As an admin, you can configure your directory service integration with Workspace ONE UEM. Integrating with directory services eliminates the need to create basic user accounts in your organization. Such integration can also help simplify the enrollment process for end users by applying information they already know.
What can you do with the Directory Services Settings Page?
The path to the settings page on the UEM console is .
Integrating Workspace ONE UEM with your directory service provides many benefits.
- Conduct enrollment for both users and administrators.
- Map directory groups to Workspace ONE UEM user groups.
- Control UEM console access.
- Apply existing credentials for VMware Content Locker access.
- Assign apps, profiles, and policies by user group.
- Automatically retire end users when they go inactive.
Determine your Organization group hierarchy
- Current Setting - Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
Server Tab
Setting | Description |
---|---|
Directory Type | Select the type of directory service that your organization uses. Workspace ONE UEM supports open source LDAP for directory services. |
DNS SRV | Allow the Domain Name System Service Record to decide which server in its prioritized list of servers can best support LDAP requests. This feature ensures continuity of services in a high availability environment. The default setting is Disabled. With this option turned off, Workspace ONE UEM uses your existing directory server, the address of which you enter in the Server setting. Supported DNS servers: |
Server | Enter the address of your directory server. This setting is only available when Enable DNS SRV is Disabled. |
Encryption Type | Select the type of encryption to use for a directory services communication. The options available are None (unencrypted), SSL, and Start TLS. |
Port | Enter the Transmission Control Protocol (TCP) port used to communicate with the domain controller. The default for unencrypted LDAP directory service communication is port 389. To view a KnowledgeBase article that lists the most up-to-date Workspace ONE UEM SaaS data center IP ranges, refer to https://support.air-watch.com/articles/115001662168. |
Protocol Version | Select the version of the Lightweight Directory Access Protocol (LDAP) that is in use. Active Directory uses LDAP versions 2 or 3. If you are unsure of which Protocol Version to use, try the commonly used value of '3'. |
Use Service Account Credentials | Use the App pool credentials from the server on which the VMware Enterprise Systems Connector is installed for authenticating with the domain controller. Enabling this option hides the Bind user name and Bind Password settings. |
Bind Authentication Type | Select the type of bind authentication to enable the AirWatch server to communicate with the domain controller. You can select Anonymous, Basic, Digest, Kerberos, NTLM, or GSS-NEGOTIATE. If you are unsure of which Bind Authentication Type to use, start by setting it to Basic. You will know if your selection is not correct when you click Test Connection. |
Bind User Name | Enter the credentials used to authenticate with the domain controller. This account (identified by the user name you enter) must have read-access permission on your directory server; it binds the connection when authenticating users. If you are unsure of which Bind Authentication Type to use, try the commonly used GSS-NEGOTIATE. You will know if your selection is not correct when you click Test Connection. |
Clear Bind Password | Select the Clear Bind Password check box to clear the bind password from the database. |
Bind Password | Enter the password for the bind user name to authenticate with the directory server. |
Domain / Server | Enter the default domain and server name for any directory-based user accounts. If only one domain is used for all directory user accounts, fill in the text box with the domain. This entry means that users are authenticated without explicitly stating their domain. You can add more domains by selecting the Add Domain option. Make sure that all the domains are in the same forest. In this case, Workspace ONE UEM automatically changes the port setting to 3268 for global catalog. You may choose to change the port setting to 3269 for SSL encrypted traffic, or override it completely by entering a separate port. |
Is there a trust relationship between all domains? | This setting is available only when you have more than one domain added. Select Yes if the binding account has permission to access other domains you have added. This added permission means that the binding account can successfully log in from more domains. |
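The DNS SRV row above says the record decides which server in a prioritized list answers LDAP requests. The following added example (not Workspace ONE UEM code) shows what that ordering means in practice under RFC 2782: lowest priority value first, a weighted random choice among servers of equal priority, and the rest of the list kept as the failover order. The zone name `_ldap._tcp.corp.example`, the host names and the weights are constructed for illustration.

```python
"""Order directory servers from DNS SRV records as RFC 2782 prescribes.

Added example, not Workspace ONE UEM code. Record values below are
constructed for a hypothetical _ldap._tcp.corp.example zone.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records: two primary domain controllers sharing load 60/40,
# and a disaster-recovery controller that is only used when both fail.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=60, port=636, target="dc1.corp.example"),
    SrvRecord(priority=10, weight=40, port=636, target="dc2.corp.example"),
    SrvRecord(priority=20, weight=0, port=636, target="dc-dr.corp.example"),
]


def order_srv_targets(records, rng=None):
    """Return the records in the order a client should try them.

    RFC 2782 usage rules: group by priority (lowest value first); within a
    group place weight-0 records first, draw a random number in
    [0, sum of weights] and take the first record whose running sum reaches
    it; repeat until the group is exhausted, then move to the next priority.
    """
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)  # weight-0 entries first
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            chosen = pool[-1]
            for record in pool:
                running += record.weight
                if running >= pick:
                    chosen = record
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def preferred_ldap_server(records, rng=None):
    """(target, port) of the server tried first, or None when no records exist."""
    ordered = order_srv_targets(records, rng)
    return (ordered[0].target, ordered[0].port) if ordered else None


if __name__ == "__main__":
    # Seeded so a reader gets a repeatable demonstration run
    for record in order_srv_targets(SAMPLE_SRV, random.Random(1)):
        print(record.priority, record.weight, record.target, record.port)
```

Whichever of dc1 or dc2 the weighted draw selects first, the priority-20 disaster-recovery server always comes last; that is the continuity property the setting description refers to.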
The following options are available after selecting the Advanced section drop-down.
Setting | Description |
---|---|
Search Subdomains | Enable subdomain searching to find nested users. Leaving this option turned off can make searches faster and avoids network issues; however, users and groups located in subdomains under the base Distinguished Name (DN) are not identified. |
Connection Timeout | Enter the LDAP connection timeout value (in seconds). |
Request Timeout | Enter the LDAP query request timeout value (in seconds). |
Search without base DN | Enable this option when using a global catalog and when you do not want to require a base DN to search for users and groups. |
Use Recursive OID at Enrollment | Verify user group membership at the time of enrollment. As the system runs this feature at enrollment time, your performance may decrease with some directories. |
Use Recursive OID For Group Sync | Verify user group membership at the time of Group synchronization. |
Object Identifier Data Type | Select the unique identifier that never changes for a user or group. The options available are Binary and String. Typically, the Object Identifier is in a Binary format. |
Sort Control | Option to enable sorting. Turning this option off can make searches faster and helps you avoid sync timeouts. |
Azure Active Directory
Select Enabled for Use Azure AD for Identity Services and follow the on-screen steps to set up integration with Azure Active Directory. For more information, search for the topic Enrollment Through Azure AD Integration in docs.vmware.com.
SAML 2.0
The following Security Assertion Markup Language (SAML) options are available after selecting Use SAML for Authentication, and are only applicable if you are integrating with a SAML identity provider.
Setting | Description |
---|---|
Enable SAML authentication For | You have the choice of using SAML authentication for Admin, Enrollment, or Self Service Portal. UEM console administrators can select all three, or any combination of two, or select any one of the three components. |
Use new SAML Authentication endpoint | A new SAML authentication endpoint has been created for end-user authentication (device enrollment and login to SSP). This authentication replaces the two dedicated enrollment and SSP endpoints with a single endpoint. While you may choose to keep your existing settings, Workspace ONE UEM suggests updating your SAML settings to take advantage of the new combined endpoint. If you want to use the new endpoint, enable this setting and save the page. Then use the Export Service Provider Settings to export the new metadata file and upload it to your IdP. Doing so establishes trust between the new endpoint and your IdP. |
What UEM Requires of Third-Party Identity Providers (IDP)
The following is universal for any Identity Provider (IDP).
- All supported versions
- The third-party IDP is required to send the following SAML attributes to Workspace ONE UEM:
SAML Attribute Name | SAML Attribute Format | SAML Attribute Value |
---|---|---|
NameID | unspecified | TransientID |
uid or sAMAccountName | unspecified | Username attribute from UEM |
- To retrieve the Username attribute used by Workspace ONE UEM, take the following steps.
- Navigate to .
- Select the Users tab, then Advanced and look for the attribute named Username.
- The Mapping Value is the attribute required by Workspace ONE UEM. This could be uid or sAMAccountName, depending on the IDP.
- Addendum for version 1904 and later (based on KB: https://kb.vmware.com/s/article/2961194)
- Replace the above table with the following table.
SAML Attribute Name | SAML Attribute Format | SAML Attribute Value |
---|---|---|
NameID | unspecified | TransientID |
uid or sAMAccountName | unspecified | Username attribute from UEM |
objectGUID | unspecified | Object Identifier attribute from UEM |
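The attribute tables above are the contract an IdP must meet. The following added example (not VMware code) parses a SAML assertion and lists what is missing against that contract: a NameID in the unspecified format, exactly one value for the Username mapping attribute (uid or sAMAccountName), and, when the 1904-and-later addendum applies, an objectGUID attribute. The assertion itself is a constructed, unsigned sample; the check is meant to run on an assertion whose signature has already been verified, and the attribute names it looks for are taken from the tables, while the mapping attribute to check is a parameter because it depends on your directory.

```python
"""Check a SAML assertion against the attributes Workspace ONE UEM expects.

Added example, not VMware code. The assertion below is constructed and
unsigned; signature validation is out of scope here and must happen first.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion carrying the attributes from the tables above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="{UNSPECIFIED}">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="sAMAccountName" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="objectGUID" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>CONSTRUCTED-GUID-VALUE</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_saml_identity(assertion_xml: str) -> dict:
    """Return the NameID, its Format, and an attribute name -> values map."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    name_id = root.find("saml:Subject/saml:NameID", ns)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def missing_uem_requirements(identity: dict, username_attribute: str,
                             require_object_guid: bool) -> list:
    """List what the assertion lacks against the UEM attribute table.

    username_attribute is the Mapping Value of the UEM Username attribute
    (uid or sAMAccountName). require_object_guid reflects the 1904+ addendum.
    An absent Format is accepted because the SAML 2.0 default is unspecified.
    """
    problems = []
    if not identity["name_id"]:
        problems.append("NameID missing")
    elif identity["name_id_format"] not in (None, UNSPECIFIED):
        problems.append(f"NameID format is {identity['name_id_format']}, expected unspecified")
    values = identity["attributes"].get(username_attribute, [])
    if len(values) != 1 or not values[0]:
        problems.append(f"{username_attribute} must carry exactly one non-empty value")
    if require_object_guid and not identity["attributes"].get("objectGUID"):
        problems.append("objectGUID missing (required for 1904 and later)")
    return problems


if __name__ == "__main__":
    identity = extract_saml_identity(SAMPLE_ASSERTION)
    print(identity)
    print(missing_uem_requirements(identity, "sAMAccountName", require_object_guid=True))
    print(missing_uem_requirements(identity, "uid", require_object_guid=False))
```

Run against a real IdP's test assertion, the second call models an IdP that sends sAMAccountName while the UEM Username mapping expects uid: the report names the mismatch, which is the usual cause of a SAML enrollment that authenticates at the IdP but fails at UEM.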
User Tab
Setting | Description |
---|---|
User Object Class | Enter the appropriate Object Class. In most cases, this value is "user." |
User Search Filter | Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}" where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user. |
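The User Search Filter template substitutes a value typed by the enrolling user into an LDAP filter. The following added example (not Workspace ONE UEM code) shows how the template expands for the common identifiers sAMAccountName and uid, and the caveat a practitioner wants with any such substitution: the enrollment user value must be escaped per RFC 4515 so that filter metacharacters in it cannot change the shape of the query. Wrapping the expanded template in parentheses, the helper names, and the sample values are this example's own assumptions.

```python
"""Expand a UEM-style user search filter with RFC 4515 escaping.

Added example, not Workspace ONE UEM code. The template string is the one
the settings page suggests; the surrounding parentheses, function names and
sample values are assumptions made here.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

UEM_TEMPLATE = "<LDAPUserIdentifier>={EnrollmentUser}"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, ldap_user_identifier: str,
                      enrollment_user: str, escape: bool = True) -> str:
    """Expand the template into a complete filter such as (sAMAccountName=jdoe).

    ldap_user_identifier is the directory attribute that identifies a user
    (sAMAccountName for Active Directory, uid for OpenLDAP). The escape flag
    exists only to show the difference; real code always escapes.
    """
    value = ldap_filter_escape(enrollment_user) if escape else enrollment_user
    expanded = template.replace("<LDAPUserIdentifier>", ldap_user_identifier)
    expanded = expanded.replace("{EnrollmentUser}", value)
    return f"({expanded})"


def is_single_equality_filter(filter_text: str, attribute: str) -> bool:
    """True when the filter is exactly one (attribute=value) assertion.

    The value may contain RFC 4515 escapes (backslash plus two hex digits) but
    no raw filter metacharacters, so a value that would add or alter filter
    terms is rejected.
    """
    prefix = f"({attribute}="
    if not (filter_text.startswith(prefix) and filter_text.endswith(")")):
        return False
    value = filter_text[len(prefix):-1]
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            hex_part = value[i + 1:i + 3]
            if len(hex_part) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hex_part):
                return False
            i += 3
            continue
        if ch in "*()\x00":
            return False
        i += 1
    return True


if __name__ == "__main__":
    print(build_user_filter(UEM_TEMPLATE, "sAMAccountName", "jdoe"))
    # Constructed value containing filter metacharacters (a name with parentheses)
    odd_name = "jdoe (contractor)"
    for escape in (False, True):
        candidate = build_user_filter(UEM_TEMPLATE, "uid", odd_name, escape=escape)
        print(candidate, is_single_equality_filter(candidate, "uid"))
```

The structural check is deliberately strict: the page's suggested template is a single equality assertion, so anything else arriving at the directory indicates that the substituted value was not escaped.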
Advanced
Setting | Description |
---|---|
Auto Merge | Enable setting to allow user group updates from your directory service to merge with the associated users and groups in Workspace ONE UEM automatically. |
Automatically Sync Enabled Or Deactivated User Status | Select Enabled to deactivate the associated user in Workspace ONE UEM when that user is deactivated in your LDAP directory service (for example, Active Directory, Novell e-Directory, and so on). |
Enable Custom Attributes | Enable custom attributes. Custom Attributes is a section that appears under the main Attribute – Mapping Value table. You must scroll down to the bottom of the page to see the Custom Attributes. |
Attributes | Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in Active Directory (AD). Update these mapping values to reflect the values used for your own or other directory service types. If you add or remove a custom attribute, you should initiate a manual sync afterward by selecting the Sync Attributes button. |
Sync Attributes button | Manually sync the attributes mapped here to the user records in Workspace ONE UEM. Attributes sync automatically on the time schedule configured for the Workspace ONE UEM environment. |
Group Tab
Setting | Description |
---|---|
Group Object Class | Enter the appropriate Object Class. In most cases this value should be group. |
Organizational Unit Object Class | Enter the appropriate Organizational Unit Object Class. |
Show Advanced
Setting | Description |
---|---|
Group Search Filter | Enter the search parameter used to associate user groups with directory service accounts. |
Auto Sync Default | Select this checkbox to automatically add or remove users in Workspace ONE UEM configured user groups based on their membership in your directory service. |
Auto Merge Default | Select this check box to automatically apply sync changes without administrative approval. |
Maximum Allowable Changes | Enter the maximum number of group membership changes that can be merged into Workspace ONE UEM automatically. If the number of changes detected upon syncing with the directory service database is under this number, they are merged automatically. If the number of changes exceeds this threshold, an administrator must manually approve the changes before they are applied. A single change is defined as a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much. |
Conditional Group Sync | Enable this option to sync group attributes only after changes occur in Active Directory. Deactivate this option to sync group attributes regularly, regardless of changes in Active Directory. |
Auto-Update Friendly Name | When enabled, the friendly name is updated with group name changes made in Active Directory. When deactivated, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit (OU)-based user groups with the same common name. |
Attribute | Review and edit the Mapping Value for the listed Attribute, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in AD. Update these mapping values to reflect the values used for your own or other directory service types. |
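The Auto Merge Default and Maximum Allowable Changes rows describe a gate on group synchronization: a change is one user joining or leaving a group, and a sync whose change count stays within the threshold merges without approval. The following added example (not Workspace ONE UEM code) models that gate over constructed group memberships. It treats a count equal to the threshold as still allowable, which is an assumption made here, since the page states only that changes under the number merge and changes exceeding it need approval.

```python
"""Decide whether a directory group sync merges automatically or needs approval.

Added example, not Workspace ONE UEM code. Group names and users below are
constructed. The threshold comparison uses "<=", an assumption made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupChange:
    group: str
    user: str
    action: str  # "join" or "leave"


def diff_memberships(uem_groups: dict, directory_groups: dict) -> list:
    """One GroupChange per user that joined or left a group.

    Both arguments map group name -> set of user identifiers: the membership
    Workspace ONE UEM currently holds and the membership the directory now
    reports. Groups present on only one side are handled as all-join or
    all-leave, which is how a group emptied by mistake shows up as a large
    change count.
    """
    changes = []
    for group in sorted(set(uem_groups) | set(directory_groups)):
        before = uem_groups.get(group, set())
        after = directory_groups.get(group, set())
        changes.extend(GroupChange(group, u, "join") for u in sorted(after - before))
        changes.extend(GroupChange(group, u, "leave") for u in sorted(before - after))
    return changes


def sync_decision(changes, auto_merge: bool, max_allowable: int) -> str:
    """Return "no-change", "auto-merge" or "needs-approval".

    Auto merge applies only when it is enabled and the number of changes is
    within Maximum Allowable Changes; otherwise an administrator must approve.
    """
    if not changes:
        return "no-change"
    if auto_merge and len(changes) <= max_allowable:
        return "auto-merge"
    return "needs-approval"


def apply_changes(uem_groups: dict, changes) -> dict:
    """Return the UEM membership after the approved changes are merged."""
    merged = {group: set(members) for group, members in uem_groups.items()}
    for change in changes:
        members = merged.setdefault(change.group, set())
        if change.action == "join":
            members.add(change.user)
        else:
            members.discard(change.user)
    return merged


# Constructed sample data: UEM's current view and the directory's new view.
UEM_GROUPS = {
    "Sales": {"alice", "bob"},
    "Engineering": {"carol"},
}
DIRECTORY_GROUPS = {
    "Sales": {"alice", "dave"},          # bob left, dave joined
    "Engineering": {"carol", "erin"},    # erin joined
}

if __name__ == "__main__":
    pending = diff_memberships(UEM_GROUPS, DIRECTORY_GROUPS)
    for change in pending:
        print(f"{change.group}: {change.user} {change.action}")
    print(sync_decision(pending, auto_merge=True, max_allowable=100))
    print(sync_decision(pending, auto_merge=True, max_allowable=2))
```

The value of the threshold is defensive: a directory-side error or an over-broad group edit that would remove many users (and therefore their app and profile assignments) at once stops at the approval step instead of flowing straight into Workspace ONE UEM.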
- Test Connection – Click this button to test your connection with your directory service endpoint.
Limitations and Caveats
- No AD passwords are stored in the Workspace ONE UEM database with the exception of the Bind account password used to link directory services into your Workspace ONE UEM environment. That password is stored in encrypted form in the database and is not accessible from the console. Unique session keys are used for each sync connection to the Active Directory server.
- In some instances global catalogs are used to manage multiple domains or AD Forests. If you experience delays when searching for or authenticating users, this may be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results. To do this, configure the following settings:
- Encryption Type = None
- Port = 3268
- Verify that your firewall allows for this traffic on port 3268.
- Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.