Managing Directory User Group Integration In Workspace ONE UEM

Without active directory integration, an alternative to custom user groups is through user group integration that applies to the existing active directory structure, providing many benefits.

The admin can perform the following actions once they import existing directory service user groups as Workspace ONE UEM user groups:

  • User Management: align user management in Workspace ONE UEM with the existing organizational systems and reference the existing directory service groups (security groups or distribution lists).
  • Profiles and Policies: Across the Workspace ONE UEM deployment, assign profiles, applications, and policies to groups of users.
  • Integrated Updates: based on group membership changes, automatically update user group assignments.
  • Management Permissions: To allow only approved administrators, set management permissions to change policy and profile assignments for certain user groups.
  • Enrollment: Automatically assign an organization group and allow users to enroll with existing credentials.

Monitor the performance of the Directory Services

Workspace ONE UEM ensures that device management and syncing continue even during rare lapses in connectivity. By making sure that the server maximizes available resources, the admin can improve the performance of Directory Services.

Skipping a Tenant After Three Sync Timeouts

Workspace ONE UEM skips that tenant if a tenant’s directory sync times out three times in a row and proceeds to synchronize the next tenant, as applicable. If a device does not respond for 15 minutes, a sync times out. Before the next tenant sync attempt, this timing means that the maximum delay is 45 minutes.

A console event log is generated after the third sync timeout with the following properties.

  • Name of event – EnterpriseIntegrationLDAPSyncError.
  • Event data – error description, OG name (Sync failed three times in a row. sync skipped.).
  • Event severity level – Error.


After VMware Enterprise Systems Connector Connection Error, Skipping a Tenant

Also, if the test connection fails or if the link to the VMware Enterprise Systems Connector is not working, then the sync fails to begin. In accordance with the Lightweight Directory Access Protocol (LDAP) customization, the next tenant sync commences.

After a VMware Enterprise Systems Connector connection error, the console event log is created with the following properties.

  • Name of event – EnterpriseIntegrationACCConnectionFailed.
  • Event data – OG name and reason.
  • Event severity level – Error.

Troubleshooting Synchronization Errors

Since they read from and write to the same queues, ensure the Scheduler Service and the Directory Sync Service are running on the same server,

  • Organization Groups vs. User Groups

The primary ways of performing the following tasks are still organization groups (OG) in Workspace ONE UEM. In Workspace ONE UEM, user groups don’t restore organization groups; rather, they are used to present security groups and business roles.

  • Add the Directory Service User Groups to Workspace ONE UEM

One at a time or utilize a batch import process to add directory service user groups into Workspace ONE UEM. For when the admin has a limited number of groups to add, adding directory user groups one at a time is ideal. When the admin has multiple groups to add, it is preferable to batch import directory, and user groups.

  • Mapping the User Groups for Console Access and Enrollment

The admin can use the resulting user groups for enrollment and role-based access after they add the directory service groups to Workspace ONE UEM. The admin can map user groups to existing organization groups in terms of device enrollment and automatically choose a Group ID based on a user group. The admin can restrict the level of UEM console access users have (roles) in terms of console access based on their user group membership.

  • Deploying Policies, Apps, and Profiles by User Group

When assigning compliance policies, profiles, apps, and content, after the admin imports the directory groups into Workspace ONE UEM, they can use them as more criteria. The user group acts as an extra filter if the admin assigns a policy, profile, or application to both a user group and an Organization Group (OG). To assign settings or content, Workspace ONE UEM uses this extra filter. Workspace ONE UEM only designates to users in the Group even if they select an OG with many users, with a device that is in the assigned OG. The administrator can use both organization groups and user groups to configure more advanced settings.

  • Deactivate and Reactivate the Users Automatically

When user accounts are deleted or disabled in the directory service, the admin can control how Workspace ONE UEM reacts by using auto-sync in the User tab of Directory Services. In Directory Services, Auto-sync monitors user statuses, and when a user is removed from Directory Services, they are also unenrolled from the UEM console and removed from the associated AirWatch user group.


  • Barry Allen

    A Full Stack Developer with 10+ years of experience in different domain including SAP, Blockchain, AI and Web Development.

    View all posts


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.