After entering server settings, you can filter searches to identify users and map values between AirWatch user attributes and your directory attributes.

Use the following instructions to configure user-related settings.

  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
  2. Select the User tab. By default, only the Base DN information displays.
  3. Base DN – Select the Fetch DN plus sign (+) next to the Base DN column. This plus sign displays a list of Base DNs from which you can select to populate this text box. If it does not, revisit the settings you entered on the Server tab before continuing.
  4. Enter data in the following settings.

    Setting Description
    User Object Class Enter the appropriate Object Class. In most cases, this value is "user."
    User Search Filter

    Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}" where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user.

    • For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.

    • For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}"

  5. Display more settings by selecting Show Advanced.

    Setting Description
    Auto Merge Enable setting to allow user group updates from your directory service to merge with the associated users and groups in AirWatch automatically.
    Automatically Set Disabled Users to Inactive

    Select Enable to deactivate the associated user in AirWatch when that user is disabled in your LDAP directory service (for example, Novell e-Directory).

    • Value For Disabled Status – Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user’s status. Select “Flag Bit Match” if the user status is designated by a bitwise flag (which is the default for Active Directory).

      When “Flag Bit Match” is selected, if any bits from the property match the entered numeric value, then directory service considers the user to be disabled. This setting is only visible when the option Automatically Set Disabled Users to Inactive is checked.

      Note:

      If you select this option, then AirWatch administrators set as inactive in your directory service are not able to log in to the AirWatch Console. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.

    Enable Custom Attributes Enable custom attributes. Custom Attributes is a section that appears under the main AttributeMapping Value table. You must scroll down to the bottom of the page to see the Custom Attributes.
    Attributes Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between AirWatch user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in Active Directory (AD). Update these mapping values to reflect the values used for your own or other directory service types.
    Sync Attributes button Manually sync the attributes mapped here to the user records in AirWatch. Attributes sync automatically on the time schedule configured for the AirWatch environment.