Directory Service Integration and Enrollment Restrictions

When directory service integration is configured on Workspace ONE™ UEM, directory service accounts inherit enrollment settings from the organization group (OG) from which the directory service is configured. Basic accounts, however, abide by local settings, including overrides.


For example, assume the option "Enterprise Wipe devices of users that are removed from configured groups" is enabled on the Customer OG. In this scenario, directory enrollment users in Sales01 who leave a configured group see their devices wiped despite the override configured in the Sales01 OG. This is true even if those accounts have devices enrolled on a different OG, because enrollment settings are user-centric, not device-centric.

However, in this same scenario, devices belonging to basic enrollment users of Sales01 OG who leave a configured group are not wiped. This is because basic enrollment users in Sales01 are not a part of the directory service-integrated OG and therefore recognize and abide by the overridden enrollment restriction.