Workspace ONE - Enroll Devices Using Staging Accounts

This document describes the process for using staging accounts to enroll endpoints into Workspace ONE (WS1).

Staging options

Apple Devices – Staging Apple devices into Workspace ONE is only possible through Apple’s Device Enrollment Program ( formerly DEP).

Windows Devices – Staging Windows devices into Workspace ONE is only possible using Windows command line script.

Ensuring that your WS1 environment is ready for using staging accounts

  1. In the WS1 console navigate Groups & Settings > All Settings > Device & Users > General > Enrollment
  2. In the Authentication menu for Authentication Mode(s) make sure the box for Basic is checked.
  3. Click SAVE.

Built-in Staging account

WS1 has built-in staging accounts for each OG that you can use for staging device enrollment into WS1. To view these accounts in the WS1 console navigate to Group & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Staging & Provisioning.

In the UPN field is the staging account name and in the Password field is the password for the staging account.

These staging accounts can be used to stage your devices but the disadvantage to using it is that you can only enroll devices to the staging account’s OG. You will not be able to enroll devices to other OGs.

The steps in this document are written with the assumption that you’re creating your own staging account.

Turning on basic authentication mode for creating a Basic account for staging devices

Turning on basic authentication for our OG is a one-time setup requirement. 

  1. In the WS1 console navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment 
  2. For Current Setting change the radio button to Override.
  3. For Authentication Mode(s) check the box for Basic.
  4. Click Save when done.

Creating a Basic staging account for WS1 device enrollment

  1. In the WS1 console navigate to Accounts > User > List View
  2. Click ADD > Add User
  3. Click Basic for the security type.
  4. Give your staging account a username, password, full name, and display name of your choice.
  5. For the email address field entered in an email, you want to receive notifications for the staging account.
    1. Successful enrollment status, un-enrollment of a device, etc. are typical notification emails that will go out to this email.
  6. Click on the Advanced tab.
  7. Scroll down to the Staging section.
  8. Select Enable Device Staging.
  9. Select Enable Single User Devices.
  10. Select Standard – Users are asked to log in after staging.
  11. Click SAVE.

Ensuring that your Apple Devices are assigned to your WS1 MDM environment

  1. Navigate to https://school.apple.com
  2. Click on Devices and type in the serial number(s) of your Apple device(s).
  3. Click to select your search serial number result.
  4. Click Edit Device Management.
  5. Under Assign to Server select your department’s MDM server.
  6. Click Continue.
  7. In the WS1 console navigate to Devices > Lifecycle > Enrollment Status.
  8. Click Sync Devices > Apple.
  9. Click Sync.
  10. Click the refresh button for the Enrollment Status table and you should see the devices you assigned in step 3 in the list of devices.

Enrollment of Apple devices into WS1 using Apple Enrollment Program (formerly DEP) - (Apple Devices)

  1. In the WS1 console navigate to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program.
  2. Click Add Profile.
  3. Turn Custom Enrollment OFF.
  4. Turn Authentication OFF.
  5. Staging Mode select Single user device.
  6. Default Staging User: select the staging account you created.
  7. Device Ownership Type: select what best describes the devices you’re going to be enrolling into WS1 using this DEP profile.
  8. For the Device Organization Group select the OG in which you want your devices to be enrolled.
  9. Fill in the Profile Name, Department, and Support number.
  10. Select Enabled for the following:
    1. Require MDM enrollment
    2. Supervision
    3. Lock MDM Profile
    4. Device pairing
    5. Auto Advance Setup
    6. Anything not mentioned in this list should be Disabled
  11. Under Setup Assistant select Don’t Skip for Location Services. Everything else you can skip.
  12. Click Save.
  13. In the WS1 console navigate to Devices > Lifecycle > Enrollment Status.
  14. Type in the serial number of your device to search for it.
  15. Check the box to the left of the found device.
  16. Click More Actions > Assign Profile.
  17. Assign your device the profile you created in steps 2-12 above.
  18. Click Save.
  19. Power on your Apple Device.
  20. Connect it to WIFI.
  21. Go through the setup wizard taking the defaults.
  22. Once you’ve hit the Remote Management screen with the message “University of Wisconsin-Madison” will automatically configure your iPhone, tap on Next.
    1. Getting this message confirms you’ve set up DEP enrollment correctly.
  23. Enable Location Services.
  24. In the WS1 console navigate to Devices > List View.
  25. Search for your device by its serial number to confirm its been enrolled into WS1.

Enroll devices into WS1 using a command-line script (Windows)

Further customization to the script in these instructions can be completed by referencing the doc here.

  1. Navigate to https://getwsone.com to download Workspace ONE Intelligent Hub for Windows.
    1. Only download Workspace ONE Intelligent Hub. Do not start the executable or select Run as that initiates a standard enrollment process and defeats the purpose of silent enrollment. If necessary, move Workspace ONE Intelligent Hub from the download folder to a local or network drive folder.
  2. Open up Notepad and copy the below commands (red font color) replacing everything in quotes with your WS1 environment’s information.
    1. Note the parameter ASSIGNTOLOGGEDINUSER=Y will assign the device to the domain user that is logged in.
      1. If you do not want this remove this parameter and run the script using an admin account.
      2. After the script is done running, log out of your admin account and the next user that logs into the Windows computer will be assigned to the device in WS1.

msiexec.exe /i “The absolute path of the WS1 intelligent hub installer” /quiet /norestart ENROLL=Y SERVER=cn1733.awmdm.com LGName=”The Group ID of your OG” USERNAME=”The name of your staging user” PASSWORD=”The password of the staging account”  ASSIGNTOLOGGEDINUSER=Y

  1. Save your notepad as a .bat file.
  2. Locate and run your .bat script file from an Admin-level (elevated) command prompt. 
  3. It takes about 50-60 seconds for the script to run. Once the script is done and enrollment is completed you will get a notification that WS1 has completed the enrollment.
    1. If you chose to leave out the ASSIGNTOLOGGEDINUSER=Y parameter you will not get a successful enrollment completion notification.
      1. Open up Regedit and navigate to HKLM\Software\AIRWATCH\EnrollmentStatus.
      2. The value for Status in EnrollmentStatus should be set to Completed after the script is done running. This is how you will know that you can safely log out and have the user you want to assign the device to log in.
  1. In the WS1 console navigate to Devices > List View.
  2. Search for your device by serial number or computer name to verify that your device has been enrolled into WS1 successfully using the script.




Keywords:Workspace ONE, WS1, Staging   Doc ID:117532
Owner:Chou Y.Group:Endpoint Management
Created:2022-03-23 09:20 CDTUpdated:2022-07-19 13:32 CDT
Sites:DoIT Help Desk, Endpoint Management
Feedback:  0   0