Skip to content

Workspace ONE: as Target

Required environment’s information

You need to first set up all general prerequisites before proceeding to this guide.

Configure your users

In order for Exodus to verify that each of your Source Tenant users is present in your Target Tenant, you need to make sure that each user's email in your Source Tenant matches the email value of the associated user in the Target Tenant.

Warning

Any device for which Exodus can't find a matching user in the Target Tenant, will be marked as failed with a sub-status: Target user not found (see the Console Guide's Device Statuses section for more details).

The next steps depend on the type of devices that you are about to migrate. Refer to the below sections accordingly.

iOS

Setup token authentication

In order to be able to enroll your devices in your Target Tenant, you'll need to enable token authentication.

To do so, in your Workspace ONE portal, navigate to DevicesDevice SettingsDevices & UsersGeneralEnrollment and select the Authentication tab.

Scroll down and select Registered Devices Only as the Devices Enrollment Mode (see Fig. 1.1).

  1. A checkbox labeled Require Registration Token appears. Enabled this option to restrict enrollment to only token-registered devices.
  2. Select Single-Factor as Registration Token Type
  3. Set the Registration Token Length. This required setting denotes how complex the Registration Token is and must contain a value between 6 and 20 alphanumeric characters in length.
  4. Set the Token Expiration Time (in hours). This required setting is the amount of time an end-user will have to migrate his device before requiring a new Workspace ONE enrollment token.

Figure 1.1

App Assignment Screenshot

Info

If your iOS devices are going through an Erase, the steps above are not required.

If your iOS devices are bound to Apple's Automated Device Enrollment (ADE) program, you must follow the extra steps below.
If your iOS devices are not bound to ADE, then no extra steps are required.

Access to Apple Business Manager portal

You must have access to the Apple Business Manager portal where both your Source and Target Tenants are configured.

This is required so that you can reassign the ADE devices to the Target Tenant virtual server.

Warning

To avoid any false device reallocation in the event of an Erase, devices must be reassigned prior to any device migration.

ADE Profile

Before proceeding to the migration, you need to check the configuration of your ADE profile in your Target's Workspace ONE portal in Groups & SettingsAll SettingsDevices & UsersAppleDevice Enrollment Program.

Set up the ADE Profile

In order to allow Exodus to migrate all your users without the need for them to authenticate once the migration is done, we need you to configure your Target Tenant's ADE Profile with the following settings:

  1. Set Authentication to OFF to disable the authentication screen during enrollment.
  2. Set Staging Mode to Single user device.
  3. Set Default Staging User to the Default Staging User which is created by default on every Workspace ONE Tenants. This is the user that will authenticate automatically on the device during the re-enrollment.

Figure 1.1

Figure 1.1

Assign the ADE Profile

Next, you must assign a default ADE profile in Groups & SettingsAll SettingsDevices & UsersAppleDevice Enrollment Program (see Fig. 2.1).

Figure 2.1

Figure 2.1

Android

In order to be able to enroll your devices in your Target Tenant, you'll need to enable token authentication.

To do so, in your Workspace ONE portal, navigate to DevicesDevice SettingsDevices & UsersGeneralEnrollment and select the Authentication tab.

Scroll down and select Registered Devices Only as the Devices Enrollment Mode (see Fig. 1.1).

  1. A checkbox labeled Require Registration Token appears. Enabled this option to restrict enrollment to only token-registered devices.
  2. Select Single-Factor as Registration Token Type
  3. Set the Registration Token Length. This required setting denotes how complex the Registration Token is and must contain a value between 6 and 20 alphanumeric characters in length.
  4. Set the Token Expiration Time (in hours). This required setting is the amount of time an end-user will have to migrate his device before requiring a new Workspace ONE enrollment token.

Figure 1.1

App Assignment Screenshot

If your Android devices are bound to Google's Android Enterprise (AE) program, you must follow the extra steps below.
If your Android devices are not bound to AE, then no extra steps are required.

Google account setup

You first need a regular Google account or a G Suite account with administration rights.

Then you need to link this account to your Workspace ONE Target Tenant. To do so, in your Workspace ONE portal, go to Groups & SettingsAll SettingsDevices & UsersAndroidAndroid EMM Registration and verify that your account is correctly setup following the official documentation.

Enrollment token and QR Code

Once configured, you'll need to provide to your users an enrollment token or a QR Code, so they can finish the Fully Managed enrollment process successfully.

To do so, go to Device > Lifecycle > Staging > List View and click on Configure Enrollment then follow the Enrollment Configuration Wizard to match your organization requirements.
See the official documentation for further details.