Workspace ONE UEM uses organization groups (OG) to identify users and establish permissions. When Workspace ONE UEM is integrated with Workspace ONE Access, the admin and enrollment user REST API keys are configured at the Workspace ONE UEM organization group type called Customer.
When users sign into the Workspace ONE Intelligent Hub app from a device, a device registration event is triggered within Workspace ONE Access. A request is sent to Workspace ONE UEM to pull any applications that the user and device combination is entitled to. The request is sent using the REST API to locate the user within Workspace ONE UEM and to place the device in the appropriate organization group.
To manage organization groups, two options can be configured in Workspace ONE Access.
- Enable Workspace ONE UEM auto discovery.
- Map Workspace ONE UEM organization groups to domains in the Workspace ONE Access service.
If neither of these two options are configured, the Workspace ONE Intelligent Hub app attempts to locate the user at the organization group where the REST API key is created. That group is the Customer group.
Using Workspace ONE UEM Auto Discovery
Set up Auto Discovery when a single directory is configured at a child group to the Customer Organization Group, or when multiple directories are configured below the Customer group with unique email domains. See Set Up Auto Discovery in Workspace ONE Access.
In example 1, the email domain of the organization is registered for auto discovery. Users enter only their email address in the Workspace ONE Intelligent Hub sign-in page.
In this example, when users in the NorthAmerica domain sign into the Workspace ONE Intelligent Hub app, they enter the complete email address as email@example.com. The application looks for the domain and verifies that the user exists or can be created with a directory call in the NorthAmerica organization group. The device can be registered.
Using Workspace ONE UEM Organization Group Mapping to Workspace ONE Access Domains
Configure the Workspace ONE Access service to the Workspace ONE UEM organization group mapping when multiple directories are configured with the same email domain. You enable Map Domains to Multiple Organization Groups in the Integrations > UEM Integration page in the Workspace ONE Access console.
When the Map Domains to Multiple Organization Groups option is enabled, domains configured in Workspace ONE Access can be mapped to the Workspace ONE UEM organization group IDs. The admin REST API key is also required.
In example 2, two domains are mapped to different organization groups. An admin REST API key is required. The same admin REST API key is used for both organization group IDs.
In the UEM Integration configuration page in the Workspace ONE Access console, configure a specific Workspace ONE UEM organization group ID for each domain.
With this configuration, when users logs into the Workspace ONE Intelligent Hub app from their device, the device registration request attempts to locate users from Domain3 in the organization group Europe and users from Domain4 in organization group AsiaPacific.
In example 3, one domain is mapped to multiple Workspace ONE UEM organization groups. Both directories share the email domain. The domain points to the same Workspace ONE UEM organization group.
In this configuration, when users sign into the Workspace ONE Intelligent Hub app, the application prompts the users to select which group they want to register into. In this example, users can select either Engineering or Accounting.
Placing Devices in the Correct Organization Group
When a user record is successfully located, the device is added to the appropriate organization group. The Workspace ONE UEM enrollment setting Group ID Assignment Mode determines the organization group to place the device. This setting is in the System Settings > Device & Users > General > Enrollment > Grouping page in the Workspace ONE UEM console.
In example 4, all users are at the Corporate organization group level.
Device placement depends on the selected configuration for the Group ID Assignment Mode at the Corporate organization group.
- If Default is selected, the device is placed into the same group where the user is located. For example 4, the device is placed into the Corporate group.
- If Prompt User to Select Group ID is selected, users are prompted to select which group to register their device into. For example 4, users see a drop-down menu within the Workspace ONE Intelligent Hub app with Engineering and Accounting as options.
- If Automatically Selected Based on User Group is selected, devices are placed into either Engineering or Accounting based on their user group assignment and corresponding mapping in the Workspace ONE UEM console.
Understanding the Concept of a Hidden Group
In example 4, when users are prompted to select an organization group from which to register, users also can enter a group ID value that is not in the list presented from the Workspace ONE Intelligent Hub app. This is the concept of a hidden group.
In example 5, in the Corporate organization group structure, North America, and Beta are configured as groups under Corporate.
In example 5, users enter their email address into the Workspace ONE Intelligent Hub app. After authentication, users are shown a list that displays Engineering and Accounting from which to select. Beta is not an option that is displayed. If users know the organization group ID, they can manually enter Beta into the group selection text box and successfully register their device into Beta.