Making user groups with directory integration fosters an aligned approach to device management: device enrollment plus subsequent updates, administrative overview, and user management are each in lockstep with your existing directory service structure.

Before proceeding, ensure that the user group Type is Directory.

  1. Navigate to Accounts > User Groups > List View, select Add then Add User Group.

    Setting Description
    Type

    Select the type of User Group.

    • Directory – Create a user group that is aligned with your existing Active Directory structure. For more information, see User Groups with Directory Integration.
    • Custom – Create a user group outside of your organization's existing Active Directory structure. This user group type grants access to features and content for basic and directory users to customize user groups according to your deployment. Custom user groups can only be added at a customer level organization group.
    External Type

    Select the external type of group you are adding.

    • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    • Custom Query – You can also create a user group containing users you locate by running a custom query. Selecting this external type replaces the Search Text function but displays the Custom Query section.
    Search Text

    Identify the name of a user group in your directory by entering the search criteria and selecting Search to search for it. If a directory group contains your search text, a list of group names displays.

    This option is unavailable when External Type is set to Custom Query.

    Directory Name

    Read-only setting displaying the address of your directory services server.

    Domain and Group Base DN

    This information automatically populates based on the directory services server information you enter on the Directory Services page (Groups & Settings > System > Enterprise Integration > Directory Services).

    Select the Fetch DN plus sign (+) next to the Group Base DN setting, which displays a list of distinguished name elements from which you can select.

    Custom Object Class

    Identifies the object class under which your query runs. The default object class is 'person', but you can supply a custom object class to identify your users with greater success and accuracy.

    This option is available only when Custom Query is selected as External Type.

    Group Name

    Select a Group Name from your Search Text results list. Selecting a group name automatically alters the value in the Distinguished Name setting.

    This option is available only after you have completed a successful search with the Search Text setting.

    Distinguished Name

    This read-only setting displays the full distinguished name of the group you are creating.

    This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Base DN

    Identifies the base distinguished name which serves as the starting point of your query. The default base distinguished name is 'AirWatch' and 'sso'. However, if you want to run the query with a different starting point, you can supply a custom base distinguished name.

    This option is available only when Custom Query is selected as External Type.

    Organization Group Assignment

    This optional setting enables you to assign the user group you are creating to a specific organization group.

    This option is available only when Group or Organizational Unit is selected as External Type.

    User Group Settings

    Choose between Apply default settings and Use Custom settings for this user group. See the Custom Settings section for additional setting descriptions. You can configure this option from the permission settings after the group is created.

    This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Query
    Query

    This setting displays the currently loaded query that runs when you select the Test Query button and when you select the Continue button. Changes you make to the Custom Logic setting or the Custom Object Class setting are reflected here.

    Custom Logic

    Add your custom query logic here, such as user name or admin name. For example, "cn=jsmith". You can include as much or as little of the distinguished name as you like. The Test Query button allows you to see if the syntax of your query is correct before selecting the Continue button.
    Custom Settings
    Management Permissions

    You can allow or disallow all administrators to manage the user group you are creating.

    Default Role

    Choose a default role for the user group from the drop-down menu.

    Default Enrollment Policy

    Choose a default enrollment policy from the drop-down menu.

    Auto Sync with Directory

    This option enables the directory sync, which detects user membership from the directory server and stores it in a temporary table. Administrators approve changes to the console unless the Auto Merge option is checked.

    If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Auto Merge Changes

    Enable this option to apply sync changes automatically from the database without administrative approval.

    Maximum Allowable Changes

    Use this setting to set a threshold for the number of automatic user group sync changes that are allowed to occur before approval must be given.

    Changes that exceed the threshold require administrator approval, and a notification is sent to this effect. For more information, see AirWatch Console Notifications.

    This option is available only when Auto Merge Changes is enabled.

    Add Group Members Automatically

    Enable this setting to add users to the user group automatically.

    If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Send Email to User when Adding Missing Users

    You can send an email to users while adding missing users. Adding missing users means combining the temporary user group table with the Active Directory table.

    Message Template

    Choose a message template to be used for the email notification during the addition of missing users to the user group.

    This option is available only when Send Email to User when Adding Missing Users is enabled.

    For more information on Distinguished Name, search for Microsoft's TechNet article entitled "Object Naming" at https://technet.microsoft.com.

  2. Select Save.
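
The following is an added example, not AirWatch code or part of the original page: a Python preview of which directory entries a Custom Query would pull into a user group, given the Custom Object Class, Custom Logic, and Custom Base DN settings described above. It assumes the object class and custom logic are combined as a standard LDAP AND filter, which this page does not state; the sample entries and the names `build_query` and `preview_members` are constructed for illustration.

```python
import re

# Constructed sample entries (not from a real directory).
ENTRIES = [
    {"dn": "cn=jsmith,ou=Sales,dc=example,dc=com",
     "objectClass": ["top", "person"], "cn": ["jsmith"]},
    {"dn": "cn=jsmithers,ou=IT,dc=example,dc=com",
     "objectClass": ["top", "person"], "cn": ["jsmithers"]},
    {"dn": "cn=jsmith-svc,ou=Service,dc=example,dc=com",
     "objectClass": ["top", "applicationProcess"], "cn": ["jsmith-svc"]},
]

def build_query(custom_logic, object_class="person"):
    """Assumed composition: object class AND one attr=value assertion."""
    attr, sep, value = custom_logic.partition("=")
    if not sep or not attr.strip() or not value or set("()") & set(custom_logic):
        raise ValueError("custom logic must be a single attr=value assertion")
    return f"(&(objectClass={object_class})({attr.strip()}={value}))"

def _matches(entry, attr, pattern):
    # '*' is the LDAP substring wildcard; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    values = next((v for k, v in entry.items()
                   if k.lower() == attr.lower() and isinstance(v, list)), [])
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def _under_base(dn, base_dn):
    # An empty base DN means "search everything" in this sketch.
    dn, base_dn = dn.lower(), base_dn.lower()
    return not base_dn or dn == base_dn or dn.endswith("," + base_dn)

def preview_members(custom_logic, object_class="person", base_dn="", entries=ENTRIES):
    """Return (query string, DNs that would become group members)."""
    query = build_query(custom_logic, object_class)
    attr, _, value = custom_logic.partition("=")
    hits = [e["dn"] for e in entries
            if _under_base(e["dn"], base_dn)
            and _matches(e, "objectClass", object_class)
            and _matches(e, attr.strip(), value)]
    return query, hits

if __name__ == "__main__":
    for logic in ("cn=jsmith", "cn=jsmith*"):
        print(preview_members(logic))
```

With the constructed entries, `cn=jsmith*` also matches `jsmithers`, the kind of over-broad membership worth catching with Test Query before the group receives a default role and enrollment policy.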