I assume that you have a local admin account on the devices? If you do then you can send the users a script that will run the MSI as that account, here is something that I quickly wrote up that should work (its untested but in theory should do what you want, or at least give you a starting place). Just fill in the bits at the top with your information and give it a test. It will download the latest version of the client from the VMWare servers and then run the MSI as the admin account and attempt to enroll using the enrollment account you specify. The only issue is that your admin password will be in plain text. You could get around that be encrypting it.
See how you go 
$servername = "##Server FQDN##"
$OGID = "##OGID##"
$AdminUser = "##ADMINUSER##"
$AdminPassword = "##ADMINPASSWORD##"
$StagingUsername = "##staging username##"
$StagingPassword = "##staging password##"
$credentials = New-Object System.Management.Automation.PSCredential ("$AdminUser", $(ConvertTo-SecureString "$AdminPassword" -AsPlainText -Force) )
$proxy = [System.Net.WebProxy]::GetDefaultProxy().Address.OriginalString
$tempFile = "$env:Temp\AirwatchAgent.msi"
if ($Proxy) {
Invoke-WebRequest -OutFile ($tempFile) -Uri "https://storage.googleapis.com/getwsone-com-prod/downloads/AirwatchAgent.msi" -Proxy $proxy
} else {
Invoke-WebRequest -OutFile ($tempFile) -Uri "https://storage.googleapis.com/getwsone-com-prod/downloads/AirwatchAgent.msi"
}
Start-Process msiexec.exe -Wait -ArgumentList "/I $tempFile IMAGE=N ENROLL=Y SERVER=$servername LGName=$OGID USERNAME=$StagingUsername PASSWORD=$StagingPassword ASSIGNTOLOGGEDINUSER=Y DOWNLOADWSBUNDLE=True /Log $Env:Temp\Workspaceoneinstall.log" -Credential $credentials