After you add your directory service groups to AirWatch, you can use the resulting AirWatch user groups for enrollment and role-based access.

  • For device enrollment, you can map user groups to existing organization groups and automatically select a Group ID based on a user group.
  • For console access, you can restrict the level of AirWatch Console access (roles) that users have based on their user group membership.

You can configure settings to select a Group ID automatically based on a user group or allow users to select a Group ID from a list.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Grouping tab.
  2. Choose Automatically Select Based on User Group as the Group ID Assignment Mode.

    This option works only when your existing directory service is already populated with user group assignments that are independent of AirWatch.

    Enabling this option ensures that users are automatically assigned to organization groups based on their directory service group assignments. Once selected, the Group Assignment Settings section displays all the organization groups (OG) for the environment and their associated directory service user groups.

    When the Apply mapping on enrollment only setting is enabled, the user group assignment applies at enrollment time only. After enrollment, devices can be manually moved to another organization group. However, if the Apply mapping on enrollment only check box is still enabled, the device does not honor any new user group mapping. The event log captures the identity of the admin requesting this mapping at enrollment time.

    For more information about the Event Log, see Reports & Analytics.

  3. Modify the organization group/user group associations and set the rank of precedence for each group by selecting Edit Group Assignment. If a user belongs to multiple user groups, the rank determines which user group takes precedence. The user is associated with the OG of the highest-ranked user group to which they belong. Select Save when you are finished.

  4. Just as you map user groups to an OG assignment, you can also map roles, or console permissions, based on user groups. Enable the editing of role-based access levels by selecting Enable Directory Group-Based Mapping in the User Role Mapping section. To edit roles and rank user groups, as in step 3, select Edit Assignment.

    For each user group, set the rank of precedence and the associated role. Just as in step 3, if a user belongs to multiple user groups, the rank determines which user group, and therefore which role, takes precedence. The user receives permissions for the highest-ranked user group to which they belong. Select Save when you are finished.

    Access the Roles page and define new or edit existing Roles by navigating to Accounts > Roles.

  5. Select Save when you are done mapping user groups to enrollment organization groups and roles.
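
The rank precedence described in steps 3 and 4 can be checked offline before you save a new ranking. The following is an added example, not AirWatch code: it resolves each user's effective role from a ranked mapping and lists the differing roles that the winning group overrides. It assumes rank 1 is the highest rank; all group names, role names, and users are constructed sample data.

```python
# Added example (not AirWatch code): dry-run of rank-based user group mapping.
# Assumption: rank 1 is the highest rank. All names and data are constructed.
from collections import Counter
from typing import NamedTuple

class Mapping(NamedTuple):
    rank: int          # precedence; 1 = highest (assumed)
    user_group: str    # directory service user group
    target: str        # console role (or organization group)

def duplicate_ranks(mappings):
    """Ranks used more than once would make precedence ambiguous."""
    counts = Counter(m.rank for m in mappings)
    return sorted(r for r, n in counts.items() if n > 1)

def resolve(mappings, memberships):
    """Return (winning mapping or None, lower-ranked matches) for one user."""
    hits = sorted((m for m in mappings if m.user_group in memberships),
                  key=lambda m: m.rank)
    return (hits[0], hits[1:]) if hits else (None, [])

def audit(mappings, directory):
    """Map each user to (effective target, differing targets it overrides)."""
    report = {}
    for user, groups in directory.items():
        winner, shadowed = resolve(mappings, set(groups))
        if winner is None:
            report[user] = (None, [])   # user is in no mapped group
            continue
        overridden = sorted({m.target for m in shadowed} - {winner.target})
        report[user] = (winner.target, overridden)
    return report

# Constructed sample data
ROLE_MAP = [
    Mapping(1, "MDM-Admins", "System Administrator"),
    Mapping(2, "Helpdesk", "Help Desk"),
    Mapping(3, "All-Staff", "Read Only"),
]
DIRECTORY = {
    "alice": ["All-Staff", "MDM-Admins"],
    "bob": ["All-Staff", "Helpdesk"],
    "carol": ["Contractors"],
}

if __name__ == "__main__":
    print("duplicate ranks:", duplicate_ranks(ROLE_MAP))
    for user, (role, overridden) in audit(ROLE_MAP, DIRECTORY).items():
        print(f"{user}: effective={role} overrides={overridden}")
```

Users whose effective role overrides a lower-privilege one, and users who match no mapped group, are the entries to review before saving the ranking.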

You can restrict enrollment to only known users or configured groups. For more information, see Configure Enrollment Restrictions.