The admin can add one at a time or use a batch import process to add directory service user groups within Workspace ONE UEM. For when the admin has a limited number of groups to add, adding directory user groups one at a time is ideal. When the admin has multiple groups to add, it is preferable to batch import directory, user groups.
In a .csv (comma-separated values) template file, uploading a list of your existing directory service groups is meant by using the batch import method. For each of the directory service accounts, this method does not immediately create user accounts. However, it makes sure Workspace ONE UEM identifies them as belonging to a configured group. As a way of restricting who can enroll, the admin can then use this recognition.
User groups within Workspace ONE UEM can be synced – with the directory service groups to merge changes or add missing users – automatically when configured with a scheduler.
- Pros – The admin can restrict on a user group level who can enroll with this option of prohibiting enrollment to only known groups. This method allows the admin to assign profiles, policies, content, and apps based on these existing group setups and also keep the existing directory service group infrastructure.
- Cons – Workspace ONE UEM user accounts are not automatically created by uploading directory service user groups. The admin must add those user accounts into the UEM console manually if they have restricted enrollment for known users.
Table of Contents
Individual Directory User Group Addition to Workspace ONE UEM
Take the following steps if the admin has just a few user groups to add to Workspace ONE UEM, to add a directory service user group.
- Go to Accounts, navigate to User Groups, go to List View, click on Add, then select Add User Group.
- In the Add User Group screen, complete the settings as applicable, ensuring the user group Type is Directory.
- Type: The type of User Group is selected.
- Directory – A user group is created that is aligned with the existing active directory structure.
- Custom – A user group is created outside of the organization’s existing Active Directory structure. For basic and Directory users, this user group type grants access to features and content to customize user groups according to the deployment. At a customer-level organization group, Custom user groups can only be added.
- External Type: The external type is selected of the Group the admin is adding.
- Group – Refers to on which the user group is based and is called group object class. Customize this class by going to Groups & Settings, navigate to All Settings, go to system, select Enterprise Integration, click on Directory Services, and select Group.
- Organizational Unit – Refers to on which the user group is based and is called the organizational unit object class. Configure this class by going to Groups & Settings, navigating to All Settings, go to system, click on Enterprise Integration, then click on Directory Services, and select Group.
- Custom Query – By running a custom query, the admin can also create a user group containing users they locate. Choosing this external type replaces the Search Text function but shows the Custom Query section.
- Search Text: by entering the search criteria and selecting Search, identify the name of a user group in the Directory to search for it. A list of group names displays, if a directory group contains the search text. When External Type is toggled to Custom Query, this option is unavailable.
- Directory Name: The address of your directory services server is displayed by this read-only setting.
- Domain and Group Base DN: based on the directory services server information the admin provides, this information automatically populates on the Directory Services page (Navigate to Groups & Settings, go to system, click on Enterprise Integration, and select Directory Services). A list of distinguished name elements is displayed by selecting the Fetch DN plus sign (+) next to the Group Base DN setting, from which the admin can select.
- Custom Object Class: Under which the query runs, identifies the object class. To identify the users with greater success and accuracy, the admin can supply a custom object class, although, by default, the object class is ‘person.’ Only when Custom Query is toggled as External Type, this option is available.
- Group Name: From the Search Text results list, select a Group Name. In the Distinguished Name setting, selecting a group name automatically alters the value. Only after the admin has completed a successful search, this option is available in the Search Text setting.
- Distinguished Name: the full distinguished name of the Group is displayed by this read-only setting that the admin is creating. Only when Group or Organizational Unit is toggled, this option is available as External Type.
- Custom Base DN: The distinguished base name is identified, which serves as the starting point of the query. A base distinguished name is ‘AirWatch’ and ‘sso’ by default. However, the admin can supply a custom base distinguished name if they want to run the query with a different starting point. Only when Custom Query is toggled as External Type, this option is available.
- Organization Group Assignment: This optional setting allows the admin to assign the user group they are creating to a specific organization group. Only when Group or Organizational Unit is toggled as External Type, this option is available.
- User Group Settings: For this user group, select between Apply default settings and Use Custom settings. From the permission settings, the admin can configure this option after the Group is created. Only when Group or Organizational Unit is toggled as External Type, this option is available.
- Custom Query – Query: The currently loaded query is displayed by this setting that runs when the admin selects the Test Query button and when the Continue button is selected. Changes the admin makes to the Custom Object Class setting, or the Custom Logic setting are reflected here.
- Custom Logic: Add the custom query logic here, for instance, user name or admin name. For example, “cn=jdmith”. The admin may include details or as little of the distinguished name as they like. If the syntax of the query is correct before selecting the Continue button is verified by the Test Query button.
- Custom Settings – Management Permissions: To manage the user group the admin is creating, they can allow or disallow all administrators.
- Default Role: From the drop-down menu, select a default role for the user group.
- Default Enrollment Policy: From the drop-down menu, select a default enrollment policy.
- Auto Sync with Directory: This option allows the directory sync from the directory server, which detects user membership and saves it in a temporary table. Unless the Auto Merge option is selected, administrators approve changes to the Console. This setting must be disabled if the admin wants to prevent user groups from automatically syncing during scheduled sync.
- Auto Merge Changes: to apply sync changes automatically, enable this option from the database without administrative approval.
- Maximum Allowable Changes: to set a threshold for the number of automatic user group sync changes, use this setting that can occur before approval must be given. Admin approval is required for changes more than the threshold, and a notification is sent to this effect. Only when Auto Merge Changes are enabled, this option is available.
- Add Group Members Automatically: To add users to the user group automatically, enable this setting. This setting must be disabled if the admin wants to prevent user groups from automatically syncing during scheduled sync.
- When Adding Missing Users, Send Email to User: To send an email to users, enable this setting when missing users are being added to the user group. The temporary user group table is combined with the Active Directory table when Adding missing users is selected.
- Message Template: Only when Send Email to User, this option is available when Adding Missing Users is enabled.
- Induration of the addition of missing users to the user group, select a message template to be used for the email notification.
- The message template availability is based upon the enrollment mode as configured in Groups & Settings, navigate to All Settings, go to Devices & Users, go to General, select Enrollment. Click on Authentication, and make a choice in the Devices Enrollment Mode option when affixing active directory users new within the Workspace ONE UEM console.
- A User Activation email template is available when Open Enrollment is selected as the Devices Enrollment Mode in the Message Template drop-down. This email message allows the new AD user to enroll.
- A Device Activation email template is available when Registered Devices Only is selected as the Devices Enrollment Mode in the Message Template drop-down. The new AD users are enabled to enroll their devices with this email message. The device may be registered with the token embedded if Require Registration Token is enabled in the message.
- Save the settings.
Using the Batch Import process add the Directory User Groups to Workspace ONE UEM
The admin can save time by initiating a batch import process if they have many directory service user groups to affix to Workspace ONE UEM.
- Go to Accounts, navigate to User Groups, select List View, and click on Add.
- Batch Import is selected.
- In the Workspace ONE UEM console, the basic information is provided, including Batch Name and Batch Description.
- Select the Choose File button under Batch File (.csv) to locate and upload the completed CSV file.
- For this batch type, alternately, select the link Download template and save the comma-separated values (CSV) file and utilize it to prepare a new importation file.
- The CSV file is opened, corresponding to the settings that display on the Add User Group page, and are shown with several columns. Columns with an asterisk are compulsory and must be provided with data.
- The file is saved. The last column heading within the CSV file template is titled “Manage(Edit and Delete)/GroupID/UG assignment/Manage(Users and Enrollment)/Admin Inheritance.” This column heading corresponds to the logic of the Permissions tab of the Edit User Group page and to the settings.
- Import is selected.
Merge and Sync Changes Between the Directory Service Groups and Groups in Workspace ONE
Note: To auto-merge and sync changes, the admin can set options between the groups in Workspace ONE Express, directory service groups, and Workspace ONE UEM Powered by AirWatch.
Except for the Bind account password, AD passwords are not saved in the Workspace ONE UEM database utilized to link directory services into the Workspace ONE UEM environment.
The Bind account password is not accessible from the Console and is saved in an encrypted form in the database. For each sync connection, unique session keys are used to the Active Directory server. For Workspace ONE Express, this AD password storage arrangement is the same.
Global catalogs are used, in some instances, to manage multiple domains or AD Forests. Delays while authenticating users or searching for can be due to a complex directory structure. To query multiple forests using one Lightweight, the admin can integrate directly with the global catalog Directory Access Protocol (LDAP) endpoint for preferable results.
Configure the following settings to integrate with the global catalog directly:
Encryption Type = None
Verify that the firewall allows for this traffic on port 3268
Port = 3268
Complete the following steps between your Directory Service Groups and Groups in the Workspace ONE UEM console to auto merge and sync changes.
- Go to Accounts, navigate to Administrators, go to Administrator Settings, and click on Directory Services.
- Select ‘Override’ as the Current Setting, if necessary, to make changes to this settings page.
- In the Directory Type, ensure your organization’s Directory Service is selected.
- The Group tab is selected. Only the Base DN information is displayed by default.
- Select the Fetch DN plus sign (+) for base DN, next to the B
- To display a list of Base DNS, use the DN setting. By selecting from the list, populate this text box. Revisit the settings the admin entered on the Server tab if a list of base DNS does not display before continuing.
- Data is entered in the following settings.
- Group Object Class: The appropriate Object Class is provided. This value should be grouped in most cases.
- Organizational Unit Object Class: The appropriate Organizational User Object Class is provided.
- Select Advanced to display more settings. Provide data in the following text boxes.
- Group Search Filter: The search parameter is provided used to associate user groups with directory service accounts.
- Auto Sync Default: In Workspace ONE UEM configured user groups, this checkbox is selected to automatically add or remove users based on their membership in the directory service.
- Auto Merge Default: Select this check box without administrative approval to automatically apply sync changes.
- Maximum Allowable Changes: The number of maximum allowable group membership changes are provided, which are to be merged into Workspace ONE UEM. Upon syncing with the directory service database, any number of changes detected under this number are automatically merged.
An administrator must manually approve the changes if the number of changes exceeds this threshold before they are applied. A user either joining or leaving a group defines a single change. The Console does not require sync with the directory service as much is meant by a setting of 100 Maximum Allowable Changes.
- Conditional Group Sync: To sync group attributes, enable this option only after changes occur in Active Directory. To sync group attributes regularly, disable this option, regardless of changes in Active Directory.
- Auto-Update Friendly Name: The friendly name is updated when enabled, with group name changes made in the Active Directory.
The friendly name can be customized when disabled, so admins can tell the difference between user groups with identical common names. If the implementation includes organizational unit (OU)-based user groups, this can be useful, with the same common name.
- Attribute: For the listed attribute, review and edit the Mapping Value, if necessary. These columns show the mapping between the directory service attributes (right) and Workspace ONE UEM user attributes (left). These attributes are values most commonly used, by default, in AD. To reflect the values used for own or other directory service types, update these mapping values.
- To verify connectivity, select Test Connection. For every domain listed on the page, the server connection is tested, using the bind user name, server name, and the password provided by the administrator. By clicking the Test Again button, the admin can rerun the test.
The admin can perform the following actions from the User tab:
- Using the drop-down menu, choose the Domain name.
- The user’s directory user name is provided, and select Check User. The user’s information is auto-populated if the system finds a match. Only after the admin has successfully located an active directory user, the remaining settings in this section are available, using the Check User button.
The admin can perform the following actions from the Group tab:
- The External Type is selected of the Group the admin is adding.
- Group – On which the user group is based is referred by the group object class. By navigating to Groups & Settings, customize this class, go to All Settings, click on system, select Enterprise Integration, click on Directory Services, and select Group.
- Organizational Unit – The organizational unit object class is referred to on which the user group is based. By navigating to Groups & Settings, customize this class, go to All Settings, click on system, go to Enterprise Integration, click on Directory Services, and select Group.
- The directory user group name is provided in the Search text.
- The Active Directory name is identified by Directory Name, which is the pre-populated setting.
- Using the drop-down menu, choose the Domain name.
- A list of Domain Names is displayed by Group Base DN from which the admin can select.
- Check Group is selected to verify the group information.
Edit the User Group Permissions
The admin can reconsider who inside the organization can edit certain groups with fine-tuning user group permissions. For example, The admin might not want lower-level administrators to have management permissions for that user group if the organization has a user group for company executives. To authenticate who can manage certain user groups, use the Permissions page and who can assign compliance policies, profiles, and applications to user groups.
- Go to Accounts, navigate to User Groups, and click on ListView.
- The Edit icon is selected for an existing user group row.
- The Permissions tab is selected and then click on Add.
- The Organization Group is selected for which the admin wants to define permissions. Within the root OG hierarchy in the user group, the admin must select an organization group (OG).
- The Permissions are selected the admin wants to enable.
- Manage Group (Edit/Delete) – The ability to edit and delete user groups is activated.
- Allow Enrollment and Manage Users Within Group – Within the user group, manage users to allow a device enrollment in the OG. Only when Manage Group (Edit/Delete) is also enabled, this setting can only be enabled. This setting is also disabled if Manage Group (Edit/Delete) is disabled.
- Use Group For Assignment – to assign security policies and enterprise resources to devices, use the Group. If Manage Group (Edit/Delete) is disabled, this setting can only be changed then. This setting becomes locked and uneditable if Manage Group (Edit/Delete) is enabled.
In case the user group is managed by a parent OG, this setting is disabled, and the admin wants to assign the Group from one of its children’s OGs.
- Which groups of administrators are enabled to manage or use this user group are defined by selecting the Scope of these permissions. Only a single of these options may be active.
- Administrator Only – At the parent OG, the permissions affect only those administrators.
- All Administrators below or at this Organization Group – The permissions affect all administrators in all child OGs underneath and the administrators in the OG.
- Click on Save.
Mapping the User Groups for Enrollment and Console Access
The admin can use the resulting user groups for enrollment and role-based access after adding the directory service groups to Workspace ONE UEM. The admin can map user groups to existing organization groups in terms of device enrollment and automatically select a Group ID depending on a user group. The admin can restrict the level of UEM console access users have (roles) in terms of console access based on their user group membership.
The admin can configure settings to allow users to select a Group ID from a list or select a Group ID automatically based on a user group.
- Go to Groups & Settings, navigate to All Settings, go to Devices & Users, click on General, then click on Enrollment and select the Grouping tab.
- Based on User Group, choose Automatically Select as the Group ID Assignment Mode.
Independent from Workspace ONE UEM, only when the existing directory service is already replete with user group assignments, this option only works then.
Users are automatically assigned to organization groups is ensured by enabling this option based on their directory service group assignments. The Group Assignment Settings section shows all the organization groups (OG), once selected, for the environment and their associated directory service user groups.
The user group assignment is applicable at enrollment time only when the Apply mapping on enrollment only setting is enabled. Devices can be manually moved after enrollment to another organization group. However, the device does not honor any new user group mapping if the Apply mapping on the enrollment-only check box is still enabled. The identity of the admin is captured by the event log requesting this mapping at enrollment time.
- The rank of precedence is set for each Group and modify the organization group/user group associations by selecting Edit Group Assignment. Click on Save when finished.
The rank decides which user group takes precedence if a user belongs to multiple user groups. The user is linked to the OG of the highest-ranked user group to which they belong.
- Like user group mapping to an assignment, map roles, OG, or Console permissions are based on user groups. Enable Directory Group-Based Mapping enables editing of role-based access levels in the User Role Mapping section. Select Edit Assignment similar to the method used in step 3 to edit roles and user groups.
Set the rank of precedence and each Group’s associated role for each user group. In case a user belongs to multiple user groups, just as in step 3, the rank decides which user group, and therefore role, takes precedence. For the highest-ranked user group, the user receives permissions to which they belong. Select Save when finished.
Define new or edit existing Roles and Access the Roles page and by navigating to Accounts and then clicking on Roles.
- Select Save when finished mapping user groups to enrollment organization groups and roles.
Deploying Policies, Apps, and Profiles by User Group
The admin can use directory groups as more criteria after they import the directory groups into Workspace ONE UEM when assigning compliance policies, profiles, apps, and content. The user group acts as an extra filter. If the admin assigns a profile, policy, or application to both an Organization Group (OG) and a user group. This extra filter assigns settings or content by Workspace ONE UEM. In the Group, Workspace ONE UEM is only assigned to users even if the admin selects an OG with many users, with a device that is in the assigned OG. The administrator can use both organization groups and user groups to configure more advanced settings.
There may be a variety of OGs set up for countries, as a good example, with different privacy policies. Make sure only the devices that belong to the suitable OG, if any of the user groups include users from various countries, receive the setting or content. The admin can ensure that only the members in both groups receive the setting or content by selecting the appropriate Organization Group together with the user group.
User Groups and Smart Groups
To configure security authentication groups and business roles, use user groups when configuring the enterprise Mobile Device Management environment within the organization. User groups offer a simple one-to-one relationship to which they belong between your users and the groups.
However, to push settings and content, Smart Groups offer a flexible solution. In addition to OGs and user groups, this solution targets selected devices by model, operating system, and device tags. Smart Groups can also target individual users across multiple organisation groups and user groups.
Deactivate and Reactivate the Users Automatically
When user accounts are deleted or disabled in the directory service, the admin can control how Workspace ONE UEM reacts by using auto-sync in the User tab of Directory Services. In Directory Services, Auto-sync monitors user statuses, and when a user is removed from Directory Services, they are also removed from the linked AirWatch user group and unenrolled from the UEM console.
In any case of what happens to their status in Directory Services, if the admin wants to deactivate a user in AirWatch manually, they can delete their UEM console user account. Do this by going to Accounts, navigating to Users, going to List View, then locating the account the admin wants to delete, select the account by selecting the check box to the left of its entry, clicking on the More Actions button, then click on Delete, and then click on Save at the Bulk Action Message screen, which serves as a delete confirmation.
Users that have been deactivated, conversely, and then reactivated in the directory service are reactivated within the UEM console innately.
Upon Reactivation in Directory Service, Automatically Reactivating Workspace ONE EUM Users
Workspace ONE automatically reactivates a user’s UEM console account when users deactivated in the directory service are later reactivated. This feature requires no console setting and is always on. Also, the event log records this event which can be referred to for troubleshooting.
For Users That Don’t Belong to the User Group, Perform Automatic Enterprise Wipe
The admin can automatically perform an enterprise wipe when users are removed from user groups. The Sync LDAP Groups scheduler task has the same frequency as this check.
enrollment is limited in the following way by the Restrict Enrollment To Configured Groups option:
- Enrollment is limited to users belonging to any user group (All Groups).
- Enrollment is limited for users belonging to a particular user group (Selected Groups).
- Go to Groups & Settings, navigate to All Settings, go to Devices & Users, select General, then click on Enrollment and select the Restrictions tab.
- Toggle the Restrict Enrollment to the Configured Groups option.
- If the admin wants to enterprise wipe all devices not part of any user group automatically, take the following steps.
- All Groups are selected.
- The Enterprise Wipe devices of users are enabled that do not belong to the configured groups option.
- If the admin wants to enterprise wipe all devices not part of only selected user groups automatically, take the following steps.
- Selected Groups are chosen and include the user group names.
- The Enterprise Wipe devices of users are enabled that do not belong to configured groups option.
- Click on Save.
Configure all your Disabled Users accounts to Inactive
When a user account is disabled in the directory service, the admin can enable Workspace ONE UEM to detect and automatically set its linked Workspace ONE UEM user account to inactive.
- Go to Accounts, navigate to Users Settings, and click on Directory Services.
- The User tab is selected.
- By selecting the Advanced hyperlink, see advanced configuration options.
- Toggle the Automatically Sync Enabled Or Disabled User Status slider.
- Select the kind of Lightweight Directory Access Protocol (LDAP) attribute and enter a numeric value and for Value For Disabled Status, used to represent a user’s status.
- If the user status is chosen by a bitwise flag, select “Flag Bit Match” (which is the default for Active Directory). The directory service appraises the user to be disabled if any bits from the property match the value the admin enters. But only in case when Flag Bit Match is selected.
Workspace ONE UEM administrators are set as inactive in the directory service if the admin selects this option and may not be able to log in to the UEM console. In addition, In the directory service, enrolled devices assigned to users who are set as inactive are unenrolled automatically.
Based on the Directory Service Group Membership, Remove Users From User Groups
To auto-detect when a directory service user account is deleted, the admin can enable Workspace ONE UEM and Workspace ONE Express and automatically remove its associated user account from the associated Group.
- Go to Accounts, navigate to User Groups, click on Settings, and select Directory Services.
- The Group tab is selected.
- By selecting the Advanced drop-down, see advanced configuration options.
- To automatically add and delete users in user groups, select the Auto Sync Default check box based on membership in the directory service.