VMware Workspace ONE Community
BrianPitt
Enthusiast

DEP Enrollment and Tokens

I am confused over some DEP enrollment details and hoping someone can help me out. In our Workspace ONE we have had users enroll devices via our server URL site, where they enter their Group ID and then log in with their Directory Account, which uses SAML Authentication to verify and enroll them. We have been doing this for some time but now want to use Apple DEP to enroll users' iOS and macOS devices into the system. However, when applying a DEP Profile and getting to the username and password login screen, our Directory account usernames and passwords do not work and come back with errors or unknown user or password. I know this is most likely due to SAML Authenticated Accounts and DEP not playing well together, but that is just an assumption. To get around this, and from reading through VMware documentation, it states that we can Batch Import Devices via .csv file and the users listed in the import will get a message (via SMS or e-mail) that mentions downloading the Intelligent Hub as well as being given a generated Token. They can then use that Token for the username and password fields when enrolling the device. Putting the two together, we have attempted to do the following:



  1. Add the Device Serial Number in the DEP Portal and sync Workspace ONE, which brings the Device record into Workspace ONE Enrollment Status as Discovered

  2. Apply a DEP Profile to the Device by choosing Assign Profile and choosing the right DEP Profile, which is then applied

  3. Upload a Batch Import .csv file with our Directory Account Username, First Name, Last Name, Group ID where the Directory Accounts are, E-mail address, Message Type and Serial Number of the Device to be tied to that user. Importing this and looking at Enrollment Status shows the user ID now tied to the Device Serial Number

At this point, we expect to get a notification from the system with a Token listed that we could then enter for username and password when prompted during Setup when DEP Profile Registration comes up. Instead, we are getting a notification that lists the user's Directory Services name and for password just says Directory Services Password. Am I reading the documentation correctly?


https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.6/vmware-airwatch-guides-96/GUID-AW96-Enroll_M...


It says: To generate a Token, map an enrollment user to DEP device serial number. This will generate a token and deliver it to the user according to their preferred method of notification, which is specified under User Settings.


I have had a ticket open with VMware Support for over a week now and can't get an answer to my question....

AbrahamSanchez
Contributor

DEP works great. I am not familiar with how you are attempting to set up a device. We are AD integrated. When the device comes in DEP we just walk through the prompts. Once at HUB, the user either enters their AD credentials and enrolls the device or we enter an auto login account we create for shared devices.
The user does not have to enter any group ID or anything like that. Credentials and password is all that's needed.
If the device was not purchased through your DEP partner, you will not be able to upload those accounts to DEP. If there is a way to do that, we have not been successful. When a device is purchased outside of our Verizon DEP partner, we are forced to enroll via Configurator. This is not something that happens often, and when it does happen we ask the user to return the device and purchase via our DEP partner.
If your DEP is set up correctly you should not have to do all that work you are doing. With AD integration the process is simple.
KevinMigliaccio
Contributor

We, like you, have been using Tokens for enrollment and things worked great when we first had Airwatch... however somewhere around version 9.4 DEP enrollment failed with errors etc... What we found after working with Support was that they 'fixed' DEP to follow the registered devices rule for enrollments. Every time we enroll a new DEP device now we have to go to console/groups and settings/all settings/devices and users/general/enrollment, turn off require registration token and save. The device will enroll; then turn the token back on, making sure to check the expiration time because it doesn't save it after a short period. I hope this helps. We love DEP, just wish they gave us the option to enforce the token rule on DEP devices or not.