If you want to customize your directory service settings, you can skip the wizard and configure your settings manually.

  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services and select the Server tab.
  2. Enter your server information.

    Setting: Description

    Directory Type: Select the type of directory service that your organization uses.

    Enable DNS SRV: Allow the Domain Name System Service Record to decide which server in its prioritized list of servers can best support LDAP requests. This feature ensures continuity of services in a high availability environment. The default setting is Disabled.

    With this option disabled, Workspace ONE UEM uses your existing directory server, the address of which you enter in the Server setting.

    Supported DNS servers:

    • Active Directory integrated Microsoft DNS servers
    • Standalone Microsoft DNS servers

    Server: Enter the address of your directory server. This setting is only available when Enable DNS SRV is Disabled.

    Encryption Type: Select the type of encryption to use for directory services communication. The options available are None (unencrypted), SSL, and Start TLS.

    Port: Enter the Transmission Control Protocol (TCP) port used to communicate with the domain controller.

    The default for unencrypted LDAP directory service communication is port 389. To view a KnowledgeBase article that lists the most up-to-date Workspace ONE UEM SaaS data center IP ranges, refer to https://support.air-watch.com/articles/115001662168.

    • When you change the Encryption Type setting to SSL, the Port setting automatically changes to 636.
    • When you select the Add Domain button, the Port setting automatically changes to 3268.

    Verify SSL Certificate: This setting is only available when the Encryption Type is SSL or Start TLS. Select the SSL check box to receive SSL errors.

    Protocol Version: Select the version of the Lightweight Directory Access Protocol (LDAP) that is in use. Active Directory uses LDAP versions 2 or 3. If you are unsure of which Protocol Version to use, try the commonly used value of '3'.

    Use Service Account Credentials: Use the App pool credentials from the server on which the VMware Enterprise Systems Connector is installed for authenticating with the domain controller. Enabling this option hides the Bind User Name and Bind Password settings.

    Bind Authentication Type: Select the type of bind authentication to enable the AirWatch server to communicate with the domain controller.

    You can select Anonymous, Basic, Digest, Kerberos, NTLM, or GSS-NEGOTIATE. If you are unsure of which Bind Authentication Type to use, try the commonly used GSS-NEGOTIATE. You will know if your selection is not correct when you click Test Connection.

    Bind User Name: Enter the credentials used to authenticate with the domain controller. This account, identified by the user name you enter, provides read access to your directory server and binds the connection when authenticating users. Clear the bind password from the database by selecting the Clear Bind Password check box.

    Bind Password: Enter the password for the bind user name to authenticate with the directory server.

    Domain / Server: Enter the default domain and server name for any directory-based user accounts. If only one domain is used for all directory user accounts, fill in the text box with the domain. This entry means that users are authenticated without explicitly stating their domain.

    You can add more domains by selecting the Add Domain option. Make sure that all the domains are in the same forest. In this case, Workspace ONE UEM automatically changes the port setting to 3268 for global catalog. You may choose to change the port setting to 3269 for SSL encrypted traffic, or override it completely by entering a separate port.

    Is there a trust relationship between all domains? This setting is available only when you have more than one domain added.

    Select Yes if the binding account has permission to access other domains you have added. This added permission means that the binding account can successfully log in from more domains.

    The following options are available after selecting the Advanced section drop-down.

    Setting: Description

    Search Subdomains: Enable subdomain searching to find nested users.

    Leaving this option disabled can make searches faster and avoids network issues. However, users and groups located in subdomains under the base Domain Name (DN) are not identified.

    Connection Timeout: Enter the LDAP connection timeout value (in seconds).

    Request Timeout: Enter the LDAP query request timeout value (in seconds).

    Search without base DN: Enable this option when using a global catalog and when you do not want to require a base DN to search for users and groups.

    Use Recursive OID at Enrollment: Verify user group membership at the time of enrollment. As the system runs this feature at enrollment time, your performance may decrease with some directories.

    Use Recursive OID For Group Sync: Verify user group membership at the time of Group synchronization.

    Object Identifier Data Type: Select the unique identifier that never changes for a user or group. The options available are Binary and String. Typically, the Object Identifier is in a Binary format.

    Sort Control: Enable this option to turn on sorting. Disabling it can make searches faster and avoid sync timeouts.
  3. The following settings are available after enabling Use Azure AD for Identity Services and are only applicable if you are integrating with Azure Active Directory.

    Azure AD integration with Workspace ONE UEM must be configured at the tenant where Active Directory (such as LDAP) is configured.

    Setting: Description

    MDM Enrollment URL: Enter the URL address used to enroll devices.

    MDM Terms of Use URL: Enter the URL address of your terms of use agreement.

    There is a helpful link that displays exactly where in the Workspace ONE UEM in Azure AD config panel these MDM URLs belong. This link is labeled, "Where in AAD do I paste this info?"

    Directory ID: Enter the identification number used to authenticate your Azure AD license.

    The Azure Directory ID is found in your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section (0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n) is your Directory ID.

    Tenant Name: Enter the tenant name of your Azure AD instance.

    There is a helpful link that displays exactly how to obtain the tenant info from your AAD Directory Instance. This link is labeled, "How To Obtain Tenant Info"

    Immutable ID Mapping Attribute: The Immutable ID Mapping Attribute points to the sourceAnchor field in Active Directory that is mapped to Azure AD. This enables Workspace ONE UEM to match the Azure AD immutable ID to the correct local Active Directory attribute.

    Mapping Attribute Data Type: Choose the mapping attribute data type of the field used by Workspace ONE UEM as the sourceAnchor for Azure AD. The default type is Binary.

    Automatically revoke user tokens when wiping devices: Enable this option to revoke Microsoft Azure AD user tokens when a device or enterprise wipe is executed. It is not a best practice to disable this functionality as it may reduce the security posture of your configuration. If a wiped device is lost, it may still contain a valid AAD authentication token.

  4. The following Security Assertion Markup Language (SAML) options are available after enabling Use SAML for Authentication. These options are only applicable if you are integrating with a SAML identity provider.

    Setting: Description

    Enable SAML Authentication For: You have the choice of using SAML authentication for Admin, Enrollment, or Self Service Portal.

    UEM console administrators can select all three, or any combination of two, or select any one of the three components.

    Use new SAML Authentication endpoint: A new SAML authentication endpoint has been created for end-user authentication (device enrollment and login to SSP). This authentication replaces the two dedicated enrollment and SSP endpoints with a single endpoint.

    While you may choose to keep your existing settings, Workspace ONE UEM suggests updating your SAML settings to take advantage of the new combined endpoint.

    If you want to use the new endpoint, enable this setting and save the page. Then use the Export Service Provider Settings to export the new metadata file and upload it to your IdP. Doing so establishes trust between the new endpoint and your IdP.

    SAML 2.0

    Import Identity Provider Settings: Upload a metadata file obtained from the identity provider. This file must be in Extensible Markup Language (XML) format.

    Service Provider (Workspace ONE UEM) ID: Enter the Uniform Resource Identifier (URI) with which Workspace ONE UEM identifies itself to the identity provider. This string must match the ID that has been established as trusted by the identity provider.

    Identity Provider ID: Enter the URI that the identity provider uses to identify itself. Workspace ONE UEM checks authentication responses to verify that the identity matches the ID provided here.

    Request Binding Type: Select the binding types of the request. The options include Redirect, POST, and Artifact.

    Identity Provider Single Sign On URL: Enter the identity provider's Uniform Resource Locator (URL) that Workspace ONE UEM uses to send requests.

    NameID Format: Enter the format in which the identity provider sends a NameID for an authenticated user. This value is not required as Workspace ONE UEM obtains the user name from the FriendlyName “uid” required attribute.

    Authentication Request Security: Select from the dropdown whether or not the Service Provider (Workspace ONE UEM) signs the authentication requests. You can select None, Sign Authentication Requests (SHA1), and Sign Authentication Requests (SHA256). Consider selecting Sign Authentication Requests (SHA256) for more secure authentication.

    Response Binding Type: Select the binding types of the response. The options include Redirect, POST, and Artifact.

    Sp Assertion URL: Enter the Workspace ONE UEM URL that the identity provider configures to direct its authentication responses. “Assertions” regarding the authenticated user are included in success responses from the identity provider.

    Authentication Response Security: This value specifies whether the IdP signs the response. You can select between None, Validate Response Signatures, and Validate Assertions Signatures. Consider selecting Validate Response Signatures for more secure authentication.

    Identity Provider Certificate: Upload the identity provider certificate.

    Service Provider (AirWatch) Certificate: Upload the service provider certificate.

    Export Service Provider Settings button: Exports the metadata file for uploading to your Identity Provider (IdP). This setting establishes trust between the new SAML endpoint (for enrollment and SSP login) and your IdP.
  5. Verify that you have established proper connectivity by selecting the Test Connection button.
  6. Select Save.
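
Several SAML settings in step 4 (Identity Provider ID, Request Binding Type, the single sign-on URL, and the Identity Provider Certificate) correspond to fields in the IdP metadata file that Import Identity Provider Settings accepts. The following is an added example, not VMware code, that checks a metadata file against the values you plan to enter before you upload it; the function name, the sample metadata, and the idp.example.test host are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {  # console binding option -> SAML 2.0 binding URI
    "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}

# Constructed sample metadata; the host and the certificate text are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def review_idp_metadata(xml_text, idp_id, request_binding):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: this is not identity provider metadata"]
    findings = []
    if root.get("entityID") != idp_id:
        findings.append(f"Identity Provider ID {idp_id!r} != entityID {root.get('entityID')!r}")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    location = sso.get(BINDINGS[request_binding])
    if location is None:
        findings.append(f"IdP offers no SSO endpoint for the {request_binding} binding")
    elif not location.startswith("https://"):
        findings.append(f"SSO URL for {request_binding} is not HTTPS: {location}")
    # A KeyDescriptor without a use attribute applies to both signing and encryption.
    certs = [k.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")]
    if not any(certs):
        findings.append("no signing certificate: response signatures cannot be validated")
    return findings

if __name__ == "__main__":
    print(review_idp_metadata(SAMPLE_METADATA, "https://idp.example.test/saml", "POST"))
```

An empty result means the entity ID, the endpoint for the chosen binding, and a signing certificate are all present and consistent; it does not verify the certificate itself.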