The directory services settings page lets you configure your directory service integration with AirWatch. For more information about directory service integration, see Introduction to Directory Services.

In addition to manually configuring the settings below, you can also select Launch Setup Wizard from the bottom of the page.

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.

Server Tab

LDAP

  • Directory Type – Select the type of directory service that your organization uses.

    Note:

    AirWatch supports open source LDAP for directory services. For more information, see the following knowledgebase article: https://support.air-watch.com/resources/115001696028.

  • Enable DNS SRV – Allow the Domain Name System (DNS) Service Record (SRV) to decide which server in its prioritized list of servers can best support LDAP requests. This feature ensures continuity of service in a high availability environment. The default setting is Disabled.

    With this option disabled, AirWatch uses your existing directory server, the address of which you enter in the Server setting.

  • Server – Enter the address of your directory server. This setting is only available when Enable DNS SRV is Disabled.
  • Encryption Type – Select the type of encryption to use for directory services communication. The options available are None (unencrypted), SSL, and Start TLS.
  • Port – Enter the Transmission Control Protocol (TCP) port used to communicate with the domain controller. The default for unencrypted LDAP directory service communication is port 389. Only SaaS environments allow SSL encrypted traffic using port 636. To view a KnowledgeBase article that lists the most up-to-date AirWatch SaaS data center IP ranges, refer to https://support.air-watch.com/articles/115001662168.

    • When you change the Encryption Type setting to SSL, the Port setting automatically changes to 636.
    • When you select the Add Domain button, the Port setting automatically changes to 3268.
  • Verify SSL Certificate – This setting only becomes visible when the Encryption Type is SSL or Start TLS. Select the check box to receive SSL certificate errors.
  • Protocol Version – Select the version of the Lightweight Directory Access Protocol (LDAP) that is in use. Active Directory uses LDAP version 2 or 3. If you are unsure which Protocol Version to use, try the commonly used value of '3'.
  • Use Service Account Credentials – Use the App pool credentials from the server on which the VMware Enterprise Systems Connector is installed to authenticate with the domain controller. Enabling this option hides the Bind user name and Bind Password settings.
  • Bind Authentication Type – Select the type of bind authentication that enables the AirWatch server to communicate with the domain controller.

    You can select Anonymous, Basic, Digest, Kerberos, NTLM, or GSS-NEGOTIATE. If you are unsure which Bind Authentication Type to use, try the commonly used GSS-NEGOTIATE. You will know if your selection is not correct when you click Test Connection.
  • Bind user name – Enter the credentials used to authenticate with the domain controller. The account identified by this user name has read-access permission on your directory server and is used to bind the connection when authenticating users. Clear the bind password from the database by selecting the Clear Bind Password check box.
  • Domain/Server – Enter the default domain and server name for any directory-based user accounts. If only one domain is used for all directory user accounts, fill in the text box with that domain. Users are then authenticated without explicitly stating their domain.

    Note:

    You can add more domains by selecting the Add Domain option. In this case, AirWatch automatically changes the port setting to 3268 for the global catalog. You may choose to change the port setting to 3269 for SSL encrypted traffic, or override it completely by entering a separate port.
  • Is there a trust relationship between all domains? – This setting is available only when you have added more than one domain.

    Select Yes if the binding account has permission to access the other domains you have added. This permission means that the binding account can successfully log in from more domains.
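The Enable DNS SRV behavior described above, as an added Python example that is not AirWatch code: SRV answers are ordered by RFC 2782 priority and weight and then tried in turn until one server answers, which is how a prioritized server list gives continuity of service. The SRV records, hostnames and the connect callback are constructed for the example and are not from the page.

```python
import random

# Constructed SRV answer for _ldap._tcp.<domain> (hostnames are assumptions, not from
# the page). Each record carries the RFC 2782 fields priority, weight, port, target.
SRV_RECORDS = [
    {"priority": 10, "weight": 60, "port": 389, "target": "dc1.corp.example"},
    {"priority": 10, "weight": 40, "port": 389, "target": "dc2.corp.example"},
    {"priority": 20, "weight": 0, "port": 389, "target": "dc3.corp.example"},
]

def order_srv(records, rng=None):
    """Return the records in the order a client should try them.

    Lower priority values come first. Within one priority level each record is
    picked with probability proportional to its weight (a simplified form of the
    RFC 2782 selection), so a weight-0 record is used only when no weighted
    record of that priority remains.
    """
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        pool = [r for r in records if r["priority"] == prio]
        while pool:
            total = sum(r["weight"] for r in pool)
            chosen = pool[0]            # only used when every remaining weight is 0
            if total > 0:
                pick = rng.randrange(total)  # uniform in [0, total)
                running = 0
                for r in pool:
                    running += r["weight"]
                    if pick < running:
                        chosen = r
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def first_reachable(ordered, connect):
    """Failover: try each server in order; connect(target, port) returns True on success."""
    for r in ordered:
        if connect(r["target"], r["port"]):
            return r["target"]
    return None
```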

The following options are available after selecting the Advanced section drop-down.

Advanced

  • Search Subdomains – Enable subdomain searching to find nested users.

    Leaving this option disabled can make searches faster and avoids network issues. However, users and groups located in subdomains under the base Distinguished Name (DN) are not identified.
  • Connection Timeout – Enter the LDAP connection timeout value (in seconds).
  • Request Timeout – Enter the LDAP query request timeout value (in seconds).
  • Search without base DN – Enable this option when using a global catalog and you do not want to require a base DN to search for users and groups.
  • Use Recursive OID at Enrollment – Verify user group membership at the time of enrollment. Because the system runs this check at enrollment time, performance may decrease with some directories.
  • Use Recursive OID For Group Sync – Verify user group membership at the time of group synchronization.
  • Object Identifier Data Type – Select the unique identifier that never changes for a user or group. The options available are Binary and String. Typically, the Object Identifier is in Binary format.
  • Sort Control – Option to enable sorting. Disabling this option can make searches faster and avoid sync timeouts.

Azure Active Directory

Select Enabled for Use Azure AD for Identity Services and follow the on-screen steps to set up integration with Azure Active Directory. For more information, see Enrollment Through Azure AD Integration.

SAML 2.0

The following Security Assertion Markup Language (SAML) options are available after selecting Use SAML for Authentication, and are only applicable if you are integrating with a SAML identity provider.

  • Enable SAML authentication for – You have the choice of using SAML authentication for Admins, Users, or Both.
  • Use new SAML Authentication endpoint – A new SAML authentication endpoint has been created for end-user authentication (device enrollment and login to the SSP). This endpoint replaces the two dedicated enrollment and SSP endpoints with a single endpoint.

    While you may choose to keep your existing settings, AirWatch suggests updating your SAML settings to take advantage of the new combined endpoint.

    If you want to use the new endpoint, enable this setting and save the page. Then use Export Service Provider Settings to export the new metadata file and upload it to your IdP. Doing so establishes trust between the new endpoint and your IdP.

SAML 2.0

  • Import Identity Provider Settings – Upload a metadata file obtained from the identity provider. This file must be in Extensible Markup Language (XML) format.
  • Service Provider (AirWatch) ID – Enter the Uniform Resource Identifier (URI) with which AirWatch identifies itself to the identity provider. This string must match the ID that the identity provider has established as trusted.
  • Identity Provider ID – Enter the URI that the identity provider uses to identify itself. AirWatch checks authentication responses to verify that the identity matches the ID provided here.

REQUEST

  • Request Binding Type – Select the binding type of the request. The options include Redirect, POST, and Artifact.
  • Identity Provider Single Sign On URL – Enter the identity provider's Uniform Resource Locator (URL) to which AirWatch sends requests.
  • NameID Format – Enter the format in which the identity provider sends a NameID for an authenticated user. This value is not required because AirWatch obtains the user name from the required attribute with FriendlyName “uid”.
  • Authentication Request Security – Select from the drop-down whether the Service Provider (AirWatch) signs the authentication requests. You can select None, Sign Authentication Requests (SHA1), or Sign Authentication Requests (SHA256). Consider selecting Sign Authentication Requests (SHA256) for more secure authentication.

RESPONSE

  • Response Binding Type – Select the binding type of the response. The options include Redirect, POST, and Artifact.
  • SP Assertion URL – Enter the AirWatch URL to which the identity provider directs its authentication responses. “Assertions” regarding the authenticated user are included in success responses from the identity provider.
  • Authentication Response Security – This value specifies whether the IdP signs the response. You can select None, Validate Response Signatures, or Validate Assertions Signatures. Consider selecting Validate Response Signatures for more secure authentication.

CERTIFICATE

  • Identity Provider Certificate – Upload the identity provider certificate.
  • Service Provider (AirWatch) Certificate – Upload the service provider certificate.
  • Export Service Provider Settings button – Exports the metadata file for uploading to your Identity Provider (IdP). This establishes trust between the new SAML endpoint (for enrollment and SSP login) and your IdP.
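The identifier checks the SAML settings above describe (Identity Provider ID against the response Issuer, SP Assertion URL against Destination, Service Provider ID against the Audience, plus assertion expiry), as an added Python example that is not AirWatch code. The identifiers, URLs and the unsigned sample response are constructed; verifying the response or assertion signature is a separate step this example does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values an administrator would enter on the SAML 2.0 tab (constructed, not real endpoints).
SP_ID = "https://mdm.example.com/sp"
IDP_ID = "https://idp.example.com/metadata"
SP_ASSERTION_URL = "https://mdm.example.com/saml/acs"

# Constructed, unsigned sample response from the IdP to the SP Assertion URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ASSERTION_URL}">
  <saml:Issuer>{IDP_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now, sp_id=SP_ID, idp_id=IDP_ID, acs_url=SP_ASSERTION_URL):
    """Return the problems found (empty list = passed). Signature checks are not included."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the SP Assertion URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_id:
        problems.append("Issuer does not match the Identity Provider ID")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
        return problems
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_id:
        problems.append("Audience does not match the Service Provider (AirWatch) ID")
    if _ts(now) >= _ts(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
        problems.append("assertion has expired")
    return problems
```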

User Tab

  • User Object Class – Enter the appropriate Object Class. In most cases, this value is "user".
  • User Search Filter – Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}", where <LDAPUserIdentifier> is the attribute the directory services server uses to identify the specific user.

    • For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.
    • For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}".
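The User Search Filter substitution described above, as an added Python example that is not AirWatch code. It fills the {EnrollmentUser} placeholder in the two filter formats the page gives, escaping the supplied user name per RFC 4515 so that characters such as parentheses or asterisks in the value cannot alter the structure of the filter sent to the directory. The sample user names are constructed.

```python
# Filter templates taken from the User Search Filter description above.
AD_FILTER = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))"
LDAP_FILTER = "UID={EnrollmentUser}"

def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters ( ) * \\ and NUL as \\XX hex pairs."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_search_filter(template: str, enrollment_user: str) -> str:
    """Return the template with {EnrollmentUser} replaced by the escaped user name."""
    if "{EnrollmentUser}" not in template:
        raise ValueError("template has no {EnrollmentUser} placeholder")
    return template.replace("{EnrollmentUser}", escape_filter_value(enrollment_user))
```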

Advanced

  • Auto Merge – Enable this setting to allow user group updates from your directory service to merge automatically with the associated users and groups in AirWatch.
  • Automatically Set Disabled Users to Inactive – Select Enable to deactivate the associated user in AirWatch when that user is disabled in your LDAP directory service (for example, Novell eDirectory).

    • Value For Disabled Status – Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user’s status. Select “Flag Bit Match” if the user status is designated by a bitwise flag (which is the default for Active Directory).

      When “Flag Bit Match” is selected, if any bit of the attribute matches the entered numeric value, the directory service considers the user disabled. This setting is only visible when Automatically Set Disabled Users to Inactive is checked.

      Note:

      If you select this option, AirWatch administrators set as inactive in your directory service are not able to log in to the AirWatch Console. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.

  • Enable Custom Attributes – Enable custom attributes. Custom Attributes is a section that appears under the main Attribute Mapping Value table. You must scroll down to the bottom of the page to see the Custom Attributes.
  • Attributes – Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between AirWatch user attributes (left) and your directory service attributes (right). By default, these attributes are the values most commonly used in Active Directory (AD). Update these mapping values to reflect the values used by your own or other directory service types.

    If you add or remove a custom attribute, initiate a manual sync afterward by selecting the Sync Attributes button.
  • Sync Attributes button – Manually sync the attributes mapped here to the user records in AirWatch. Attributes sync automatically on the time schedule configured for the AirWatch environment.
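The Flag Bit Match rule under Automatically Set Disabled Users to Inactive above, as an added Python example that is not AirWatch code. It assumes the Active Directory userAccountControl attribute and its ACCOUNTDISABLE bit (0x2), neither of which the page names; the exact-value mode for non-bitwise attributes and the sample records are constructed.

```python
# AD userAccountControl flag for a disabled account (an assumption: not stated on the page).
ACCOUNTDISABLE = 0x2

def is_disabled(attr_value, match_value, flag_bit_match=True):
    """Return True when the directory attribute marks the user disabled.

    Flag Bit Match: disabled when ANY bit of match_value is set in the attribute.
    Otherwise (assumed exact-value mode) the attribute must equal match_value.
    LDAP attribute values arrive as strings, so the value is converted first.
    """
    value = int(attr_value)
    if flag_bit_match:
        return (value & match_value) != 0
    return value == match_value

def users_to_deactivate(records, match_value, flag_bit_match=True):
    """records maps user name -> status attribute value; returns users to set inactive."""
    return sorted(u for u, v in records.items() if is_disabled(v, match_value, flag_bit_match))

# Constructed sample: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 66050 = NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD.
SAMPLE = {"alice": "512", "bob": "514", "carol": "66050"}
```

Entering a combined value such as 514 instead of the single ACCOUNTDISABLE bit also matches enabled accounts, because any matching bit counts; enter only the bit that means disabled.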

Group Tab

  • Group Object Class – Enter the appropriate Object Class. In most cases, this value should be "group".
  • Organizational Unit Object Class – Enter the appropriate Organizational Unit Object Class.

Show Advanced

  • Group Search Filter – Enter the search parameter used to associate user groups with directory service accounts.
  • Auto Sync Default – Select this check box to automatically add or remove users in AirWatch-configured user groups based on their membership in your directory service.
  • Auto Merge Default – Select this check box to automatically apply sync changes without administrative approval.
  • Maximum Allowable Changes – Enter the maximum number of group membership changes to be merged into AirWatch automatically. Any number of changes detected upon syncing with the directory service database under this number is merged automatically.

    If the number of changes exceeds this threshold, an administrator must manually approve the changes before they are applied. A single change is defined as a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as often.
  • Conditional Group Sync – Enable this option to sync group attributes only after changes occur in Active Directory. Disable this option to sync group attributes regularly, regardless of changes in Active Directory.
  • Auto-Update Friendly Name – When enabled, the friendly name is updated with group name changes made in Active Directory.

    When disabled, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit (OU)-based user groups with the same common name.
  • Attribute – Review and edit the Mapping Value for the listed Attribute, if necessary. These columns show the mapping between AirWatch user attributes (left) and your directory service attributes (right). By default, these attributes are the values most commonly used in AD. Update these mapping values to reflect the values used by your own or other directory service types.

  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.
  • Test Connection – Click this button to test your connection with your directory service endpoint.
  • Launch Setup Wizard – Click this button to launch the directory service setup wizard, which walks you through configuring DS integration.

Limitations and Caveats

  • No AD passwords are stored in the AirWatch database with the exception of the Bind account password used to link directory services into your AirWatch environment. That password is stored in encrypted form in the database and is not accessible from the console.

    Unique session keys are used for each sync connection to the Active Directory server.
  • In some instances global catalogs are used to manage multiple domains or AD Forests. If you experience delays when searching for or authenticating users, this may be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results.

    To do this, configure the following settings:
    • Encryption Type = None
    • Port = 3268
    • Verify that your firewall allows for this traffic on port 3268.