The authentication proxy delivers directory services integration across the cloud or across hardened internal networks. In this model, the Workspace ONE UEM server communicates with a public-facing Web server or an Exchange ActiveSync server, and that server authenticates users against the domain controller.


Pros

  • Offers a secure method to proxy integration with AD/LDAP across the cloud.
  • End users can authenticate with existing corporate credentials.
  • Lightweight module that requires minimal configuration.


Cons

  • Requires a public-facing Web server or an Exchange ActiveSync server that ties into an AD/LDAP server.
  • Only feasible for specific architecture layouts.
  • Much less robust solution than VMware Enterprise Systems Connector.
  • Cannot be used for Workspace ONE Direct Enrollment.

This diagram shows a reverse proxy server acting as the go-between for directory services and Workspace ONE in the SaaS model.

  1. The device connects to Workspace ONE UEM to enroll. The user enters their directory services user name and password.
    • User name and password are encrypted during transport.
    • Workspace ONE UEM does not store the user's directory services password.
  2. Workspace ONE UEM relays the user name and password to a configured Authentication Proxy endpoint that requires authentication (for example, Basic Authentication).
  3. The user's credentials are validated against the corporate directory services.
  4. If the user credentials are valid, the Workspace ONE UEM server allows the device to complete a device enrollment.
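
The exchange in steps 2 to 4, sketched with both sides in one file. This is an added example, not VMware code: the function names, the example URL, the in-memory `DIRECTORY` stand-in for AD/LDAP, and the 200/401 status convention are assumptions. It also shows why the endpoint must be reached over HTTPS: Basic Authentication only base64-encodes the credentials.

```python
import base64
import binascii
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for the corporate directory (AD/LDAP); a real endpoint would bind to it.
DIRECTORY = {"jdoe": "S3cret:with:colons"}

def build_relay_request(endpoint_url, username, password):
    """UEM side (step 2): build the request relayed to the Authentication Proxy endpoint."""
    if urlsplit(endpoint_url).scheme != "https":
        # Basic Authentication is an encoding, not encryption; TLS protects the credentials.
        raise ValueError("Authentication Proxy endpoint must use https")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"url": endpoint_url, "headers": {"Authorization": f"Basic {token}"}}

def parse_basic(header):
    """Endpoint side: return (username, password), or None if the header is malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only, because the password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep and username else None

def endpoint_status(headers):
    """Endpoint side (step 3): validate against the directory; 200 if valid, else 401."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401
    username, password = creds
    expected = DIRECTORY.get(username)
    # Run the comparison for unknown users too, so both paths do the same work.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return 200 if ok and expected is not None else 401

def enrollment_allowed(endpoint_url, username, password):
    """UEM side (step 4): allow enrollment only when the endpoint accepts the credentials."""
    request = build_relay_request(endpoint_url, username, password)
    return endpoint_status(request["headers"]) == 200
```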