Directory Service Integration and Enrollment Restrictions

When directory service integration is configured in AirWatch, directory service accounts inherit their enrollment settings from the organization group in which the directory service is configured. Basic accounts, however, abide by local settings, including overrides.

For example, if the enrollment restriction option "Enterprise Wipe devices of users that are removed from configured groups" is enabled on the Customer organization group (OG), directory enrollment users in Sales01 who leave a configured group see their devices wiped despite the override configured in the Sales01 OG. This is true even if those accounts have devices enrolled in a different OG, because enrollment settings are user-centric, not device-centric.

However, in this same scenario, devices belonging to basic enrollment users of Sales01 OG who leave a configured group are not wiped. This is because basic enrollment users in Sales01 are not a part of the directory service-integrated OG and therefore recognize and abide by the overridden enrollment restriction.
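
The following added example (a model written for this page, not AirWatch code or an AirWatch API) resolves the effective setting per account type so an administrator can list which users remain subject to the wipe despite an override. The class names, the `WIPE` key, the user names, and the rule that a child OG inherits a setting from its parent unless it overrides it are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical key standing in for the option
# "Enterprise Wipe devices of users that are removed from configured groups".
WIPE = "enterprise_wipe_on_group_removal"

@dataclass
class OG:
    name: str
    parent: "OG | None" = None
    overrides: dict = field(default_factory=dict)  # settings set at this OG

    def local_setting(self, key):
        """Nearest value walking up the tree (assumed inheritance model)."""
        og = self
        while og is not None:
            if key in og.overrides:
                return og.overrides[key]
            og = og.parent
        return False  # assumed default when no OG sets the option

@dataclass
class User:
    name: str
    kind: str  # "directory" or "basic"
    og: OG     # OG the account belongs to

def effective_setting(user, key, directory_og):
    """Directory accounts take the setting from the OG where the directory
    service is configured; basic accounts use their own OG's local settings,
    including overrides."""
    source = directory_og if user.kind == "directory" else user.og
    return source.local_setting(key)

def wiped_on_group_removal(users, directory_og):
    """Names of users whose devices are wiped when they leave a configured group."""
    return sorted(u.name for u in users
                  if effective_setting(u, WIPE, directory_og))

# Constructed sample mirroring the scenario above: the option is enabled on
# Customer and overridden (disabled) on the child OG Sales01.
customer = OG("Customer", overrides={WIPE: True})
sales01 = OG("Sales01", parent=customer, overrides={WIPE: False})
users = [User("dir_alice", "directory", sales01),
         User("basic_bob", "basic", sales01)]

if __name__ == "__main__":
    print(wiped_on_group_removal(users, customer))
```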