After entering server settings, you can filter searches to identify user groups. You can also set options to auto merge and sync changes between your AirWatch groups and directory service groups.

Use the following instructions to configure user group-related settings.

  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
  2. Select the Group tab. By default, only the Base DN information displays.
  3. Base DN – Select the Fetch DN plus sign (+) next to the Base DN setting to display a list of Base DNs. Populate this text box by selecting from the list. If a list of Base DNs does not display, revisit the settings you entered on the Server tab before continuing.
  4. Enter data in the following settings.

    Setting Description
    Group Object Class Enter the appropriate Object Class. In most cases this value should be group.
    Organizational Unit Object Class Enter the appropriate Organizational User Object Class.
  5. To display more settings, select Advanced. Enter data in the following text boxes.

    Setting Description
    Group Search Filter Enter the search parameter used to associate user groups with directory service accounts.
    Auto Sync Default Select this checkbox to automatically add or remove users in AirWatch configured user groups based on their membership in your directory service.
    Auto Merge Default Select this check box to automatically apply sync changes without administrative approval.
    Maximum Allowable Changes

    Enter the number of maximum allowable group membership changes to be merged into AirWatch. Any number of changes detected upon syncing with the directory service database under this number are automatically merged.

    If the number of changes exceed this threshold, an administrator must manually approve the changes before they are applied. A single change is defined by a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much.

    Conditional Group Sync Enable this option to sync group attributes only after changes occur in Active Directory. Disable this option to sync group attributes regularly, regardless of changes in Active Directory.
    Auto-Update Friendly Name

    When enabled, the friendly name is updated with group name changes made in active directory.

    When disabled, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit (OU)-based user groups with the same common name.

    Attribute Review and edit the Mapping Value for the listed Attribute, if necessary. These columns show the mapping between AirWatch user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in AD. Update these mapping values to reflect the values used for your own or other directory service types.

No AD passwords are stored in the AirWatch database except the Bind account password used to link directory services into your AirWatch environment. The Bind account password is stored in an encrypted form in the database and is not accessible from the console.

Unique session keys are used for each sync connection to the Active Directory server.


In some instances, global catalogs are used to manage multiple domains or AD Forests. Delays while searching for or authenticating users may be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results.

To integrate with the global catalog directly, configure the following settings:

  • Encryption Type = None
  • Port = 3268
  • Verify that your firewall allows for this traffic on port 3268.