x86/x64.
  34. After 2 minutes, you should find the AirwatchAgent in the Downloads folder of File Explorer in the Win11Client-02 VM.
  35. Double-click AirwatchAgent to start the installation.
  36. Click Next.
  37. Click I accept the terms in the license agreement and click Next.
  38. Click Install.
  39. Click Finish.
  40. Click the Windows Start menu and select Administrator in the lower left corner.
  41. Click Sign Out.
  42. On the Logon screen, log in as nancy.
    • User name: omnissatraining\nancy
    • Password: Pa$$w0rd
  43. The Workspace ONE Intelligent Hub application will automatically open once you have logged in.omnissatraining
    • If it does not open, you can click the W11Client-01 Start menu to open Workspace ONE Intelligent Hub manually.
  44. Enter your Workspace ONE UEM enrollment information in the Workspace ONE Intelligent Hub application.
  45. Enter omnissatraining.awmdm.com in the Email or Server Address text box.
  46. Click Next.
  47. Enter student{labid} in the Group ID text box.
  48. Click Next.
  49. Enter nancy in the username text box.
  50. Enter Pa$$w0rd in the password text box.
  51. Click Sign In.
  52. If a "Want an even better experience?" message appears, click Not Now.
  53. When the Congratulations dialog box appears, click Done.
  54. To complete enrollment, click Get Started.
  55. On the ControlCenter Windows taskbar, click the Google Chrome icon to return to the Workspace ONE UEM console.
  56. In the navigation pane at the top, select Devices. Then, select Devices from the menu on the left. The Nancy Desktop Windows VM should appear in the list.

Task 6: Enroll a Windows Server device using scripted enrollment

You enroll a Windows Server device using scritped enrollment.

  1. Open the Workspace ONE UEM administration console.

    1. On the ControlCenter Windows taskbar, click the Google Chrome icon.

    2. From the bookmarks bar, select Workspace ONE UEM. You can also enter https://omnissatraining.awmdm.com/Airwatch in the address bar to access the console page.

  2. Log in to Workspace ONE UEM.

    • User name: studentadmin{labid}

    • Password: Pa$$w0rd

  3. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Servers organization group is selected from the Organization Group drop-down menu.

  4. In the navigation pane on the left, select Groups & Settings. Then, select All Settings > Devices & Users > General > Enrollment.

  5. On the Management Mode tab, click Override next to Current Setting.

  6. Next to Windows, make sure No OMADM Management is selected.

  7. Next to Management Mode, select the button for Intelligent Hub Managed Mode.

  8. Select Enabled next to All Windows devices in this Organization Group.

  9. Click Save.

  10. On the Grouping tab, click Override next to Current Setting.

  11. From the dropdown menu for Default Action For Inactive Users, select Restrict Additional Device Enrollment.

  12. Click Save.

  13. In the navigation on the left, select Devices and Users. Then select General > Shared Device.

  14. Click Override.

  15. Navigate to the Grouping tab.

  16. Enable Fixed Organization Group for the Group Assignment Mode.

  17. Click Save.

  18. In the navigation on the left, select Devices & Users. Then, select Microsoft > Windows > Intelligent Hub Settings.

  19. Click Override next to Current Setting.

  20. Scroll down to Default User Mode for Enrollment. From the dropdown menu for Windows Enrollment User Mode, select Single User Mode.

  21. Click Save.

  22. Close the All Settings windows by cllicking the X in the upper right corner.

  23. From the VM Switcher, select WS2025-Server.

  24. If you receive a prompt to log in to, enter the password for the local account.

    • Username: administrator

    • Password: Pa$$w0rd

  25. Navigate to C:\Resources.

  26. Double-Click the Update Group ID file.

  27. Type your assigned Group ID. For example: Student########  (Note: Make sure to preface the Group ID with "Student")

Make sure to preface the Group ID with "Student".

  1. Click OK 

  2. Then click OK to the Replacement complete... message.

  3. Right-click on the newly created file, Right-Click Me and choose Run As Administrator batch file, And choose Run As Administrator.

  4. Enter:

    • Username: Administrator

    • Password: Pa$$w0rd

  5. Click Yes.

  6. A command window will appear briefly for about a minute and then go away on its own. This starts the enrollment process.

You will have to wait about 2 minutes while the device enrolls.  There will be no visible progress while the enrollment is happening.

  1. While silent enrollment is in progress, take a look at the script.  Go to C:\Resources\Right-click me and choose Run As Administrator.  Right-click and select Edit in Notepad.  Do not click Open.  Note the parameters that have been embedded within the script.  Close Notepad after viewing.

Task 7: Enroll a Linux Device

You use the Workspace ONE Intelligent Hub application to enroll a Linux VM to your Workspace ONE UEM environment.

  1. Select the Linux-01 VM from the drop-down at the top-left area of your window.
  2. Log in to the Linux-01 VM.
    1. User name: Administrator
    2. Password: Pa$$w0rd
  3. This will bring you to the desktop of the Ubuntu Linux machine.
  4. On the left-side bar, click on the Terminal icon (The icon looks like a Command Prompt)
  5. This will bring up the command-line interface window.
  6. The Intelligent Hub Debian has been pre-downloaded into the downloads folder.
  7. Now let's run the installation command. Type the following:
sudo apt install "./Downloads/workspaceone-intelligent-hub-amd64-25.06.0.23.deb"
Click to copy
  1. Click enter after the you input the command.
  2. Now enter the password (Note: The password will not be visible when you type)
    1. Type Pa$$w0rd
    2. Click enter.
  3. When prompted to approve installation of packages type Y and hit enter.
  4. The Workspace ONE Intelligent Hub application will be installed to the Linux VM.
  5. Run the following cd command to navigate to the Hub binary directory under the installation directory.
cd "/opt/omnissa/ws1-hub/bin"
Click to copy
  1. Hit enter on your keyboard
  2. Run the following sudo command to use the ws1HubUtil utility.
sudo ./ws1HubUtil enroll --server https://ds1605.awmdm.com
Click to copy
  1. Hit enter on your keyboard.
  2. You will then be prompted for the OrganizationGroup:
    1. Type Student{labid}
    2. Hit enter on your keyboard.
  3. You will now be prompted for the UserName:
    1. Type studentuser{labid}
    2. Hit enter on your keyboard.
  4. Then the Password
    1. Type Pa$$w0rd
    2. Hit enter on your keyboard
    3. Note: Wait about 15 seconds for the device to enroll.
  5. You should see a message, confirming the "Workspace ONE Intelligent Hub enrollment completed successfully."
  6. Return to the Workspace ONE UEM console in the ControlCenter VM.
  7. In the navigation pane at the top, select Devices. Then, select Devices in the menu on the left.
  8. The Linux VM should appear in the list. If not, you might need to refresh the page.

Task 8: Verify the Assignment Group

You verify that the enrolled devices are automatically included in the correct assignment groups.

  1. In the upper-right corner of the console, click the drop-down menu with your administrator name and verify that Student{labid} organization group is selected from the Organization Group drop-down menu.

  2. In the navigation plane on the left, select Groups & Settings. Then, under Groups, select  Assignment Groups.
  3. Verify that a number appears in the Devices column for the respective Smart Groups.

Task 9: Navigate the Workspace ONE Intelligent Hub Application

You navigate the Workspace ONE Intelligent Hub application and become familiar with the Hub Catalog user interface.

  1. From the VM Switcher, select Win11Client-01.
  2. If you receive a prompt to log in to, enter the password for the local account.
    • User name: omnissatraining\craig
    • Password: Pa$$w0rd
  3. Click the Start menu and open Workspace ONE Intelligent Hub.
  4. If you are prompted to sign in again into the Intelligent Hub
    1. Ensure that omnissatraining.com is selected from the Select your domain drop-down menu.
    2. Click Next.
    3. Enter craig in the username text box.
    4. Enter Pa$$w0rd in the password text box.

Either the Apps or the Favorites page appears when the application opens.

No assigned applications appear yet because you have not deployed resources to any devices. This is covered in a later lab.

  1. If the Always Accessible window appears, click Got It.
  2. In the Workspace ONE Intelligent Hub application, review the available menu options.
    • Favorites
    • Apps
    • For You
    • Support
    • User icon
  3. To open the device information page, click Craig Stroser in the bottom-left corner.
    • Here you can view information about Enrollment, Compliance, Network, Profile, and Support.
  4. To synchronize with the Workspace ONE UEM console, click Sync Device.

The Workspace ONE Intelligent Hub application performs periodic automatic background syncs with the Workspace ONE UEM console.
 

The Sync Device control serves as a manual approach to trigger an immediate one-time sync with the Workspace ONE UEM console.

  1. Minimize the Remote Desktop Connection window.

Task 10: Configure Windows Mulit-User on a Windows Desktop device

You enable Windows Mutli-User on a Windows Desktop device.

  1. From the ControlCenter VM, in the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Devices & Users > Microsoft > Windows > Intelligent Hub settings.

  2. Click Override.

  3. Expand the section for Attributes for Unique Identifier.

  4. Set UEM Attributes to User Principal Name.

  5. Set Client Attributes to User Principal Name.

  6. Click Save.

  7. Close Intelligent Hub Settings window.

The Shared Device Grouping setting controls how to map a device to the right Organization Group.  To avoid prompting for OG and enabling silent reassignment, “Fixed Organization Group” should be configured. 

  1. Within the Workspace ONE UEM console, open Groups & Settings.

  2. Navigate to All Settings > Devices and Users > General > Shared Device.

  3. Click Override.

  4. Navigate to the Group Assignment Mode section.

  5. Enable Fixed Organization Group.

  6. Click Save.

  7. Close the Shared Device window.

  8. In Workspace ONE UEM console, go to Devices > Devices.

  9. Click Layout. Select Custom from the options provided.

  10. Scroll through the available columns until you find Windows User Mode

  11. Confirm that your enrolled Windows Desktop devices shows Multi User.

Multi User is the default regsitration mode in Workspace ONE UEM version 2406 and 2410.

  1. Click on the Friendly Name of the Craig... Windows computer  

  2. In the upper right corner, select More Actions.

  3. Scroll down to the Admin section and click Single User Mode.  

    • You will receive a message that says, "Request to pause the device reassignment was success."

    • Click OK to the message. The device is queued for Single user assignment.  

  4. In the Workspace ONE UEM console, go to Devices > Devices.

  5. Select the double right arrows next to Filters.  

  6. Select Advanced > Windows User Mode.

  7. CheckSingle User (Legacy) and Multi User Capable.

  8. Click Apply.  Note that no records were found.

  9. Uncheck Single User (Legacy) and Multi User Capable.

  10. Check Single User and Multi User.

  11. Click Apply.  Note that the Windows mode setting for one VM is shown as Single User and the other VM is shown as Multi User.

  12. Using the VM Switcher, log into the w11Client-02 device, and then restart it.

  13. After the device reboots, select Other user in the lower left corner of the login screen.

  14. Designate the user as omnissatraining\Craig and Pa$$w0rd.

  15. Because this device is enabled for multi User, you will have to wait about 1 minute for the device to automatically enroll for Craig.

  16. When it is done, you will be presented with the Want an even better experience screen.

  17. Click Not Now. From the Hello, Craig window, click Get Started.

  18. The Hello, Craig screen validates that enrollment has now flipped to Craig.

  19. Logout of the Win11Client-02 desktop and log back in as Nancy.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.