Troubleshooting Workspace ONE Auto Discovery

Workspace ONE UEM simplifies enrollment with an auto discovery system that routes devices to the right environment and organization group (OG) based on the user's email address. Auto discovery also lets end users authenticate to the Self-Service Portal (SSP) with their email address.

It’s a nice feature, but recently some customers reached out to me, saying that it’s not working for them, especially when deploying Workspace ONE UEM on premises.

The cloud side is straightforward: the Intelligent Hub makes an API call to VMware’s Workspace ONE discovery service with the user's email domain, and the service returns a JSON document with your device services server and organization group (Group ID), which are then pre-filled in the Workspace ONE Intelligent Hub app. So, what can go wrong?

#1 Network Connectivity

If you are using a SaaS (cloud-based) installation of Workspace ONE, you can skip this section: the problem is certainly not the network, because the console servers are hosted by VMware.

For an on-premises installation, make sure outbound TCP port 443 is open from your console servers to the cloud-hosted discovery servers (discovery.awmdm.com and signing.awmdm.com), including through any outbound proxy the console servers use. A quick test is to open a TCP connection on 443 to both host names from the console server itself, not from your workstation. More about the required ports can be found in the official documentation here: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1903/WS1_Recommend_Arch.pdf?hWord=N4IghgNiBcIE4FMCOBXAlogJgAgA4Hs4AXAZ2wGN8A7E-KAXyA

#2 There is no “Auto discovery form” in your console

You open your freshly installed console, go to Groups & Settings > All Settings > Devices & Users > General > Enrollment, but on the Authentication tab, where you would normally add your email domains, there is nothing. Most probably you forgot to integrate with VMware’s cloud services…

Go to Groups & Settings > All Settings > Admin > Cloud Services… You don’t see this section in settings? You must be switched to your Global organization group. What? You don’t see Global? Then switch your role from “Console Admin” to “System Admin”…

OK, so go to Groups & Settings > All Settings > Admin > Cloud Services, click Override and configure the first section. You will need a My Workspace ONE account and a discovery password. That password is NOT the one you use to log in to My Workspace ONE; it is generated separately at https://my.workspaceone.com/set-discovery-password. If you have entered everything correctly, the HMAC token is populated and you can flip the switch below to enable AirWatch Auto Discovery. Treat the discovery password and the HMAC token as secrets: they are what authenticate your console to VMware's cloud services.

And voilà, the form for binding domains is now visible under the enrollment settings.

#3 Nothing happened after entering the domain and verification email

When you enter your domain and an email address, the Workspace ONE console sends an email to that address asking for confirmation. In a SaaS environment the SMTP server is already configured, so this works out of the box.

For on premises, SMTP is not configured by default, so configure it in Groups & Settings > All Settings > System > Enterprise Integration > Email (SMTP) before you try to add your auto discovery email domain. Otherwise the console has no way to send the verification email, and nothing will arrive.

#4 Error after clicking the validation link

Actually, two things might have happened. The first is that you took your time and the link expired (links expire after 24 hours). In that case just click the Resend button in the console and do it again. You will know this is the case because the status of your domain is “pending”.

If the status is “not allowed”, or clicking the link gives the error shown in the screenshot, the domain is already registered to a different Workspace ONE server and Group ID. There is an easy way to check the current setup: just open this URL (replace the last part with the domain you are trying to register):

https://discovery.awmdm.com/Autodiscovery/awcredentials.aws/v2/domainlookup/domain/minarik.io

It will return a JSON document with the current configuration, something like this:

{
  "EnrollmentUrl":"https://ds1300.awmdm.com/DeviceManagement/Enrollment",
  "GroupId":"minarik"
}

If you have admin access to that environment, you can unregister the domain manually from its Workspace ONE console, on the same Authentication tab under enrollment settings where the domain was bound.

If you don’t, or if the URL returns a blank page (meaning nothing is registered for that domain), you will need to open a support request with VMware.
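The two checks above that can be scripted are the port check from #1 and the domain lookup from #4. The script below is an added example, not code from the original post or from VMware: it tries a TCP connection on 443 to discovery.awmdm.com and signing.awmdm.com, then queries the public domainlookup URL quoted above and reports which device services server and Group ID own the domain. It assumes, as the post states, that an unregistered domain comes back as an empty body; how the service reports other failures (HTTP status codes) is not covered by the post, so those are simply surfaced as errors. The sample response embedded in the script is the one shown above and is used only for offline testing.

```python
# Added example (not from the original post or from VMware): reachability
# check for the discovery hosts plus a domainlookup query, run from a
# console server. Usage:  python wsone_discovery_check.py user@example.com
import json
import socket
import sys
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

DISCOVERY_HOST = "discovery.awmdm.com"
SIGNING_HOST = "signing.awmdm.com"
LOOKUP_URL = ("https://discovery.awmdm.com/Autodiscovery/awcredentials.aws"
              "/v2/domainlookup/domain/{domain}")

# Response body quoted in the post, used only for the offline self-test.
SAMPLE_RESPONSE = ('{"EnrollmentUrl":"https://ds1300.awmdm.com/DeviceManagement/Enrollment",'
                   '"GroupId":"minarik"}')


def tcp_reachable(host, port=443, timeout=5.0):
    """True if a TCP handshake to host:port completes. Any socket error
    (refused, timeout, DNS failure) is reported as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def domain_from_email(email):
    """The part of the address auto discovery keys on: the domain after the
    '@', lower-cased. Rejects strings that are not a plausible address."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def parse_lookup_response(body):
    """Interpret the body of a domainlookup response.

    An empty body means nothing is registered for the domain (returns None).
    Otherwise the body must be a JSON object carrying EnrollmentUrl and
    GroupId; only those two fields are returned.
    """
    text = body.strip()
    if not text:
        return None
    data = json.loads(text)
    if not isinstance(data, dict) or not all(k in data for k in ("EnrollmentUrl", "GroupId")):
        raise ValueError(f"unexpected lookup response: {text[:200]!r}")
    return {"EnrollmentUrl": data["EnrollmentUrl"], "GroupId": data["GroupId"]}


def enrollment_host(record):
    """Host name of the device services server named in a lookup record."""
    return urlsplit(record["EnrollmentUrl"]).hostname


def lookup_domain(domain, timeout=10.0):
    """Query the discovery service for one domain. Raises HTTPError or
    URLError when the service cannot be reached or rejects the request."""
    req = urllib.request.Request(LOOKUP_URL.format(domain=domain),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_lookup_response(resp.read().decode("utf-8", "replace"))


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <email address or domain>")
        return 2
    target = argv[1]
    domain = domain_from_email(target) if "@" in target else target.strip().lower()

    # Check #1 from the post: outbound 443 to both cloud discovery hosts.
    for host in (DISCOVERY_HOST, SIGNING_HOST):
        state = "reachable" if tcp_reachable(host) else "BLOCKED"
        print(f"{host}:443 {state}")

    # Check #4 from the post: which environment owns the domain right now?
    try:
        record = lookup_domain(domain)
    except (HTTPError, URLError) as exc:
        print(f"{domain}: lookup failed ({exc})")
        return 1
    if record is None:
        print(f"{domain}: nothing registered (blank response)")
    else:
        print(f"{domain}: registered to {enrollment_host(record)} "
              f"with Group ID {record['GroupId']!r}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the console server, not on your laptop, since the point of the port check is the console server's own egress path. A "BLOCKED" line for either host means the firewall or proxy work in #1 is still outstanding; a populated record for your domain points you at the environment you need access to (or need to name in the support request).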