The Grouping tab allows you to view and specify basic information regarding organization groups and Group IDs for end users. Enable Group ID Assignment Mode to select how the Workspace ONE UEM powered by AirWatch environment assigns Group IDs to users.

The Grouping tab can be found by navigating to Devices > Device Settings > Devices & Users > General > Enrollment.

Setting Description
Group ID Assignment Mode

Workspace ONE Direct Enrollment supports all assignment modes.

  • Default - Select this option if users are provided with Group IDs for enrollment. The Group ID used determines what organization group the user is assigned to.
  • Prompt User to Select Group ID - Enable this option to allow directory service users to select a Group ID from a list upon enrollment. The Group ID Assignment section lists available organization groups and their associated Group IDs. This listing does not require you to perform group assignment mapping, but does mean users have the potential to select an incorrect Group ID.
  • Automatically Select Based on User Group - This option only applies if you are integrating with user groups. Enable this option to ensure that users are automatically assigned to organization groups based on their directory service group assignments.

    The Group Assignment Settings section lists all the organization groups for the environment and their associated directory service user groups.

    Select the Edit Group Assignment button to modify the organization group/user group associations and set the rank of precedence each group has.

    For example, you have three groups, Executive, Sales, and Global, which are ranked in order of job role. Everyone is a member of Global, so if you were to rank that user group first, it puts all your users into a single organization group.

    Instead, if you rank Executives first, you ensure the small number of people belonging to that group are placed in their own organization group. Then rank Sales second, and you ensure that all Sales employees are placed in an organization group specific to sales. Rank Global last and anyone not already assigned to a group is placed in a separate organization group.

Table 1. Default
Setting Description
Default Device Ownership

Select the default Device Ownership of devices enrollment into the current organization group.

Workspace ONE Direct Enrollment supports setting a default device ownership.

Default Role

Select the default roles assigned to users at the current organization group, which can affect access to the Self-Service Portal.

  1. Full Access - Grants users with access to higher SSP functions such as install/remove profiles and apps, reset passcodes, send device messages, and write-access to content.
  2. Basic Access - Grants users with a low impact access. They can register their own device, view-only (but not install) profiles and apps, view their own account, and query and find their own device.
  3. External Access - Users with External Access have all the abilities as basic access users but they also have read-only access to content on the SSP that is explicitly shared with them.

Workspace ONE Direct Enrollment supports setting a default role.

Default Action for Inactive Users

Select the default action that impacts Active Directory users if their devices become inactive.

Processing of accounts is always user-centric over device-centric. This fact means the processing behavior applied to devices is based upon settings for the OG where the user is managed, not the device.

Workspace ONE Direct Enrollment supports setting a default action for inactive users.

Table 2. User Group Sync
Setting Description
Sync User Groups in Real Time for Workspace ONE

Workspace ONE can sync user groups for a given user as they register with the UEM console.

Enabled by default, this feature is most effective when user groups are being used with great frequency for app assignment, profile assignment, policy assignment, or user mapping.

This feature is CPU-intensive so unless your use case is similar to the above, disable this setting for improved performance and to prevent latency issues while launching the Workspace ONE application.

Table 3. User Role Mapping
Setting Description
Enable Directory Group-Based Mapping

Select this box to enable ranked assignments that link a directory user group to a specific Workspace ONE UEM role. Users belonging to a particular group are assigned the associated roles. If they belong to more than one group, they take the highest ranked pairing.

You can edit the order in which role-infused user groups are ranked by selecting the Edit assignment button.

Workspace ONE Direct Enrollment supports directory group-based mapping.