When planning end-user enrollment, consider the following questions in addition to the existing pros and cons of basic versus directory users.
For the pros & cons of basic users vs directory users, see Basic vs. Directory Services Enrollment.
Consideration #1: Who Can Enroll?
In answering this question, consider the following.
- Is the intent of your MDM deployment to manage devices for all your organization's users at or below the base DN* you configured? If so, the easiest way to achieve this arrangement is to allow all users to enroll by ensuring the Restrict Enrollment check boxes are deselected.
You can allow all users to enroll during the initial deployment rollout and then afterward, restrict the enrollment to prevent unknown users from enrolling. As your organization adds new employees or members to existing user groups, these changes are synced and merged.
- Are there certain users or groups who are not to be included in MDM? If so, you must either add users one at a time or batch import a CSV (comma-separated value) file of only eligible users.
If you want to restrict certain users and groups, see Configure Enrollment Restrictions.
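To preview who an unrestricted enrollment would admit before deciding on restrictions, the following added Python example (not VMware code, and not a Workspace ONE UEM API or import format) checks which directory entries sit at or below a base DN and removes members of excluded groups. The entry fields, the example.com DNs, and the group names are constructed assumptions; matching is assumed case-insensitive, and multi-valued RDNs are not split.

```python
# Added example with constructed data; not a Workspace ONE UEM export format.

def _normalize(rdn):
    """Lowercase and trim one RDN so 'OU = Staff' equals 'ou=staff'."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())

def split_dn(dn):
    """Split a DN into normalized RDNs, honoring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair inside the value
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [_normalize(r) for r in rdns if r.strip()]

def is_at_or_below(dn, base_dn):
    """True when the entry's trailing RDNs are exactly the base DN's RDNs."""
    entry, base = split_dn(dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def eligible_users(entries, base_dn, excluded_groups):
    """Users in scope of base_dn who belong to none of the excluded groups."""
    excluded = {g.lower() for g in excluded_groups}
    return [e["user"] for e in entries
            if is_at_or_below(e["dn"], base_dn)
            and not excluded & {g.lower() for g in e["groups"]}]

BASE_DN = "OU=Staff,DC=example,DC=com"  # constructed
ENTRIES = [  # constructed sample directory entries
    {"user": "jdoe", "dn": "CN=Doe\\, Jane,OU=Sales,OU=Staff,DC=example,DC=com", "groups": ["Sales"]},
    {"user": "kiosk1", "dn": "CN=Kiosk 1,OU=Staff,DC=example,DC=com", "groups": ["Kiosk Accounts"]},
    {"user": "vendor", "dn": "CN=Vendor,OU=Partners,DC=example,DC=com", "groups": ["Sales"]},
    # The escaped comma makes "OU=Staff" part of the CN value, not a container.
    {"user": "odd", "dn": "CN=Smith\\, OU=Staff,DC=example,DC=com", "groups": []},
]

if __name__ == "__main__":
    print(eligible_users(ENTRIES, BASE_DN, ["Kiosk Accounts"]))
```

Comparing parsed RDNs rather than raw strings matters for the last entry: a plain suffix match on the DN text would place it under the base DN even though it sits directly under `DC=example,DC=com`.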
Consideration #2: Where Will Users Be Assigned?
Another consideration when integrating your Workspace ONE™ UEM environment with directory services is how you assign directory users to organization groups during enrollment. In answering this question, consider the following.
- Have you created an organization group structure that logically maps to your directory service groups? You must complete this task before you can edit user group assignments.
- If your users are enrolling their own devices, letting them select a Group ID from a list is simple. That simplicity leaves room for human error, which can lead to incorrect group assignments.
You can automatically select a Group ID based on a user group or allow users to select a Group ID from a list. These Group ID Assignment Mode options are available by navigating to Devices > Device Settings > Devices & Users > General > Enrollment and selecting the Grouping tab.
If you want to configure Group ID options, see Configure Enrollment Options on Grouping Tab.
* The base DN, or distinguished name, is the point from which a server searches for users. A distinguished name is a name that uniquely identifies an entry in the directory. Every entry in the directory has a DN.