You can add directory service user groups into Workspace ONE UEM one at a time or use a batch import process. Adding directory user groups one at a time is ideal for when you have a limited number of groups to add. It is preferable to batch import directory user groups when you have multiple groups to add.

Using the batch import method means uploading a list of your existing directory service groups in a .csv (comma-separated values) template file. This method does not immediately create user accounts for each of your directory service accounts. However, it ensures Workspace ONE UEM recognizes them as belonging to a configured group. You can then use this recognition as a means of restricting who can enroll.

User groups in Workspace ONE UEM can be synced – automatically when configured with a scheduler – with your directory service groups to merge changes or add missing users.

  • Pros – You have the option of restricting an enrollment to only known groups, which lets you restrict on a user group level who can enroll. This method also keeps your existing directory service group infrastructure and allows you to assign profiles, policies, content, and apps based on these existing group setups.
  • Cons – Uploading directory service user groups does not automatically create Workspace ONE UEM user accounts. If you have restricted enrollment for known users, you must add those user accounts into the UEM console manually.

Add Individual Directory User Group to Workspace ONE UEM

If you have just a few user groups to add to Workspace ONE UEM, then take the following steps to add a directory service user group.
  1. Navigate to Accounts > User Groups > List View, select Add, then Add User Group.
  2. Complete the settings in the Add User Group screen as applicable, ensuring the user group Type is Directory.
    Setting – Description

    Type – Select the type of User Group.
      • Directory – Create a user group that is aligned with your existing Active Directory structure.
      • Custom – Create a user group outside of your organization's existing Active Directory structure. This user group type grants access to features and content for basic and directory users, so you can customize user groups according to your deployment. Custom user groups can only be added at a customer-level organization group.

    External Type – Select the external type of group you are adding.
      • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
      • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
      • Custom Query – You can also create a user group containing users you locate by running a custom query. Selecting this external type replaces the Search Text function and displays the Custom Query section instead.

    Search Text – Identify the name of a user group in your directory by entering the search criteria and selecting Search. If a directory group contains your search text, a list of group names displays. This option is unavailable when External Type is set to Custom Query.

    Directory Name – Read-only setting displaying the address of your directory services server.

    Domain and Group Base DN – This information populates automatically based on the directory services server information you enter on the Directory Services page (Groups & Settings > System > Enterprise Integration > Directory Services). Select the Fetch DN plus sign (+) next to the Group Base DN setting to display a list of distinguished name elements from which you can select.

    Custom Object Class – Identifies the object class under which your query runs. The default object class is 'person', but you can supply a custom object class to identify your users with greater success and accuracy. This option is available only when Custom Query is selected as External Type.

    Group Name – Select a Group Name from your Search Text results list. Selecting a group name automatically alters the value in the Distinguished Name setting. This option is available only after you have completed a successful search with the Search Text setting.

    Distinguished Name – This read-only setting displays the full distinguished name of the group you are creating. This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Base DN – Identifies the base distinguished name that serves as the starting point of your query. The default base distinguished name is 'AirWatch' and 'sso'. However, if you want to run the query from a different starting point, you can supply a custom base distinguished name. This option is available only when Custom Query is selected as External Type.

    Organization Group Assignment – This optional setting enables you to assign the user group you are creating to a specific organization group. This option is available only when Group or Organizational Unit is selected as External Type.

    User Group Settings – Select between Apply default settings and Use Custom settings for this user group. See the Custom Settings section for additional setting descriptions. You can configure this option from the permission settings after the group is created. This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Query: Query – This setting displays the currently loaded query that runs when you select the Test Query button and when you select the Continue button. Changes you make to the Custom Logic setting or the Custom Object Class setting are reflected here.

    Custom Logic – Add your custom query logic here, such as a user name or admin name. For example, "cn=jsmith". You can include as much or as little of the distinguished name as you like. The Test Query button lets you check that the syntax of your query is correct before selecting the Continue button.

    Custom Settings: Management Permissions – You can allow or disallow all administrators to manage the user group you are creating.

    Default Role – Select a default role for the user group from the drop-down menu.

    Default Enrollment Policy – Select a default enrollment policy from the drop-down menu.

    Auto Sync with Directory – This option enables the directory sync, which detects user membership from the directory server and stores it in a temporary table. Administrators must approve changes in the console unless the Auto Merge option is selected. If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Auto Merge Changes – Enable this option to apply sync changes automatically from the database without administrative approval.

    Maximum Allowable Changes – Use this setting to set a threshold for the number of automatic user group sync changes that can occur before approval must be given. Changes beyond the threshold need admin approval, and a notification is sent to this effect. This option is available only when Auto Merge Changes is enabled.

    Add Group Members Automatically – Enable this setting to add users to the user group automatically. If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Send Email to User when Adding Missing Users – Enable to send an email to users when missing users are being added to the user group. Adding missing users means combining the temporary user group table with the Active Directory table.

    Message Template – This option is available only when Send Email to User when Adding Missing Users is enabled. Select a message template to be used for the email notification during the addition of missing users to the user group.

    When adding Active Directory users new to the Workspace ONE UEM console, the available message templates depend on the enrollment mode configured under Groups & Settings > All Settings > Devices & Users > General > Enrollment, on the Authentication tab, in the Devices Enrollment Mode option.

    When Open Enrollment is selected as the Devices Enrollment Mode, a User Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll.

    When Registered Devices Only is selected as the Devices Enrollment Mode, a Device Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll their devices. If Require Registration Token is enabled, the device can be registered with the token embedded in the message.

    For more information on Distinguished Name, search for Microsoft's TechNet article entitled "Object Naming" at https://technet.microsoft.com/.

  3. Select Save.

Add your Directory User Groups to Workspace ONE UEM using the Batch Import process

If you have many directory service user groups to add to Workspace ONE UEM you can save time by initiating a batch import process.

  1. Navigate to Accounts > User Groups > List View and select Add.
  2. Select Batch Import.
  3. Enter the basic information, including Batch Name and Batch Description, in the Workspace ONE UEM console.
  4. Under Batch File (.csv), select the Choose File button to locate and upload the completed CSV file.
    1. Alternately, select the link Download template for this batch type, save the comma-separated values (CSV) file, and use it to prepare a new import file.
    2. Open the CSV file, which has several columns corresponding to the settings that display on the Add User Group page. Columns marked with an asterisk are required and must contain data.
    3. Save the file.
    The last column heading in the CSV file template is labeled "GroupID/Manage(Edit and Delete)/Manage(Users and Enrollment)/UG assignment/Admin Inheritance." This column corresponds to the settings, and follows the logic, of the Permissions tab of the Edit User Group page.
  5. Select Import.

Merge and Sync Changes Between Your Directory Service Groups and Groups in Workspace ONE

Note:

You can set options to auto merge and sync changes between your directory service groups and groups in Workspace ONE Express and Workspace ONE UEM powered by AirWatch.

AD passwords are not stored in the Workspace ONE UEM database except the Bind account password used to link directory services into your Workspace ONE UEM environment.

The Bind account password is stored in an encrypted form in the database and is not accessible from the console. Unique session keys are used for each sync connection to the Active Directory server. This AD password storage arrangement is the same for Workspace ONE Express.

In some instances, global catalogs are used to manage multiple domains or AD Forests. Delays while searching for or authenticating users can be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results.

To integrate with the global catalog directly, configure the following settings:
  • Encryption Type = None
  • Port = 3268
  • Verify that your firewall allows for this traffic on port 3268.
Complete the following steps to auto merge and sync changes between your Directory Service Groups and Groups in the Workspace ONE UEM console.
  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
  2. If necessary, select 'Override' as the Current Setting so that changes can be made to this settings page.
  3. Ensure your organization's Directory Service is selected in the Directory Type.
  4. Select the Group tab. By default, only the Base DN information displays.
  5. For Base DN, select the Fetch DN plus sign (+) next to the Base DN setting to display a list of Base DNs. Populate this text box by selecting from the list.
    1. If a list of Base DNs does not display, revisit the settings you entered on the Server tab before continuing.
  6. Enter data in the following settings.
    Setting – Description
    Group Object Class – Enter the appropriate Object Class. In most cases this value should be group.
    Organizational Unit Object Class – Enter the appropriate Organizational Unit Object Class.
  7. To display more settings, select Advanced. Enter data in the following text boxes.
    Setting – Description
    Group Search Filter – Enter the search parameter used to associate user groups with directory service accounts.
    Auto Sync Default – Select this check box to automatically add or remove users in Workspace ONE UEM configured user groups based on their membership in your directory service.
    Auto Merge Default – Select this check box to automatically apply sync changes without administrative approval.
    Maximum Allowable Changes – Enter the maximum number of group membership changes to be merged into Workspace ONE UEM automatically. Any number of changes detected upon syncing with the directory service database under this number is merged automatically. If the number of changes exceeds this threshold, an administrator must manually approve the changes before they are applied. A single change is defined as a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much.
    Conditional Group Sync – Enable this option to sync group attributes only after changes occur in Active Directory. Disable this option to sync group attributes regularly, regardless of changes in Active Directory.
    Auto-Update Friendly Name – When enabled, the friendly name is updated with group name changes made in Active Directory. When disabled, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit (OU)-based user groups with the same common name.
    Attribute – Review and edit the Mapping Value for the listed Attribute, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default, these attributes are the values most commonly used in AD. Update these mapping values to reflect the values used by your own or other directory service types.
  8. Select Test Connection to verify connectivity.

    The server connection is tested for all the domains listed on the page, using the server name, bind user name, and the password provided by the administrator. You can rerun the test by clicking the Test Again button.

    From the User tab, you can perform the following actions:

    1. Select the Domain name from the drop-down menu.
    2. Enter the user's directory user name and select Check User. If the system finds a match, the user's information is auto-populated. The remaining settings in this section are only available after you have successfully located an Active Directory user with the Check User button.

    From the Group tab, you can perform the following actions:

    1. Select the External Type of the group you are adding.
      • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
      • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    2. Enter the directory user group name in the Search text.
    3. Directory Name is the pre-populated setting that identifies the Active Directory name.
    4. Select the Domain name from the drop-down menu.
    5. Group Base DN displays a list of Domain Names from which you can select.
    6. Select Check Group to verify the group information.
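The Auto Sync, Auto Merge and Maximum Allowable Changes settings described above (in both the Add User Group table and the Directory Services Group tab) amount to one decision per scheduled sync: diff directory membership against the UEM group, count each join or leave as one change, and either merge automatically or hold the batch for admin approval. The model below is an added illustration, not Workspace ONE UEM code; the membership snapshots are constructed, and treating a change count exactly equal to the threshold as "within" it is an assumption, since the page only says "under" and "exceeds".

```python
"""Model of the Auto Sync / Auto Merge / Maximum Allowable Changes decision.

Added example; not Workspace ONE UEM's implementation. Membership
snapshots are constructed sets of user names.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class SyncResult:
    joined: FrozenSet[str]          # users present in the directory but not in UEM
    left: FrozenSet[str]            # users present in UEM but gone from the directory
    change_count: int               # one change per join or leave (page's definition)
    auto_merged: bool               # True when the change set was applied without approval
    members: FrozenSet[str]         # UEM group membership after this sync
    needs_approval: bool            # True when changes are parked for an administrator


def diff_membership(directory: Iterable[str], uem: Iterable[str]):
    """Return (joined, left) relative to the current UEM group."""
    d, u = frozenset(directory), frozenset(uem)
    return d - u, u - d


def apply_sync(uem_members: Iterable[str], directory_members: Iterable[str],
               auto_sync: bool = True, auto_merge: bool = False,
               max_changes: int = 100) -> SyncResult:
    """Decide what a scheduled sync does to one user group.

    auto_sync=False  -> the group is skipped entirely (nothing detected).
    auto_merge=False -> changes are detected and held for admin approval.
    auto_merge=True  -> merged only while change_count <= max_changes
                        (assumption: a count equal to the threshold still merges).
    """
    uem = frozenset(uem_members)
    if not auto_sync:
        return SyncResult(frozenset(), frozenset(), 0, False, uem, False)
    joined, left = diff_membership(directory_members, uem)
    n = len(joined) + len(left)
    if auto_merge and n <= max_changes:
        return SyncResult(joined, left, n, True, (uem | joined) - left, False)
    # Either Auto Merge is off or the threshold was exceeded: the console
    # keeps the old membership and notifies an administrator to approve.
    return SyncResult(joined, left, n, False, uem, n > 0)


if __name__ == "__main__":
    r = apply_sync({"alice", "bob"}, {"alice", "carol", "dave"},
                   auto_merge=True, max_changes=2)
    print(f"{r.change_count} changes, auto_merged={r.auto_merged}, "
          f"needs_approval={r.needs_approval}")
```

A useful operational check is to alert on `needs_approval` syncs: a sudden membership diff far above the threshold on a group used for enrollment restriction or resource assignment is worth investigating before anyone approves it.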

Edit Your User Group Permissions

Fine-tuning user group permissions lets you control who inside your organization can edit certain groups. For example, if your organization has a user group for company executives, you might not want lower-level administrators to have management permissions for that user group. Use the Permissions page to control who can manage certain user groups and who can assign profiles, compliance policies, and applications to user groups.
  1. Navigate to Accounts > User Groups > List View.
  2. Select the Edit icon of an existing user group row.
  3. Select the Permissions tab, then select Add.
  4. Select the Organization Group you want to define permissions for. You must select an organization group (OG) that is within the root OG hierarchy of the user group.
  5. Select the Permissions you want to enable.
    • Manage Group (Edit/Delete) – Activate the ability to edit and delete user groups.
    • Manage Users Within Group and Allow Enrollment – Manage users within the user group and allow device enrollment in the OG. This setting can only be enabled when Manage Group (Edit/Delete) is also enabled. If Manage Group (Edit/Delete) is disabled, then this setting is also disabled.
    • Use Group For Assignment – Use the group to assign security policies and enterprise resources to devices. This setting can only be changed if Manage Group (Edit/Delete) is disabled. If Manage Group (Edit/Delete) is enabled, then this setting becomes locked and uneditable.
      • This setting is disabled when the user group is managed by a parent OG and you want to assign the group from one of its children OGs.
  6. Select the Scope of these permissions, that is, which groups of administrators are allowed to manage or use this user group. Only one of the following options may be active.
    • Administrator Only – The permissions affect only those administrators at the parent OG.
    • All Administrators at or below this Organization Group – The permissions affect the administrators in the OG and all administrators in all child OGs underneath.
  7. Select Save.