Simplified Enrollment with AirWatch AutoDiscovery

Simplified Enrollment Workflow for End Users

Enrollment is the process of securing a connection to devices and associating them to your AirWatch environment.

Install the AirWatch Agent 

Enrollment begins by installing the AirWatch Agent. The AirWatch Agent is an application that runs on your devices to ensure security, allow real time management functionality, and provide users with access to important device information. 


  • Navigate to from a device browser of your choice. 
  • AirWatch auto-detects if the Agent is already installed and redirects to the appropriate store to download the Agent if needed. 
  • Once installed, launch the Agent to continue enrollment. 

Enroll with your Credentials 

  1. You will now be prompted to enter your email address. 
    • If your email domain is not found, you will be prompted for Environment URL and Group ID.
    • (For Administrator steps to associate an email domain to your environment please see below)
  2. Now provide your username and password to verify your identity and authenticate to the system. 
  3. Follow the remaining prompts to finalize enrollment. 


Configuring an On-Premise environment for Auto-Discovery

Note that these steps are only required for On-Premise environments.  In order to configure your environment to allow Auto-Discovery and simplified enrollment, follow the steps below:

  • At the Global Organization Group, navigate to Groups and Settings -> All Settings -> System Configuration -> Admin -> Cloud Services.
  • Set Auto Discovery Mode to AirWatch ID.
  • Enter a valid AirWatch ID (the account you use to log into myAirWatch) and select Set Identity.
  • Enter the password for your AirWatch ID.
  • Verify that an HMAC Token is present.
  • Verify that Auto Discovery Enabled is selected.
  • Select Save.


Setting up Email Auto-Discovery by AirWatch Admins

Register and Verify your Email Domain

The simplified enrollment workflow leverages the AirWatch AutoDiscovery Service to associate your email domain to your environment. This service checks for email domain uniqueness and will only allow a domain to be registered at one Organization Group* in one Environment. It is therefore recommended that your domain is registered at your highest level Organization Group.

Follow the steps below to register and verify your email domain with the AirWatch AutoDiscovery Service. This will be configured automatically for new SaaS customers that start on at least AirWatch 6.4. 

  1. From the AirWatch Admin Console, navigate to Groups and Settings -> Groups -> Organization Groups -> Organization Group Details at the OG for which you want to set up Auto Discovery. Verify that the group's type is Customer: email domains can only be registered for Organization Groups of type Customer, and if the type is not Customer, the Add Email Domain button will not be visible on the enrollment page.
  2. Navigate to Groups and Settings -> All Settings -> Devices & Users -> General -> Enrollment and choose Add Email Domain.

  3. Verify the Group ID you want to associate with this domain and then enter your Email Domain and Confirmation Email Address. 
    • This Group ID will be used to associate users to your environment and serve as the starting point for possible Group ID selection prompts. 

  4. Verify your email address by clicking the confirmation link in the email sent to the address you provided. 
  5. Add more Email Domains as required, such as or
    • Multiple email domains can be added to the same Organization Group level
    • Consider adding alternate email domains to other Organization Groups to facilitate multi-tenancy 
  6. If you do not receive the confirmation email, make sure SMTP is functioning correctly under Groups and Settings / All Settings / System / Enterprise Integration / Email (SMTP).

On-Premise and SaaS Requirements 

To enable auto-discovery, make sure that your AirWatch Console and Device Services servers (on-premise only) and your devices (SaaS and on-premise deployments) can communicate with the AirWatch AutoDiscovery servers according to the network rules below.

Source Component | Destination Component | Destination Host | Destination IP | Protocol | Port
AirWatch Console and Device Services Servers | AirWatch Auto-Discovery Server | | | |
Devices (Android, iOS, Windows Phone 8) | AirWatch Auto-Discovery Server | | | |


Admin Considerations

Do I have to use this new enrollment process? 

No - this is not a mandatory enrollment change. If your organization prefers to maintain the original method of enrollment, or decides that this workflow is not the best approach for your requirements, users can always choose to provide an Environment URL and Group ID instead of their email address.


You will notice that the new iOS, Android, and Windows Phone 8 agents prompt the user for their email address by default. You should instruct end users to expand the Server URL and Group ID option by clicking “Continue without email address”. If users accidentally provide an email address before it is registered to an environment, the AirWatch AutoDiscovery Service will recognize this and automatically prompt them for Server URL and Group ID.



How will devices be grouped without a Group ID? 

When devices enroll using the email address prompt, they will be enrolled to the group associated with their AirWatch User, based on the Enrollment Location Group field.




The Enrollment Location Group field does not exist in versions of AirWatch prior to 6.2. User accounts created before AirWatch 6.2 that enroll new devices will be enrolled by default to the Organization Group where the email domain for enrollment is configured. If this is not the desired outcome for your users, it can be corrected by prompting them to select a Group ID during enrollment. This can be enabled under System Configurations > Devices & Users > General > Enrollment > Grouping.




If your organization is transitioning away from the use of Group IDs, consider double-checking that new users are created with the correct Enrollment Location Group.

For organizations currently leveraging User Groups for device configurations instead of Group IDs, this approach is fully compatible with the new enrollment process.              
