Managing Directory Service Users in Workspace ONE UEM

by | Apr 16, 2022 | MDM, VMware Workspace ONE


A corresponding user account must be present in the UEM console for every directory user the admin wants to manage through Workspace ONE UEM. Existing directory services users can be added directly to Workspace ONE UEM.

The admin can choose one of the following methods to directly add the existing directory services users to Workspace ONE UEM.

  • Batch upload a file containing all the directory services users. The act of batch importing automatically creates a user account.
  • Create user accounts one at a time by entering the directory user name and selecting Check User to auto-populate the remaining details.
  • Neither manually create user accounts nor import in bulk, and instead allow all directory users to self-enroll at enrollment time.

A fourth option, applying Workspace ONE UEM user groups connected to directory service groups, is explained in the next section. This option can be used together with these methods or by itself.

There are some other considerations.

Pros – It requires the least amount of effort while still supporting the ability to sync changes to user attributes that are made in the directory service. Self-enrollment also creates a Workspace ONE UEM user account.

Cons – Enrollment cannot be restricted to specific users or user groups. Lack of this restriction means that any directory user with a valid email address can onboard a device.

Note the following if the admin chooses to use directory services in Workspace ONE UEM.

  • Directory users can only be created at the exact same organization group (OG) level where directory services settings are enabled. The admin can view users at the organization group level where they have a device enrolled. However, users can only be managed at the same level as the directory service settings.
  • The admin must be at the same level as the directory services settings to delete or edit a user account.
  • The admin must be at a lower level than the root OG where directory services are enabled to add a device to an existing Workspace ONE UEM user account.

Adding the Directory Users Into Workspace ONE UEM

The admin can add directory users into Workspace ONE UEM using a batch import process or one at a time. When the admin has a few users to add, adding individual directory users one at a time is ideal. When the admin has multiple users to add, it is preferable to batch import directory users.

Using the batch import method means uploading a list of directory services users in a CSV (comma-separated values) template file that has specific columns. To make converting the existing directory service user data easier, try mapping the text boxes Workspace ONE UEM requires to existing attributes in the database. The admin can then use custom queries to create a spreadsheet from which they can copy and paste.

Pros – Creating Workspace ONE UEM user accounts enables the admin to use enrollment options that require user accounts, such as registration tokens. If some users are not to be included in Mobile Device Management (MDM), the admin can omit them from the CSV file. Such omission restricts enrollment to known users only.

Cons – Automating the creation of a CSV batch file that can be used to upload users requires back-end configuration. Alternatively, enter each user manually. Manual entry requires that user assignment to organization groups be thought out beforehand to ensure proper policy, profile, content, and app assignments.


Adding Individual Directory Users to Workspace ONE UEM

The admin can add directory users individually in Workspace ONE UEM when there are only a small number of users to add or a ‘one-off’ addition to make.

  1. Go to Accounts, navigate to Users, go to List View, select Add, and click on Add User. The Add / Edit User page is displayed.
  2. On the General tab, complete the following settings to add a directory user.
  • Security Type: By choosing Directory as the Security Type, add an Active Directory user.
  • Directory Name: By using this pre-populated setting, the Active Directory name is identified.
  • Domain: From the drop-down menu, choose the domain name.
  • User name: Provide the user’s directory user name and click on Check User. The user’s information is automatically populated if the system finds a match. The remaining settings within this section become available only after the admin has successfully located an Active Directory user with the Check User button.
  • Full Name: Use Edit Attributes to allow any option that syncs a blank value from the Directory to be edited. Edit Attributes also enables the admin to populate the matching user’s information automatically.

If a setting syncs an actual value from the Directory, that setting must be edited in the Directory itself. The change takes effect on the next directory sync. Complete any blank option returned from the Directory in Full Name and select Edit Attributes to save the addition.

  • Display Name: Provide the name that is displayed in the admin console.
  • Email Address: Provide or edit the user’s email address.
  • Email user name: Provide or edit the user’s email user name.
  • Domain (email): From the drop-down menu, select the email domain.
  • Phone Number: Provide the user’s phone number, including the plus sign, country code, and area code. The phone number is required if the admin intends to use SMS to send notifications.
  • Enrollment Organization Group: Choose the organization group (OG) into which the user enrolls.
  • Enable the user to enroll into additional Organization Groups: Decide whether to allow or prohibit the user from enrolling into more than one organization group. Complete the Additional Organization Groups setting if the admin selects Enabled.
  • User Role: From this drop-down menu, select the role for the user being added.
  • Message Type: Choose the type of message the admin may send to the user: Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number text box.
  • Message Template: Choose the template for email or SMS messages from this drop-down setting. Optionally, select Message Preview to review the template, and select the Configure Message Templates link to create a template.


  3. (Optional): Select the Advanced tab and complete the following settings.
  • Email Password: Provide the email password of the user being added.
  • Confirm Email Password: Confirm the email password of the user being added.
  • Distinguished Name: For directory users recognized by Workspace ONE UEM, this text box is pre-populated with the user’s distinguished name. A distinguished name is a string representing the user name and all authorization codes associated with an Active Directory user.
  • Manager Distinguished Name: Provide the distinguished name of the user’s manager. This text box is optional.
  • Category: For the user being added, choose the user category.
  • Department: For the company’s administrative purposes, provide the user’s department.
  • Employee ID: For the company’s administrative purposes, enter the user’s employee ID.
  • Cost Center: For the company’s administrative purposes, enter the user’s cost center.
  • Custom Attribute 1–5 (for Directory users only): Where applicable, provide the previously configured custom attributes. The admin may define these custom attributes by navigating to Groups & Settings, All Settings, Devices & Users, Advanced, and Custom Attributes.

Note: Custom attributes can be configured only at Customer organization groups.

  • Use S/MIME: Enable or disable the use of Secure/Multipurpose Internet Mail Extensions (S/MIME). If enabled, the admin must have an S/MIME-enabled profile and must upload an S/MIME certificate by selecting Upload.
  • Separate Encryption Certificate: Enable or disable the use of a separate encryption certificate. If enabled, the admin must upload an encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing and encryption unless a different certificate is expressly being used.
  • Old Encryption Certificate: Enable or disable a legacy version encryption certificate. If enabled, the admin must upload an encryption certificate.
  • Enable Device Staging: Enable or disable the staging of devices.

If enabled, the admin must choose between Single User Devices and Multi-User Devices.

For Single User Devices, the admin must select between Standard, where users sign in themselves, and Advanced, where a device is onboarded on behalf of another user.

  4. Select Save to save only the new user, or select Save and Add Device to save the new user and proceed to the Add Device page.

Batch Import the Directory Users

The admin can save time by initiating a batch import process if they have many directory users to add to Workspace ONE UEM.

  1. Go to Accounts, Users, and Batch Status, or go to Devices, Lifecycle, and Enrollment Status, then click on Add and select Batch Import.
  2. Provide the basic information, including a Batch Name and Batch Description.
  3. From the Batch Type drop-down menu, select the applicable batch type.
  4. Select and download the template that best fits the kind of batch import the admin is making.
  • Blacklisted Devices: Import a list of known, non-compliant devices by IMEI, Serial Number, or UDID. Blacklisted devices are prohibited from enrolling. If a blacklisted device attempts to enroll, it is automatically blocked.
  • Whitelisted Devices: Import pre-approved devices by Serial Number, IMEI, or UDID. Use this template to import a list of known and trusted devices. The device’s ownership and group ID are automatically updated and applied during enrollment.
  • User and/or Device: Choose between a Simple and an Advanced CSV template. The simple template features only the most often-used options, while the advanced template features the full, unabridged complement of import options.
  • Change Organization Group: Move users to a different organization group.
  5. Open the CSV file. Confirm whether or not users are a part of the enrollment organization group (OG). The CSV file features several columns corresponding to the options on the Add / Edit User page. When the admin opens the CSV template, notice that sample data has been provided in each column of the template. The sample data is presented to inform the admin what kind of data is required and what format it must be in. The admin should not stray from the format represented by the sample data.

Note: A CSV (comma-separated values) file is simply a text file whose extension has been changed from “TXT” to “CSV.” It stores tabular data (text and numbers) in plain text. Each line of the file represents a data record. Each record consists of one or more fields separated by commas. It can be opened and edited with any text editor, and it can also be opened and edited using Microsoft Excel.

  6. Go to Groups & Settings, navigate to All Settings, go to Devices & Users, click on General, select Enrollment, and then select the Grouping tab. For a directory-based enrollment, the Security Type for every user must be Directory. If the Group ID Assignment Mode is set to Default, the users are part of the enrollment OG.
  7. Enter data for the organization’s users, including device information (if applicable), and save the file.
  8. Return to the Batch Import page and select Choose File to locate and upload the CSV file that the admin had previously downloaded and filled out.
  9. Select Save.



Filter the Searches to Map the Directory Services User Information

After entering server settings, the admin can filter searches to identify users and map values between Workspace ONE user attributes and the directory attributes.

  1. Go to Accounts, navigate to Administrators, go to Administrator Settings, and select Directory Services.
  2. Select the User tab. By default, only the Base DN information is displayed.
  3. Select the Fetch DN plus sign (+) next to the Base DN column. This plus sign displays a list of base DNs from which the admin can select to populate this text box. If it does not, revisit the settings entered on the Server tab before continuing.
  4. Provide data in the following settings.
  • User Object Class: Provide the appropriate Object Class. In most cases, this value is “user”.
  • User Search Filter: Provide the search parameter used to associate user accounts with Active Directory accounts. The suggested format is “<LDAPUserIdentifier>={EnrollmentUser}”, where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user.
    • Use “(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))” exactly for AD servers.
    • Use “CN={EnrollmentUser}” or “UID={EnrollmentUser}” for other LDAP servers.
  5. Select Show Advanced to display more settings.
  • Auto Merge: Enable this setting to allow user group updates from the directory service to merge automatically with the associated users and groups in Workspace ONE UEM.
  • Automatically Sync Enabled Or Disabled User Status: Select Enabled to deactivate the associated user in Workspace ONE UEM when that user is disabled in the LDAP directory service (for example, Active Directory, Novell e-Directory, and so on).

Value For Disabled Status – Select the type of Lightweight Directory Access Protocol (LDAP) attribute and enter a numeric value used to represent a user’s status. If the user status is designated by a bitwise flag, select “Flag Bit Match” (which is the default for Active Directory). When “Flag Bit Match” is selected, Directory Services regards the user as disabled if any bits from the property match the given value.

Note: If the admin disables users in the directory service and selects this option, the related user account in Workspace ONE UEM is flagged as inactive, and those administrators and users are not able to sign in. In addition, enrolled devices assigned to users that are set as inactive in the directory service are automatically unenrolled.

  • Enable Custom Attributes: Enable custom attributes. Custom Attributes is a section that appears under the main Attribute – Mapping Value table. The admin must scroll down to the bottom of the page to see the Custom Attributes.
  • Attributes: For the listed Attributes, review and edit the Mapping Values, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and the directory service attributes (right). By default, these attributes are values most commonly used in Active Directory (AD). Update these mapping values to reflect the values used for your own or other directory service types.

If the admin adds or removes a custom attribute, they should initiate a manual sync afterward by selecting the Sync Attributes button.

  • Sync Attributes button: Manually sync the attributes mapped here to the user records in Workspace ONE UEM. Attributes sync automatically on the time schedule configured for the Workspace ONE UEM environment.
  6. Select Test Connection to verify connectivity.

The server connection is tested for each of the domains listed on the page, using the server name, bind user name, and password provided by the administrator. The admin can rerun the test by clicking the Test Again button.
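The User Search Filter and “Flag Bit Match” settings described above can be modeled in a few lines. This is an added example, not Workspace ONE UEM code: it assumes the status attribute is Active Directory's userAccountControl, whose disabled bit is 0x2 (neither is named on this page), the RFC 4515 escaping is the example's own choice rather than a statement about what UEM does internally, and the directory entries are constructed.

```python
# Added example, not Workspace ONE UEM code. Sample entries are constructed.
AD_FILTER = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))"
ACCOUNTDISABLE = 0x0002  # assumption: AD userAccountControl "disabled" bit


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so the value stays a literal."""
    special = {"\\", "*", "(", ")", "\x00"}
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def build_user_filter(template, enrollment_user):
    """Substitute the {EnrollmentUser} placeholder in a User Search Filter."""
    return template.replace("{EnrollmentUser}",
                            escape_filter_value(enrollment_user))


def flag_bit_match(attribute_value, configured_value):
    """Disabled if any bit of the configured value is set in the attribute."""
    return (attribute_value & configured_value) != 0


def users_to_deactivate(entries, configured_value=ACCOUNTDISABLE):
    """Names of entries that Flag Bit Match would treat as disabled."""
    return [e["sAMAccountName"] for e in entries
            if flag_bit_match(int(e["userAccountControl"]), configured_value)]


# Constructed directory entries; userAccountControl arrives as a string.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "asmith", "userAccountControl": "512"},     # enabled
    {"sAMAccountName": "bjones", "userAccountControl": "514"},     # disabled
    {"sAMAccountName": "svc-mdm", "userAccountControl": "66048"},  # enabled
    {"sAMAccountName": "cnguyen", "userAccountControl": "66050"},  # disabled
]

if __name__ == "__main__":
    print(build_user_filter(AD_FILTER, "bjones"))
    print(users_to_deactivate(SAMPLE_ENTRIES))
    # Plain equality with 2 finds nobody: the disabled accounts carry other
    # bits as well (514, 66050), which is why a bitwise match is used.
    print([e["sAMAccountName"] for e in SAMPLE_ENTRIES
           if int(e["userAccountControl"]) == ACCOUNTDISABLE])
```

Because a disabled match flags the account inactive and unenrolls its devices, running this kind of check against an export of the directory before enabling the sync shows which users would be affected.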

  • The admin can perform the following actions from the User tab:

From the drop-down menu, select the Domain name.

Provide the user’s directory user name and select Check User. The user’s information is auto-populated if the system finds a match. The remaining settings in this section become available only after the admin has successfully located an Active Directory user with the Check User button.

  • The admin can perform the following actions from the Group tab:

Choose the External Type of the Group the admin is adding.

Group – Refer to the group object class on which the user group is based.

Configure this class by navigating to Groups & Settings, All Settings, System, Enterprise Integration, Directory Services, and Group.

Organizational Unit – Refer to the organizational unit object class on which the user group is based. Configure this class by navigating to Groups & Settings, All Settings, System, Enterprise Integration, Directory Services, and Group.

In the Search Text box, enter the directory user group name.

Directory Name is a pre-populated setting that identifies the Active Directory name.

From the drop-down menu, choose the Domain name.

Group Base DN displays a list of Domain Names from which the admin can select.

To verify the group information, select Check Group.

Directory Service User Self-Enrollment

User Self-Enrollment applies to the existing directory service environment to auto-discover users based on their email.

The admin can enable all directory users to enroll themselves based on their email addresses. This option requires the least amount of effort while reserving the ability to sync user attributes. However, the admin is unable to restrict enrollment to specific users or user groups.

  1. Go to Groups & Settings, navigate to All Settings, go to Devices & Users, select General, click on Enrollment and select the Restrictions tab.
  2. Scroll to locate the Enrollment Restrictions section on this page. Ensure that the Restrict Enrollment To Configured Groups and Restrict Enrollment To Known Users checkboxes are both deselected.
  3. When these are deselected, all directory users and user group members (as configured on the directory services settings page) are allowed to enroll with a valid email address.

