Managing Multiple Device Ownership Types

Assignment of Resources 

The first step in managing corporate and employee-owned devices are to assign some resources to both. I've seen customers do this one of two ways - either at an OG level, or using smart groups.

Device ownership based on OG

Let's take an example OG structure: 

Parent OG 

-Corporate Owned Devices

-BYOD 

This way, you can assign resources to those OG's directly. You can also create admin roles that have access to only one or more select OG's. The downside to this method is that you have to make sure that devices enroll into the correct OG, and that OG's are more rigid than smart groups. If you are assigning devices based on OG, you may run into visibility issues (resources not able to be assigned if in a parallel OG, for instance) versus using smart groups. 

Device ownership based on Smart Group (preferred)

Let's take another example of an OG structure: 

Parent OG 

-Finance

-Accounting

-Marketing

The main difference with the first OG example is that we are not putting devices into an OG based on ownership. Each device in UEM has an ownership associated with it, and we can simply use smart groups to dynamically pull these devices. You can still assign policies/applications based on the department the user is in (in the above example), and then further separate those policies based on ownership. So we can, say, create a smart group for all devices in finance of type BYOD. The benefit is that this is more flexible in its use than utilizing OG's, but the downside is that it will, in a particular OG, show both corporate and BYOD devices in the same device list view. This doesn't mean that assignments will get mixed, just cosmetic in terms of looking in an OG at device list view. All of that said, this method (using smart groups and the existing device ownership info) is ideal, in my opinion. 

Assigning Applications/Profiles

Last but not least, with all of the above in mind, you can assign profiles and applications to either OG's or Smart Groups (as shown below). Next, we'll talk about making sure devices are assigned properly in UEM upon enrollment. 

Assignment of Devices 

At this point, we have our applications uploaded into WS1 UEM, profiles set up and assigned, and compliance policies set for different OG's or Smart Groups. Next, we need to make sure that devices are correctly assigned in WS1 UEM to make sure they receive the applicable policies. I'll once again separate the options here based on whether this is being done with OG's or Smart Groups - 

Device Ownership based on OG 

If you are going to build out an OG structure to differentiate device ownership, the end goal is to make sure that devices end up in the correct OG. There are a couple of ways of doing this - (that is to say, these are all options, not necessarily to be done sequentially) 

Prerequisite- Make sure that the OG's that you have created for corporate owned, BYOD, etc - are all set with the correct default ownership. You can set this in Groups and Settings - All Settings - Devices & Users - General - Enrollment - Grouping Tab. Make sure you are in the correct sub-OG, and set the default ownership type as such. This is to ensure that devices receive the correct settings (for things like privacy).

1. Enroll via server URL and Group ID - If you have a sub-OG that is set for a particular device ownership type, you can have users manually type in that server URL and Group ID to have that device enroll into that OG specifically. Information on identifying what OG you are in can be found here. You can also change/create a group ID for an OG in Groups and Settings - Groups - Organization Groups - details. More info here.  

2. Move the autodiscovery email domain to a sub-og - Part of Workspace ONE is that you can use your domain to direct where users should enroll. That is, anyone at mycompany.com will be automatically directed to authenticate into, and enroll into, a particular UEM console in a particular group ID. It is common that this is set up at a top level OG. You can, instead, create this autodiscovery email registration at a sub-OG (for BYOD) so users can type their email address and it will point them to the BYOD OG. Corporate devices, setup by OG, can manually enter the corp-owned OG for staging purposes (through something like command line-based enrollment). You can configure the autodiscovery email domain for your UEM environment by following these instructions. 

3. Allow users to select OG to enroll into - By default, Workspace ONE will enroll devices into the OG that they are pointed to (whether it be by manually specified group ID, or by where the email domain is registered for autodiscovery). You can allow users to select the OG to enroll into so that they can effectively select what device ownership the device is subject to. In the UEM console, go to Groups and Settings - All Settings - Devices & Users - General - Enrollment - Grouping tab, see the option "Group ID Assignment Mode". You can select "Prompt User to Select Group ID" so when they are enrolling a device, they will be prompted to select an OG to enroll into.