AirWatch uses organization groups (OG) to identify users and establish permissions. When AirWatch is integrated with VMware Identity Manager, the admin and enrollment user REST API keys are configured at the AirWatch organization group type called Customer.

When users sign in to Workspace ONE from a device, a device registration event is triggered within VMware Identity Manager. A request is sent to AirWatch to pull any applications that the user and device combination is entitled to. The request is sent using the REST API to locate the user within AirWatch and to place the device in the appropriate organization group.

To manage organization groups, two options can be configured in VMware Identity Manager.

  • Enable AirWatch auto discovery.

  • Map AirWatch organization groups to domains in the VMware Identity Manager service.

If neither of these two options is configured, Workspace ONE attempts to locate the user at the organization group where the REST API key is created. That is the Customer group.

Using AirWatch Auto Discovery

Set up Auto Discovery when a single directory is configured at a child group to the Customer Organization Group, or when multiple directories are configured below the Customer group with unique email domains.

Figure 1. Example 1

In example 1, the email domain of the organization is registered for auto discovery. Users enter only their email address in the Workspace ONE sign-in page.

In this example, when users in the NorthAmerica domain sign in to Workspace ONE, they enter the complete email address as The application looks for the domain and verifies that the user exists or can be created with a directory call in the NorthAmerica organization group. The device can be registered.

Using AirWatch Organization Group Mapping to VMware Identity Manager Domains

Configure VMware Identity Manager to AirWatch organization group mapping when multiple directories are configured with the same email domain. You enable Map Domains to Multiple Organization Groups in the AirWatch configuration page in the VMware Identity Manager admin console.

When the Map Domains to Multiple Organization Groups option is enabled, domains configured in VMware Identity Manager can be mapped to AirWatch organization group IDs. The admin REST API key is also required.

In example 2, two domains are mapped to different organization groups. An admin REST API key is required. The same admin REST API key is used for both organization group IDs.

Figure 2. Example 2

In the AirWatch configuration page in the VMware Identity Manager admin console, configure a specific AirWatch organization group ID for each domain.

Figure 3. Example 2 Organization Group Configuration

With this configuration, when users log in to Workspace ONE from their device, the device registration request attempts to locate users from Domain3 in the organization group Europe and users from Domain4 in organization group AsiaPacific.

In example 3, one domain is mapped to multiple AirWatch organization groups. Both directories share the email domain. The domain points to the same AirWatch organization group.

Figure 4. Example 3

In this configuration, when users sign in to Workspace ONE, the application prompts the users to select which group they want to register into. In this example, users can select either Engineering or Accounting.

Figure 5. Organization Groups Where Directories Share the Same Domain

Placing Devices in the Correct Organization Group

When a user record is successfully located, the device is added to the appropriate organization group. The AirWatch enrollment setting Group ID Assignment Mode determines the organization group in which the device is placed. This setting is in the System Settings > Device & Users > General > Enrollment > Grouping page.

Figure 6. AirWatch Group Enrollment for Devices

In example 4, all users are at the Corporate organization group level.

Figure 7. Example 4

Device placement depends on the selected configuration for the Group ID Assignment Mode at the Corporate organization group.

  • If Default is selected, the device is placed into the same group where the user is located. For example 4, the device is placed into the Corporate group.

  • If Prompt User to Select Group ID is selected, users are prompted to select which group to register their device into. For example 4, users see a drop-down menu within the Workspace ONE app with Engineering and Accounting as options.

  • If Automatically Selected Based on User Group is selected, devices are placed into either Engineering or Accounting based on their user group assignment and corresponding mapping in the AirWatch admin console.

Understanding the Concept of a Hidden Group

In example 4, when users are prompted to select an organization group from which to register, users also can enter a group ID value that is not in the list presented from the Workspace ONE app. This is the concept of a hidden group.

In example 5, in the Corporate organization group structure, North America and Beta are configured as groups under Corporate.

Figure 8. Example 5

In example 5, users enter their email address into Workspace ONE. After authentication, users are shown a list that displays Engineering and Accounting from which to choose. Beta is not an option that is displayed. If users know the organization group ID, they can manually enter Beta into the group selection text box and successfully register their device into Beta.
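The three Group ID Assignment Mode outcomes and the hidden group behavior described above, modeled as an added example that is not VMware code and calls no AirWatch API. The function names, record layout, and user group names are assumptions made for illustration; the audit helper shows how an administrator could flag devices that registered into a group that was never offered in the list.

```python
# Added illustration: a simplified model, not AirWatch or Workspace ONE code.
# Group names follow examples 4 and 5; data layout and helper names are constructed.

OFFERED = ["Engineering", "Accounting"]               # drop-down shown in the app
REGISTERABLE = {"Engineering", "Accounting", "Beta"}  # Beta exists but is hidden
USER_GROUP_MAP = {"eng-staff": "Engineering",         # constructed user group names
                  "finance-staff": "Accounting"}


def place_device(mode, user_og, user_groups=(), entered=None):
    """Return the organization group the device lands in, or None if rejected."""
    if mode == "default":
        return user_og                      # same group where the user is located
    if mode == "prompt":
        # A typed group ID is honoured even when it is absent from OFFERED.
        return entered if entered in REGISTERABLE else None
    if mode == "user_group":
        for group in user_groups:
            if group in USER_GROUP_MAP:
                return USER_GROUP_MAP[group]
        return None                         # no mapping: outcome not covered here
    raise ValueError(f"unknown assignment mode: {mode}")


def hidden_group_enrollments(records):
    """Flag prompt-mode enrollments that landed outside the offered list."""
    return [r for r in records
            if r["mode"] == "prompt" and r["placed_in"] not in OFFERED]


def sample_records():
    """Constructed enrollment records, produced by the model above."""
    attempts = [
        ("dev-01", "default", (), None),
        ("dev-02", "prompt", (), "Engineering"),
        ("dev-03", "prompt", (), "Beta"),             # group ID typed by hand
        ("dev-04", "user_group", ("finance-staff",), None),
    ]
    return [{"device": d, "mode": m,
             "placed_in": place_device(m, "Corporate", g, e)}
            for d, m, g, e in attempts]


if __name__ == "__main__":
    for rec in hidden_group_enrollments(sample_records()):
        print("review:", rec["device"], "registered into", rec["placed_in"])
```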