...
This article provides common enrollment errors, information on where they can be viewed, their resolutions, and relevant documentation.
Enrollment Error: When attempting to enroll with Workspace ONE UEM, one of the following error messages is received (even though the user has verified that they are signing in with the correct credentials):
- "Invalid User Credentials."
- "Failed to validate user credentials."

Location: Device

Cause: This can occur if the account is created at a different organization group in the Workspace ONE Console than where the user is attempting to enroll.

Resolution: To resolve this issue, perform the following steps in the same order. If one step resolves the issue, it is not necessary to move forward to the next step.

Step 1: Check Organization Group (OG)
- If Autodiscovery is being used, make sure the user account is created at the same OG where the email domain is registered, even if the user will be enrolling into a child group.
- For standard enrollment, make sure the user is entering the appropriate Group ID and check if the Group ID is configured for the OG where the device is being enrolled.
- Check if the child OG is inheriting settings from the parent OG and determine whether the User search filter under Directory Services > User tab is configured correctly.

Step 2: Test Directory Service Connection
- Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services and perform a Test Connection to verify directory services are connected as expected.
- If Test Connection fails, check on the server running the ACC/VESC application for whether the ACC/VESC service is running.
- If it is not running:
  1. Start the service or reboot the server.
  2. Ensure that the service starts.
  3. Attempt enrollment again.

Step 3: Verify whether Directory user enrollment has been enabled
- Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
- Make sure the Directory is selected for Authentication Modes.
Step 4: Verify if the user is active in Workspace ONE
- Locate the user account in Workspace ONE.
- In the user detail view, verify if the user account is active. Click More > Activate if the user account is marked as inactive.

Relevant Resource: Workspace ONE Enrollment Error: "Invalid User Credentials" and/or "Failed to validate user credentials."


Enrollment Error: When attempting to enroll a device, the following error appears: "Enrollment Blocked Message: You are not allowed to enroll your device. You have exceeded the maximum number of enrolled devices allowed."

Location: Device

Cause: This error has multiple potential causes:
- The organization group the user is trying to enroll into has a restrictions policy and that policy is currently being violated.
- The number of devices enrolled is equal to or greater than the number of device licenses that have been purchased and the device enrollment limit has been reached.

Resolution:

Restrictions Policy
To resolve this issue, view the enrollment restriction policies that are currently set up in your Workspace ONE UEM environment and update them as needed.
1. On the Workspace ONE UEM Console, go to Groups & Settings > All Settings > Devices & Users > General > Enrollment > Restrictions and review the enrollment restrictions policies.
2. On the Policy Settings section > Restrictions tab, click Add Policy.
3. On the Add/Edit Enrollment Restriction Policy screen, review and edit your policies appropriately so your user can enroll. For more information, see Create an Enrollment Restriction Policy.

Device Licensing
To verify the number of active device licenses currently associated with your environment, navigate to the Customer Connect portal and follow the instructions outlined in the Knowledge Base article Locating Workspace ONE license information in Customer Connect.

Notes:
- If you have exceeded the number of purchased licenses, reach out to our sales team to purchase additional licenses as needed. You can contact our sales team online at https://www.vmware.com/company/contact_sales.html or via phone at 1-877-486-9273 and choose the option for Sales. If you typically purchase through a partner, you can also contact your partner to facilitate this request.
- If enrollment is suspended for your organization group (OG) and your device licenses have expired, refer to the Knowledge Base article "The device licenses have expired. Enrollment is suspended for this organization group." error on Workspace ONE Intelligent Hub to resolve the issue.

Relevant Resource: "You are not allowed to enroll your device. You have exceeded the maximum number of enrolled devices allowed." error on Workspace ONE


Enrollment Error: When typing an email address in Workspace ONE Intelligent Hub during enrollment, the following error occurs: "The device licenses have expired. Enrollment is suspended for this organization group."

Location: Device

Cause: This occurs when the environment has moved to an Expired status.
- This issue often occurs with expired Free Trial environments when the Free Trial term has been completed.
- However, the issue can also occur in Production environments when the Workspace ONE subscription has expired.

Resolution: To resolve this issue, extend or reactivate a Free Trial. Reach out to the Sales Team for assistance.
- You can contact our sales team online, via email (sales@vmware.com), or by phone at 1-877-486-9273 and choose the option for Sales.
- If you typically purchase through a partner, you can also contact your partner to facilitate this request.

Relevant Resource: "The device licenses have expired. Enrollment is suspended for this organization group." error on Workspace ONE Intelligent Hub


Enrollment Error: When attempting to enroll, the user receives one of the following "Enrollment Blocked" errors:
- "Your account is not allowed to enroll. Please contact your system administrator."
- "Enrollment blocked: You are not allowed to enroll your device. Please contact your administrator."
- "This device is registered to another user. Contact your administrator"

Location: Device

Cause: This behavior may occur when the account has been blocked, or another user is registered to the device, or when settings are not configured as expected in the Workspace ONE UEM Console.
- "Your account is not allowed to enroll. Please contact your system administrator." It is possible that the settings on the UEM Console do not allow external accounts (accounts not yet added to the UEM console) to enroll the device.
- "Enrollment blocked: You are not allowed to enroll your device. Please contact your administrator." The console admin might have configured settings that restrict enrollment to only Registered devices. This issue occurs if the device is not registered by the admin.
- "Enrollment blocked: This device is registered to another user. Contact your administrator" This issue occurs on Corporate-Owned devices where the device is still registered to the previous user. You must delete and re-register the device with the new user.

Resolution: To resolve these errors, verify whether the restrictions below are currently in place:

"Your account is not allowed to enroll. Please contact your system administrator."
1. Within the Workspace ONE UEM Console, switch your view to the organization group where the device is attempting to enroll, then navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
2. Click on Restrictions and determine if any enrollment restrictions are in place.
   - If the Restrict Enrollment To Known Users option is selected, ensure the relevant user account is already present in the Console before enrollment.
   - If the option Restrict Enrollment To Configured Groups is selected, ensure that the user is included in those approved user groups.
Note: If you would prefer that no restrictions are in place, disable the two options listed above.

"Enrollment blocked: You are not allowed to enroll your device. Please contact your administrator."
1. Within the Workspace ONE UEM Console, switch your view to the organization group where the device is attempting to enroll, then navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
2. Under the Authentication tab, check the Device Enrollment Mode setting. It will be set to 'Registered devices only'.
3. Navigate to the UEM Console home screen and click Accounts > Users > List View.
4. Select the user in question and click Add Device located on the top-right section.
5. Fill in the required details to register a device for the user and save the changes.
6. Try enrollment after making these changes.

"Enrollment blocked: This device is registered to another user. Contact your administrator"
1. Log into the relevant Workspace ONE UEM Console.
2. Navigate to Devices > Lifecycle > Enrollment Status and search for the affected device using the parameter used to register the device previously (e.g. serial number, IMEI number, etc.). Alternatively, you can also search for the user to which the device was previously enrolled.
3. Once the device is found, click on the check box next to the device name. Click More Actions, revoke the token from the device, and then proceed to delete it. Double-check that you are deleting the correct device and that it is not currently enrolled to any user.
4. When the device registration is deleted, register this device again with the new user. Register the device following steps as suggested in the Error 2 resolution and ask the user to enroll the device.

If you are attempting to unenroll and reenroll the same device into Workspace ONE, see How to Unenroll and Reenroll devices into Workspace ONE UEM.

Relevant Resource: Error: "Enrollment Blocked" during Workspace ONE enrollment


Enrollment Error: When attempting to enroll devices into Workspace ONE UEM, you see the error: "Please wait while we process the enterprise EULA."

Location: Device

Cause: The Organization Group (OG) where the user is attempting to enroll may not have a Group ID assigned.
Resolution: To resolve this issue, verify that the Organization Group (OG) where the user is attempting to enroll has a Group ID assigned. To confirm the Group ID of the Organization Group:
1. Hover over the name of the OG or navigate to Groups & Settings > Groups > Organization Groups > Details in the Workspace ONE UEM Console.
2. If the field is blank and no Group ID is present, add a new Group ID composed of alpha-numeric characters and click Save.
For illustration, refer to Resolution step 3a on Knowledge Base article "Group ID is missing" error when you register, enroll, manage devices within OG on Workspace ONE.

Relevant Resource: Error "Please wait while we process the enterprise EULA" during Workspace ONE enrollment


Enrollment Error: When attempting to enroll an iOS device with Workspace ONE, you are presented with the following error message: "Device Not Approved, You are not allowed to enroll your device. Please contact your administrator if you feel you have received this message in error"

Location: Device

Cause: This error may occur when:
- The account has been blocked, or another user is registered to the device, or when settings are not configured as expected in the Workspace ONE UEM Console.
- The organization group (OG) that you are attempting to enroll in has the setting Registered Device Only enabled.
- There is an enrollment restriction policy in the OG where the device is trying to enroll which restricts a particular model or OS from enrolling.

Resolution: To resolve this issue, use one of these options:

Option 1: Register the device
Create a device registration record for the user in the Workspace ONE UEM Console:
- Navigate to Device List View and click on Add Device to register the device for the user.
- Alternatively, you can enable Open Enrollment by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment, and selecting Open Enrollment.

Option 2: Check if there is any enrollment restriction in the OG (Organization Group)
1. Update your view in the Console to the OG where enrollment is being attempted.
2. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
3. Go to the Restrictions tab and view Policy Settings. A restriction policy to block or allow certain OS/Platform will likely be present. Change the setting to ensure the OS/Platform of the device you are going to enroll is allowed.

Option 3: Check if the device is added to the Denylist (also known as Blacklist in some older console versions)
1. In the Console, navigate to Devices > LifeCycle > Enrollment Status.
2. Select Filters and choose Denylist under Enrollment Status. Verify whether the device you are enrolling is on a denylist. Note: Older versions of the Console may have this filter labeled as Blacklisted.
3. If the device is present, it is likely that the device was placed on the denylist when the device was last unenrolled, as the option to add the device to the denylist is presented upon unenrolling from the Console.
4. Remove the device from the denylist. For more information, see How to remove a device from the Deny List on Workspace ONE.

Relevant Resource: "Enrollment Denied, Device Not Approved" error during iOS device enrollment in Workspace ONE


Enrollment Error: When attempting to enroll devices through tag-based assignment, the error "403: Not allowed" occurs on Workspace ONE UEM. This error can be viewed in IIS logs, API logs, API tool responses, and the Intelligence activity tab (for tags using automation).

Location: Workspace ONE UEM Console

Cause: This error occurs when the Assign Tag limit has been reached. The Assign Tag limit can be viewed in the Workspace ONE UEM Console by navigating to Devices & Settings > All Settings > Device & Users > Advanced > Bulk Management and scrolling to the Assign/Unassign Tag field. This can also be verified through API logs and Intelligence activity logs.
Resolution: To resolve this issue:
1. Within the Workspace ONE UEM Console, navigate to Groups & Settings > All Settings > Device & Users > Advanced > Bulk Management.
2. Scroll down to the Assign/Unassign Tag field and increase the number listed there to represent the number of devices you would like to enroll using the tag-based assignment.
3. Finally, click the Save button in the lower right-hand corner.

Relevant Resource: Enrolling devices based on tag assignment fails with error "403: Not allowed" on Workspace ONE UEM


Enrollment Error: Device enrollment fails or will not enroll successfully into the Workspace ONE UEM Console. You might observe these errors:
- A time out error is received: "Page not loading. Go back to the previous page or refresh the page to try again."
- The enrollment process cycles through a continuous loop without completion.

Location: Device

Resolution: To resolve this issue, follow these troubleshooting steps:
1. Check the Enrollment Restrictions in the Workspace ONE UEM Console. Ensure that certain device types are correctly blocked from enrollment. Refer to Error: "Your account is not allowed to enroll. Please contact your system administrator" during Workspace ONE enrollment for additional details on enrollment restrictions.
2. If the issue affects a certain Organization Group, attempt enrollment in other OGs. Try to determine if the issue is isolated or global. For more information, see Organization Groups.
3. Attempt to reproduce the issue with different user types (Basic and Directory users). The authentication flows are different for these user types, so this can help isolate the issue. Refer to Basic vs. Directory Services Enrollment for details on these separate user and enrollment types.
4. Attempt to enroll different device types (iOS, Android, etc.) that are supported in your environment. Again, this can help isolate where the issue lies.
5. Determine if the issue only affects certain networks. Attempt to enroll in 3G and various WiFi networks.
6. Check that the Device Service Server clock is set accurately. This can affect SSL connections if it is more than a few minutes off the device time (after factoring in time zone differences).
7. Check Device Service Server utilization by right-clicking on the taskbar and opening Task Manager. Ensure that the processes and CPU utilization are functioning as expected. Note: Ensure that CPU utilization is less than 75-80% usage as this could cause slowness in enrollment/command processing, which eventually may result in time-outs during the enrollment process. If need be, add additional processing power for this server for smooth processing.
If this issue persists, reach out to Workspace ONE Support by filing a ticket or starting a Chat in the My Workspace ONE portal.

Relevant Resource: "Page not loading. Go back to the previous page or refresh the page to try again" time out error and/or enrollment stuck with Workspace ONE


Enrollment Error: In the Workspace ONE UEM Console, you see an error when you attempt to register, enroll, and/or manage devices within Organization Group (OG) that indicates: "Save Failed due to Group ID missing." A similar error that commonly occurs is: "Save Failed: Device registration is not allowed at this Organization Group because Group ID is missing. Please create a Group ID for this Organization Group."

Location: Workspace ONE UEM Console

Resolution: To resolve this issue, add the Group ID for the Organization Group (OG):
1. Within the Workspace ONE UEM Console, locate the OG where the Group ID needs to be added.
2. Navigate to Groups & Settings > Groups > Organization Groups > Details.
3. A Group ID field will be present on this page. Edit the text within the field by adding a new Group ID composed of alpha-numeric characters and click Save. If text is not already present within the Group ID field and it is blank, follow the same process (add a new Group ID composed of alpha-numeric characters and click Save).

Relevant Resource: "Group ID missing" error when attempting to register, enroll, and/or manage devices within OG in Workspace ONE UEM


Enrollment Error: When attempting to enroll a device into Workspace ONE with Android for Work, the following error is received: "Enrollment Blocked The domain being used is not a registered sub domain."

Location: Device

Cause: This error often occurs with the G-suite method of enrollment when the email address of the enrollment user account does not feature the same domain as the domain used for the Android for Work (AfW) configuration.

Resolution: To resolve this error, ensure that the enrollment user account features the same domain as the one used for the Android for Work configuration. Verify the domain on the following two areas within the Workspace ONE UEM Console:

Android EMM Registration page:
1. Navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration.
2. Ensure that the domain being used is present on this page.
Note: Android EMM may still appear as Android for Work in older Console versions.

Enrollment Settings page:
1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
2. Navigate to the Authentication tab.
3. Ensure that the domain being used is present in the domain list on this page and that its associated status is listed as Complete. If it is not present, please manually enter it so that it is approved and added to the list.

Relevant Resource: Attempting to enroll device into Workspace ONE with Android for Work reports error: "Enrollment Blocked The domain being used is not a registered sub domain"


Enrollment Error: When attempting to enroll Windows desktop devices into Workspace ONE UEM, you see the error "DM Enrollment Failed".

Location: Device

Resolution: To resolve this issue, work through the following steps. Note: If one step resolves the issue, it is not necessary to move forward to the next step.
1. If the original attempt to enroll the device was made via Intelligent Hub, attempt to enroll the device through the Native - Work Access workflow. Conversely, if the original attempt to enroll the device was made via the Native - Work Access workflow, attempt to enroll the device via Intelligent Hub. For additional details on these workflows, see Workspace ONE Intelligent Hub for Windows Enrollment and Native MDM Enrollment for Windows Desktop.
2. Ensure that Admin rights to enroll the device are enabled on the desktop.
3. Ensure that the device root certificate in the Workspace ONE UEM Console is in pfx format. You can verify this by navigating to Groups & Settings > All Settings > System > Advanced > Device Root Certificate. If the device root certificate type is listed as cert, it will be necessary to generate a new certificate by selecting the Generate New Certificate button on the page. The device should now enroll successfully.

Relevant Resource: "DM Enrollment Failed" error when enrolling Windows desktop devices with Workspace ONE


Enrollment Error: When attempting to delete and wipe devices in the Workspace ONE UEM Console, you receive the following error message: "The wipe limit has been reached."

Location: Workspace ONE UEM Console

Cause: The Wipe Protection settings within the Workspace ONE UEM Console are used for configuring the number of wipe commands in a specific time frame (such as ten wipe commands per every five minutes). If devices are wiped faster than the specified rate, the system will block the wipe command temporarily and present the error.

Resolution: If wipe commands do not process on devices and/or you receive the aforementioned error, navigate in the Workspace ONE UEM Console to Devices > Lifecycle > Wipe Log. If it is locked, select Unlock System. You can view the Wipe Protection settings within the Workspace ONE UEM Console by navigating to Settings > Devices & Users > Advanced > Wipe Protection.

To modify the maximum number of wipe commands allowed at one instance (and therefore resolve the error):
- Set the maximum wipe commands allowed at one instance under Settings > Devices & Users > Advanced > Bulk Management. This setting helps in sending wipe commands to multiple devices at the same time.
- Select Override to change this value as needed.
Note: Some commands can be stopped before they are executed by navigating to Devices > Lifecycle > Wipe Log > Filters > Status > On Hold. These are the devices set for a Wipe command; only these commands can be stopped. If the command has already been processed, the procedure cannot be reversed.

Relevant Resource: Error: "The wipe limit has been reached" when attempting to unenroll devices from Workspace ONE
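
The Wipe Protection threshold described above (for instance ten wipe commands per five minutes) can be replayed over an exported wipe log to see which bursts would have tripped it and which admin accounts issued them. This is an added example, not VMware code or part of the original article; the comma-separated row layout, account names and device IDs are constructed, and treating a burst as more than max_wipes commands inside one window is an assumption about how the limit is applied.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed wipe-log rows: timestamp, admin account, device ID. The layout and
# every value are made up for this example; map your own export onto it.
SAMPLE_LOG = """\
2024-03-01T09:00:00,helpdesk1,DEV-001
2024-03-01T09:20:00,helpdesk1,DEV-002
2024-03-01T10:00:05,svc-automation,DEV-010
2024-03-01T10:00:20,svc-automation,DEV-011
2024-03-01T10:00:41,svc-automation,DEV-012
2024-03-01T10:01:02,svc-automation,DEV-013
2024-03-01T10:01:30,helpdesk2,DEV-014
not-a-timestamp,helpdesk2,DEV-015
2024-03-01T11:30:00,helpdesk1,DEV-020
"""


def parse_rows(text):
    """Return (events sorted by time, lines that could not be parsed)."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except (ValueError, IndexError):
            rejected.append(line)  # surface bad rows instead of dropping them
    return sorted(events), rejected


def find_wipe_bursts(events, max_wipes=10, window=timedelta(minutes=5)):
    """Group wipes that belong to a window holding more than max_wipes commands."""
    flagged = set()
    start = 0
    for end in range(len(events)):
        # Slide the window start forward until it is within `window` of this event.
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 > max_wipes:
            flagged.update(range(start, end + 1))

    # Consecutive flagged events form one burst unless a long gap separates them.
    groups = []
    for i in sorted(flagged):
        adjacent = groups and i == groups[-1][-1] + 1
        if adjacent and events[i][0] - events[i - 1][0] <= window:
            groups[-1].append(i)
        else:
            groups.append([i])

    return [
        {
            "start": events[g[0]][0],
            "end": events[g[-1]][0],
            "count": len(g),
            "admins": Counter(events[i][1] for i in g),
            "devices": [events[i][2] for i in g],
        }
        for g in groups
    ]


if __name__ == "__main__":
    events, rejected = parse_rows(SAMPLE_LOG)
    # Threshold lowered to 3 so the small constructed sample triggers.
    for burst in find_wipe_bursts(events, max_wipes=3):
        print(burst["start"], burst["end"], burst["count"], dict(burst["admins"]))
    print("unparsed rows:", rejected)
```

Reviewing the accounts behind a burst before selecting Unlock System helps distinguish a planned bulk retirement from wipes issued by an unexpected account.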
For additional enrollment troubleshooting techniques, see Device enrollment issues with Workspace ONE. For Workspace ONE enrollment information, see Workspace ONE Enrollment Guide. Details on how to unenroll and reenroll devices with Workspace ONE are available at How to Un-enroll and Re-enroll devices from Workspace ONE UEM Console and using Intelligent Hub. To address HTTP Error Codes encountered during enrollment, see Understanding commonly encountered HTTP Error Codes during Workspace ONE troubleshooting.