Introduction

Including attribute mapping for user groups and users, the Directory services setup requires the admin to integrate the Workspace ONE UEM environment with the directory service. Currently, multi-domain single forest integration is supported by Workspace One. Multi-domain multi-forest integration works, however, if using LDAP – Active Directory when there is a two-way transitive trust is available at the Forest level. To configure the settings, use the Directory Services page that lets the admin integrate the Workspace ONE UEM server with the domain controller (the server hosting your directory services).

Also, configure Security Assertion Markup Language (SAML) settings on this page. The admin can filter searches after entering server settings to identify users and groups. The admin can set options between the directory service groups and Workspace ONE UEM configured groups to auto-merge and sync. The admin can also map attribute values between Workspace ONE UEM user attributes and the directory attributes.

Note: directory services integration requires the admin to install the VMware Enterprise Systems Connector for Software as a Service (SaaS) customers.

Set up Directory Services with a Wizard

To help streamline the directory services setup process, the Workspace ONE UEM console provides a simplified wizard. To integrate either Lightweight Directory Access Protocol (LDAP), or Security Assertion Markup Language (SAML), or both, this setup is useful.

The delivery of Workspace ONE UEM applications to VMware Identity Manager is automated by the wizard, greatly simplifying the process.

Note: If SAML or LDAP settings are already configured on the directory services server, the UEM console detects it automatically.

1. From two places, the directory services setup wizard can be accessed.

• Getting Started Wizard on the main UEM console.
• Go to Groups & Settings, navigate to All Settings, click on system, select Enterprise Integration, go to Directory Services and click on Start Setup Wizard.

2. Select Configure upon launching the wizard to follow the steps.

Alternately, configure manually and Skip wizard and configure settings on their own.

Manually Setup Directory Services

To get started with Workspace ONE UEM Powered by AirWatch or Workspace ONE Express, the admin can skip the wizard If they want to customize the directory service settings and configure settings manually.

To manually configure the User, Server, and Group settings, go to Accounts, navigate to Administrators, click on Administrator Settings, and select Directory Services for the Directory service.

1. Go to Accounts, click on Administrators, select Administrator Settings, click on Directory Services, select server and configure LDAP settings.

• Directory Type: The type of directory service the organisation uses is selected. Open-source LDAP for directory services is supported by Workspace ONE UEM and Workspace ONE Express.
• DNS SRV: The Domain Name System Service Record is enabled to determine which server in its prioritized list of servers can best provide support to LDAP requests. In a high availability environment, this feature ensures continuity of services. By default, the setting is Disabled.

Workspace ONE UEM uses the existing directory server with this option disabled, the address of which the admin enters in the Server setting.

Supported DNS servers:

• Microsoft DNS servers which are Active Directory-integrated
• Microsoft DNS Standalone servers

Some Info related to DNS Config:

• Server: Provide the address of the directory server. When Enable DNS SRV is Disabled, this setting is only available then.
• Encryption Type: For a directory services communication, select the type of encryption to use. The options available are SSL, None (unencrypted), and Start TLS.
• Port: The Transmission Control Protocol (TCP) port is provided, which is used to connect and communicate with the domain controller.

For the unencrypted LDAP directory service communication, the default port is 389. The Port setting automatically converts to 636 when the admin changes the Encryption Type setting to SSL.

The Port setting automatically changes to 3268 when the admin selects the Add Domain button.

• Verify SSL Certificate: when the Encryption Type is SSL or Start TLS, this setting is only available. By selecting the SSL check box, receive SSL errors.
• Protocol Version: The Lightweight Directory Access Protocol (LDAP) version is chosen that is in use. Active Directory utilizes LDAP versions 2 or 3. Try the commonly used value of ‘3’ if the admin is unsure which Protocol Version to use.
• Use Service Account Credentials: To authenticate with the server’s domain controller, use the App pool credentials on which the VMware Enterprise Systems Connector is installed. The Bind user name and Bind Password settings are hidden by enabling this option.
• Bind Authentication Type: To enable the AirWatch server to communicate with the domain controller, choose the type of bind authentication.

The admin can select Basic, Digest, Anonymous, Kerberos, NTLM, or GSS-NEGOTIATE. Begin by configuring the bind authentication type to Basic if the admin is unsure of which Bind Authentication Type to use. When the admin clicks Test Connection, know if the selection is not correct.

• Bind User Name: The credentials are provided to authenticate with the domain controller. For instance, the admin can enter either “Domain\username or Username.” Read-access permission on the directory server is enabled by this account (which the entered user name identifies) allows and binds the connection when authorizing the users. Try the commonly used GSS-NEGOTIATE if the admin is unsure of which Bind Authentication Type to use. When the Test Connection button is clicked, know if the selection is not correct. By clicking the Clear Bind Password check box, clear the bind password from the database.
• Bind Password: To authenticate with the directory server, provide the password for the bind user name.
• Domain /Server: Provide the default domain and server name for any directory-based user accounts. The text box provides the domain if only one domain is used for all directory user accounts. Without explicitly stating their domain, this entry means that users are authenticated.
• By selecting the Add Domain option, the admin can add more domains. Ensure that all the domains are in the same forest. In this case, the port setting is automatically changed to 3268 for the Workspace ONE UEM global catalog. For SSL encrypted traffic, the admin can change the port setting to 3269 or override it completely by entering a separate port.
• Is there a trust relationship between all domains?: only when the admin has more than one domain added this setting is available.
• If the binding account has authority to access other domains, select Yes the admin added. The binding account can successfully sign in from more domains with this added permission.

2. After selecting the Advanced section drop-down, complete the following available options.

• Search Subdomains: To find nested users, enable subdomain searching.
• Make searches faster and avoid network issues by leaving this option disabled. However, under the base Domain Name (DN), users and groups located in subdomains are not identified.
• Connection Timeout: Provide the LDAP connection timeout value (in seconds).
• Request Timeout: Provide the LDAP query request timeout value (in seconds).
• Search without base DN: When using a global catalog, enable this option, and when the admin does not want to require a base DN to search for users and groups.
• Use Recursive OID at Enrollment: Verify the user group membership at the time of enrollment. Performance can decrease with some directories ss. The system runs this attribute at enrollment time.
• Use Recursive OID For Group Sync: Verify the user group membership at Group synchronisation.
• Object Identifier Data Type: Choose the unique identifier that never changes for a User or Group. The options available are String and Binary. The Object Identifier is provided in a Binary format, typically.
• Sort Control: Allow this option to enable sorting. It can make searches faster if this option is disabled and avoid sync timeouts.

3. For Identity Services, Configure Azure AD(Optional).

Only if enabling Use Azure AD for Identity Services and the following settings are available and are only applicable if the admin is integrating with Azure Active Directory.

At the tenant where Active Directory (such as LDAP) is configured, Azure AD integration with Workspace ONE UEM must be configured.

• MDM Enrollment URL: Provide the URL address used to enroll devices.
• MDM Terms of Use URL: Provide the URL address of the terms of use agreement. Exactly where in the Workspace ONE UEM in the Azure AD config panel, a helpful link displays where these MDM URLs belong. This link is titled, “Where in AAD do I paste this info?”
• Directory ID: Provide the identification number used to authorize the Azure AD license.
  In the Azure AD Directory Instance URL, the Azure Directory ID is found. For instance, only the last section (0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n) is the Directory ID if the URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n,.

• Tenant Name: Provide the tenant name of the Azure AD instance. Learn how to obtain the tenant info from the AAD Directory Instance, and there is a helpful link that displays exactly. This link is titled “How To Obtain Tenant Info.”
• Immutable ID-Mapping Attribute: In Active Directory, the Immutable ID-Mapping Attribute points to the source anchor field that is mapped to Azure AD. This setting allows Workspace ONE UEM to match the correct local active directory attribute to the Azure AD immutable ID.
• Mapping Attribute Data Type: The mapping attribute is selected of the data type used by Workspace ONE UEM as the source anchor for Azure AD of the field. Binary is the default type.
• When wiping devices, automatically revoke user tokens: To revoke Microsoft Azure AD user tokens, enable this option when a device or enterprise wipe is run. It is not a suggested practice to disable this functionality as it might reduce the security posture of the Configuration. A device can still contain a valid AAD authentication token even if a wiped device is lost.

4. For Authentication, Configure SAML (Optional).

After enabling Use SAML for Authentication, the following Security Assertion Markup Language (SAML) options are available.

If the admin integrates with a SAML identity provider, these options are only applicable then.

• Enable SAML authentication For, For Admin, Enrollment, or Self Service Portal, the admin has the choice of using SAML authentication. UEM console administrators can select any combination of two, all three, or any one of the three components.
• Use new SAML Authentication endpoint: A new SAML authentication endpoint has been created for end-user Authentication (device enrollment and login to SSP). The SSP endpoints and two dedicated enrollments with a single endpoint are replaced with this Authentication.

To make the most of the new combined endpoint, Workspace ONE UEM suggests updating the SAML settings while the admin may choose to keep the existing settings.

Enable this setting if the admin wants to use the new endpoint and save the page. To export the new metadata file, use the Export Service Provider Settings and upload it to your IdP. Trust is established between the new endpoint and the IdP.

SAML 2.0

• Import Identity Provider Settings: A metadata file is uploaded obtained from the identity provider. This file must be in the format of Extensible Markup Language (XML) format.
• Service Provider (Workspace ONE UEM) ID: The Uniform Resource Identifier (URI) is provided with which Workspace ONE UEM recognizes itself to the identity provider. As trusted by the identity provider, this string must match the ID that has been established.
• Identity Provider ID: The URI is provided that the identity provider utilizes to identify itself. To make sure that the identity matches the ID provided here, Workspace ONE UEM reviews authentication responses.

Response

• Response Binding Type: The binding types are selected for the response. The options include POST, Redirect, and Artifact.
• Sp Assertion URL: To direct its authentication responses, provide the Workspace ONE UEM URL that the identity provider configures. In success responses from the identity provider, “Assertions” regarding the authenticated user are included.
• Authentication Response Security: Whether the IdP signs the response is specified by this value. The admin can select between Validate Response Signatures, None, and Validate Assertions Signatures. For a more secure authentication, consider selecting Validate Response Signatures.

Certificate

• Identity Provider Certificate: The identity provider certificate is uploaded.
• Service Provider (AirWatch) Certificate: The service provider certificate is uploaded.
  Note: Currently, Workspace One only supports SHA256 based algorithms.
• Export Service Provider Settings button: The metadata file for uploading is exported to the Identity Provider (IdP). Trust is established by this setting between the new SAML endpoint (for enrollment and SSP login) and the IdP.

5. Go to Accounts, navigate to Administrators, click on Administrator Settings, select Directory Services, click on User and configure the User settings.

• User Object Class: Provide the appropriate Object Class. this value is “user.” in most cases.
• User Search Filter: The search parameter is provided to associate user accounts with Active Directory accounts. The suggested format is <LDAPUserIdentifier> is the parameter in “<LDAPUserIdentifier>={EnrollmentUser}” used on the directory services server to identify the specific user.
  Use “(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))” for AD servers, exactly.
  Use “CN={EnrollmentUser}” or “UID={EnrollmentUser}” for other LDAP servers,

Advanced

• Auto Merge: This setting is enabled from the directory service to allow user group updates to merge with groups in Workspace ONE UEM and the associated users automatically.
• Automatically Sync Enabled Or Disabled User Status: When that user is disabled in the LDAP directory service (for instance, Novell e-Directory, Active Directory, and so on) to deactivate the associated user, Select Enabled in Workspace ONE UEM.
• Value For Disabled Status – Select the type of Lightweight Directory Access Protocol (LDAP) attribute and enter a numeric value used to represent a user’s status. If the user status is selected by a bitwise flag, select “Flag Bit Match” (the default for Active Directory).

If the user status is selected by a bitwise flag, select “Flag Bit Match” (the default for Active Directory). Directory Services will assume the user to be disabled when “Flag Bit Match” is selected if any property’s bits match the given value.

Note: If the admin disables users in your directory service and selects this option, in Workspace ONE UEM, the corresponding user account is marked inactive, and the users and administrators are not able to sign in. In addition, in the directory service, enrolled devices assigned to users who are set as inactive are automatically unenrolled.

• Enable Custom Attributes: Custom attributes can be enabled. Under the main Attribute, Custom Attributes is a section that appears – Mapping Value table. To see the Custom Attributes, the admin must scroll down to the bottom of the page.
• Attributes: For the listed Attributes, review and edit the Mapping Values, if necessary. These columns show the mapping in the middle of Workspace ONE UEM user attributes (left) and the directory service attributes (right). These attributes are values most commonly used, by default in Active Directory (AD). To reflect the values used, update these mapping values for own or other directory service types.

The admin should initiate manual sync afterwards if they add or remove a custom attribute by selecting the Sync Attributes button.

Sync Attributes button: In Workspace ONE UEM, manually sync the attributes mapped here to the user records. For the Workspace ONE UEM environment, attributes sync automatically on the time schedule configured.

6. Go to Accounts, navigate to Administrators, go to Administrator Settings, click on Directory Services, select Group and configure Group settings.

• Group Object Class: Provide the appropriate Object Class. this value should be Group in most cases.
• Organizational Unit Object Class: Provide the appropriate Organizational User Object Class.

Advanced

• Group Search Filter: The search parameter is provided to associate user groups with directory service accounts.
• Auto Sync Default: This checkbox is selected to automatically add or delete users in Workspace ONE UEM configured user groups based on their membership in the directory service.
• Auto Merge Default: This check box is selected to automatically apply sync changes without administrative approval.
• Maximum Allowable Changes: The number of maximum allowable group membership changes are provided, which are to be merged into Workspace ONE UEM. Upon syncing with the directory service database, any number of changes detected under this number are automatically merged.

An administrator must manually approve the changes if the number of changes exceeds this threshold before they are applied. A single change is defined by a user either joining or leaving a group. The Console does not require to sync with your directory service as much for a setting of 100 Maximum Allowable Changes.

• Conditional Group Sync: This option is enabled only after changes occur in Active Directory to sync group attributes. To sync group attributes regularly, disable this option, regardless of changes in Active Directory.
• Auto-Update Friendly Name: The friendly name is updated when enabled, with group name changes made in the Active Directory.

The friendly name can be customized when disabled, so admins can tell the difference between user groups with identical common names. If the implementation includes organizational unit (OU)-based user groups, this can be useful for the same common name.

• Attribute: if necessary, review and edit the Mapping Value for the listed attribute. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). These attributes are values by default most commonly used in AD. To reflect the values used, update these mapping values for own or other directory service types.

7. By selecting the Test Connection button, verify that the enterprise has established proper connectivity.

For each of the domains listed on the page, The server connection is tested using the bind user name, server name, and the password provided by the administrator. By clicking the Test Again button, the admin can rerun the test.

8. Click on Save.

You can learn about Best Practices for Customizing Open Source LDAP Directory Service Type here.