Managing Multiple Device Ownership Types
Overview
With Workspace ONE UEM, you can manage both corporate-owned assets and employee-owned devices in the same console. Naturally, the two need separate resources. BYOD devices may receive Wi-Fi credentials, a certificate for sign-in, and compliance policies. Corporate assets may have restrictions, requirements for updates, internal applications, and scripts deployed. This article shows how to control resource assignments for devices of different ownership types, and how to ensure that devices are placed in the correct ownership type upon enrollment. For information on driving BYOD adoption, see this previous article.
Assignment of Resources
The first step in managing corporate and employee-owned devices is to assign some resources to both. I've seen customers do this one of two ways: either at an OG level, or using smart groups.
Device ownership based on OG
Let's take an example OG structure:
Parent OG
-Corporate Owned Devices
-BYOD
This way, you can assign resources to those OGs directly. You can also create admin roles that have access to only one or more select OGs. The downside to this method is that you have to make sure that devices enroll into the correct OG, and that OGs are more rigid than smart groups. If you are assigning devices based on OG, you may run into visibility issues (for instance, resources that cannot be assigned because they sit in a parallel OG) that you would not have with smart groups.
Device ownership based on Smart Group (preferred)
Let's take another example of an OG structure:
Parent OG
-Finance
-Accounting
-Marketing
The main difference from the first OG example is that we are not putting devices into an OG based on ownership. Each device in UEM has an ownership associated with it, and we can simply use smart groups to dynamically pull these devices. You can still assign policies/applications based on the department the user is in (in the above example), and then further separate those policies based on ownership. So we can, say, create a smart group for all devices in Finance of type BYOD. The benefit is that this is more flexible than using OGs. The downside is that a particular OG will show both corporate and BYOD devices in the same device list view. This doesn't mean that assignments will get mixed; the effect is only cosmetic when looking at the device list view of an OG. All of that said, this method (using smart groups and the existing device ownership info) is ideal, in my opinion.
Assigning Applications/Profiles
Last but not least, with all of the above in mind, you can assign profiles and applications to either OGs or Smart Groups (as shown below). Next, we'll talk about making sure devices are assigned properly in UEM upon enrollment.
The Power of Smart Group-Based Assignment
The last part I want to mention in this article is creating new smart groups specifically for BYOD vs corporate-owned devices. In Groups and Settings - Groups - Assignment Groups, you can create new smart groups that pick out subsets of devices based on criteria. You are able to say "I want all BYOD devices that are iOS" or "I want corporate Windows devices running Windows 10", or select particular device types. More details on the use of smart groups can be found here.
Assignment of Devices
At this point, we have our applications uploaded into WS1 UEM, profiles set up and assigned, and compliance policies set for different OGs or Smart Groups. Next, we need to make sure that devices are correctly assigned in WS1 UEM so that they receive the applicable policies. I'll once again separate the options here based on whether this is being done with OGs or Smart Groups.
Device Ownership based on OG
If you are going to build out an OG structure to differentiate device ownership, the end goal is to make sure that devices end up in the correct OG. There are a couple of ways of doing this. These are all options, not steps that must be done sequentially.
Prerequisite - Make sure that the OGs that you have created for corporate owned, BYOD, etc. are all set with the correct default ownership. You can set this in Groups and Settings - All Settings - Devices & Users - General - Enrollment - Grouping Tab. Make sure you are in the correct sub-OG, and set the default ownership type as such. This is to ensure that devices receive the correct settings (for things like privacy).
Enroll via server URL and Group ID - If you have a sub-OG that is set for a particular device ownership type, you can have users manually type in that server URL and Group ID to have that device enroll into that OG specifically. Information on identifying what OG you are in can be found here. You can also change/create a group ID for an OG in Groups and Settings - Groups - Organization Groups - details. More info here.
Move the autodiscovery email domain to a sub-OG - Part of Workspace ONE is that you can use your domain to direct where users should enroll. That is, anyone at mycompany.com will be automatically directed to authenticate into, and enroll into, a particular UEM console in a particular group ID. It is common that this is set up at a top level OG. You can, instead, create this autodiscovery email registration at a sub-OG (for BYOD) so users can type their email address and it will point them to the BYOD OG. Corporate devices, set up by OG, can manually enter the corp-owned OG for staging purposes (through something like command line-based enrollment). You can configure the autodiscovery email domain for your UEM environment by following these instructions.
Allow users to select OG to enroll into - By default, Workspace ONE will enroll devices into the OG that they are pointed to (whether it be by manually specified group ID, or by where the email domain is registered for autodiscovery). You can allow users to select the OG to enroll into so that they can effectively select what device ownership the device is subject to. In the UEM console, go to Groups and Settings - All Settings - Devices & Users - General - Enrollment - Grouping tab and find the option "Group ID Assignment Mode". Select "Prompt User to Select Group ID" so that users are prompted to select an OG when they enroll a device.
Device Ownership based on Smart Group (preferred)
The more dynamic nature of smart groups makes differentiating device ownership types a little easier than via OG, outlined above. Below are some of the methods you can use to make sure that devices are being tagged with the correct ownership. Keep in mind that you can use some of the above methods to make sure devices are landing in the correct OG; however, this won't affect device ownership type if using the smart group method.
1. Optional Prompt - As part of the enrollment process, you can ask the user whether their device is corporate owned or BYOD. In Groups and Settings - All Settings - Devices & Users - General - Enrollment - Optional Prompt tab, see "Prompt for Device Ownership".
2. Utilizing default ownership and registration - You can set the default ownership type for an OG to be employee owned (you can set this in Groups and Settings - All Settings - Devices & Users - General - Enrollment - Grouping Tab). This is so that any hub-driven enrollment will set the ownership type to employee owned. Devices that are enrolled by the IT team, whether by command-line staging or pre-registration, will still be enrolled as corporate-dedicated (see previously linked Omnissa documentation for greater detail). This method requires no action from the end user and shows them no prompt.
Note: If you have Workspace ONE integrated with Entra ID, and have Workspace ONE set up as the MDM in Entra ID (and Hub is pushed via Entra ID, such as with AutoPilot), devices that are Entra ID-joined will still show up as corporate-dedicated. This is regardless of the default ownership type mentioned earlier.
3. Intelligence Automation - If you are licensed for Intelligence automations, you can use one to change the device ownership type, depending on the filters used in the automation. Some information on the filters you can use can be found here. You can then set the automation to automatically change a device's ownership type to employee-owned or corporate-dedicated.
Note: Device ownership can always be corrected in the console by going to a device's detail view, going to More Actions - Edit Device, where you can change the "device ownership" field.
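To find the devices that need that correction, the ownership tag can be checked against what each OG is expected to hold. The following is an added example, not part of the original article or of Omnissa's tooling: it audits a constructed device-list export and shows how a mis-tagged device lands in the wrong ownership-based smart group. The column names, OG names, ownership labels and the `OG_DEFAULT_OWNERSHIP` mapping are assumptions for illustration.

```python
import csv
import io

# Constructed device-list export; column names, OG names and ownership labels
# are assumptions for illustration, not the console's actual export schema.
SAMPLE_EXPORT = """serial,og,ownership,platform
C02AAA111,BYOD,Employee Owned,Apple iOS
C02BBB222,BYOD,Corporate - Dedicated,Apple iOS
PF3CCC333,Corporate Owned Devices,Corporate - Dedicated,Windows Desktop
PF3DDD444,Corporate Owned Devices,Employee Owned,Windows Desktop
R58EEE555,BYOD,Undefined,Android
"""

# Ownership each OG is expected to hold (hypothetical mapping that mirrors the
# default ownership chosen per OG on the Grouping tab).
OG_DEFAULT_OWNERSHIP = {
    "BYOD": "Employee Owned",
    "Corporate Owned Devices": "Corporate - Dedicated",
}

def load_devices(export_text):
    """Parse the export into a list of dicts with whitespace stripped."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [{k: v.strip() for k, v in row.items()} for row in reader]

def audit_ownership(devices, og_defaults):
    """Return (serial, reason) for every device whose ownership needs review."""
    findings = []
    for d in devices:
        expected = og_defaults.get(d["og"])
        if d["ownership"] in ("", "Undefined"):
            findings.append((d["serial"], "no ownership set"))
        elif expected is None:
            findings.append((d["serial"], "OG has no expected ownership"))
        elif d["ownership"] != expected:
            findings.append((d["serial"], f"expected {expected}"))
    return findings

def smart_group(devices, ownership, platform=None):
    """Serials a smart group with these criteria would pull in."""
    return [d["serial"] for d in devices
            if d["ownership"] == ownership
            and (platform is None or d["platform"] == platform)]

if __name__ == "__main__":
    devices = load_devices(SAMPLE_EXPORT)
    for serial, reason in audit_ownership(devices, OG_DEFAULT_OWNERSHIP):
        print(f"{serial}: {reason}")
    print("Employee Owned group:", smart_group(devices, "Employee Owned"))
```

The OG comparison only applies when OGs are split by ownership; with the smart group method, where corporate and BYOD devices share an OG, the "no ownership set" check and the smart group membership listing are the relevant parts.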
Honorable Mentions
Device Enrollment Restrictions (specify what devices can/cannot enroll based on device type)
BYOD Device Enrollment (Omnissa official documentation)
Groups and Settings - All Settings - Devices & Users - General - Enrollment documentation (of all options for enrollment process of devices)