The type of authentication you select in Workspace ONE Express depends on the amount of setup work the administrator does and the number of login steps the end user performs at enrollment.

If you want the enrollment process to be as simple as possible for the end user, the administrator must do more work to set it up. Likewise, a lighter workload for the administrator means that there is more setup for the end user to do.

Basic User Accounts

You can use Basic Authentication to identify users in the Workspace ONE Express architecture, but this method offers no integration with existing corporate user accounts.

Pros

  • Basic users require no enterprise infrastructure.
  • Requires no technical integration.

Cons

  • Offers no federated security and no single sign-on.
  • Credentials for basic users only exist in Workspace ONE Express and do not necessarily match existing corporate credentials.
  • Basic user names and passwords are stored in Workspace ONE Express.

Directory User Accounts

Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) authentication is used to integrate user and admin accounts of Workspace ONE Express with existing corporate accounts.

Pros

  • Directory users authenticate with existing corporate credentials.
  • Secure method of integrating with LDAP/AD.
  • Standard integration practice.

Cons

  • Requires an Active Directory or other LDAP server.

Create Basic User Account

After you decide which Authentication Type you want to use, you can create users in the Workspace ONE Express console. If your authentication type is Basic, then consider creating Basic User Accounts.

  1. Navigate to Accounts > Users > List View, select Add, and then select Add User. The Add / Edit User page displays.
  2. In the General tab, complete the following settings to add a basic user.
    Setting: Description
    Security Type: Select Basic and add a basic user.
    User name: Enter a user name with which the new user is identified.
    Password: Enter a password that the user can use to log in.
    Confirm Password: Confirm the password.
    Full Name: Complete the First Name, Middle Name, and Last Name of the user.
    Display Name: Represent the user in the console by entering a name.
    Email Address: Enter or edit the user's email address.
    Email user name: Enter or edit the user's email user name.
    Domain: Select the email domain from the drop-down setting.
    Phone Number: Enter the user's phone number including plus sign, country code, and area code.
    Enrollment Organization Group: Pre-populated setting reflects the existing organization group.
    Allow the user to enroll into additional Organization Groups:
      If you Enable this option but leave Additional Organization Groups blank, then any child OG created under the Enrollment Organization Group can be used as a point of enrollment.

      Workspace ONE Express customers have a single organization group to enroll into. Contact Support to inquire about upgrading to benefit from having multiple organization groups.

    Additional Organization Groups:
      This setting only appears when the option to allow the user to enroll into additional OGs is Enabled.

      This setting allows you to add additional organization groups from which your basic user can enroll.

    User Role: Select the role for the user you are adding from this drop-down setting.
    Message Type: Select the type of message you want to send to the user, Email or None.
    Message Template:
      The basic user activates their account with this notification. For security reasons, this notification does not include the user's password. Instead, a password reset link is included in the notification. The basic user selects this link to define another password. This password reset link expires in 24 hours automatically.

      Select the template for email messages by selecting one from this drop-down setting. Optionally, select Message Preview to preview the template and select the Configure Message Template to create a template.

  3. (Optional) Select the Advanced tab and complete the following settings.
    Setting: Description
    Email Password: Enter the email password of the user you are adding.
    Confirm Email Password: Confirm the email password of the user you are adding.
    User Principal Name: Enter the principal name of the basic user. This setting is optional.
    Category: Select the User Category for the user being added.
    Department: Enter the user's department for administrative purposes.
    Employee ID: Enter the user's employee ID for administrative purposes.
    Cost Center: Enter the user's cost center for administrative purposes.
    Use S/MIME:
      Enable or deactivate Secure Multipurpose Internet Mail Extensions (S/MIME).

      If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate by selecting Upload.

    Separate Encryption Certificate:
      Enable or deactivate the encryption certificate.

      If enabled, you must upload an encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing and encryption, unless a different certificate is expressly being used.

    Old Encryption Certificate:
      Enable or deactivate a legacy version encryption certificate.

      If enabled, you must Upload an encryption certificate.

    Enable Device Staging:
      Enable or deactivate the staging of devices.

      If enabled, you must select between Single User Devices and Multi User Devices. If Single User Devices, you must select between Standard, where users themselves log in, and Advanced, where a device is enrolled on behalf of another user.

  4. Select Save to save only the new user, or select Save and Add Device to save the new user and proceed to the Add Device page.

Create Directory User Account

After you decide which Authentication Type you want to use, you can create users in the Workspace ONE Express console. If your authentication type is based on your existing Active Directory structure, then consider creating Directory User Accounts.

  1. Navigate to Accounts > Users > List View and select Add and then Add User.

    The Add / Edit User page displays.

  2. In the General tab, complete the following settings to add a directory user.
    Setting: Description
    Security Type: Add an Active Directory user by selecting Directory as the Security Type.
    Directory Name: This pre-populated setting identifies the Active Directory name.
    Domain: Select the domain name from the drop-down menu.
    User name: Enter the user's directory user name and select Check User. If the system finds a match, the user's information is auto-populated. The remaining settings in this section are only available after you have successfully located an Active Directory user with the Check User button.
    Full Name:
      Use Edit Attributes to allow any option that syncs a blank value from the directory to be edited. Edit Attributes also enables you to populate the matching user's information automatically.

      If a setting syncs an actual value from the directory, then that setting must be edited in the directory itself. The change takes effect on the next directory sync. Complete any blank option returned from the directory in Full Name and select Edit Attributes to save the addition.

    Display Name: Enter the name that displays in the admin console.
    Email Address: Enter or edit the user's email address.
    Email user name: Enter or edit the user's email user name.
    Domain (email): Select the email domain from the drop-down menu.
    Phone Number: Enter the user's phone number including plus sign, country code, and area code.
    Enrollment Organization Group: For Workspace ONE Express customers, this setting is pre-populated and reflects the existing organization group.
    Allow the user to enroll into additional Organization Groups: Workspace ONE Express customers have a single organization group to enroll into. If you want to inquire about upgrading to benefit from having multiple organization groups, contact Support.
    User Role: Select the role for the user you are adding from this drop-down menu.
    Message Type: Select the type of message you can send to the user, Email or None.
    Message Template: Select the template for email messages from this drop-down setting. Optionally, select the Message Preview to preview the template and select the Configure Message Templates link to create a template.
  3. (Optional) Select the Advanced tab and complete the following settings.
    Setting: Description
    Email Password: Enter the email password of the user you are adding.
    Confirm Email Password: Confirm the email password of the user you are adding.
    Distinguished Name: For directory users recognized by Workspace ONE Express, this text box is pre-populated with the distinguished name of the user. Distinguished Name is a string representing the user name and all authorization codes associated with an Active Directory user.
    Manager Distinguished Name: Enter the distinguished name of the user's manager. This text box is optional.
    Category: Select the user category for the user being added.
    Department: Enter the user's department for your company's administrative purposes.
    Employee ID: Enter the user's employee ID for your company's administrative purposes.
    Cost Center: Enter the user's cost center for your company's administrative purposes.
    Enable Device Staging:
      Enable or deactivate the staging of devices.

      If enabled, you must select between Single User Devices and Multi User Devices.

      If Single User Devices, you must select between Standard, where users themselves log in, and Advanced, where a device is enrolled on behalf of another user.

  4. Select Save to save only the new user, or select Save and Add Device to save the new user and proceed to the Add Device page.