You can control how Workspace ONE UEM reacts when user accounts are removed or disabled in your directory service by using auto sync in the User tab of Directory Services. Auto sync monitors user statuses in Directory Services and when a user is removed from Directory Services, they are also removed from the associated AirWatch user group and unenrolled from the UEM console.

If you want to deactivate a user in AirWatch manually, regardless of what happens to their status in Directory Services, you can delete their UEM console user account. Do this by navigating to Accounts > Users > List View then locate the account you want to delete, select the account by clicking the check box to the left of its entry, select the More Actions button, select Delete, and then select Save at the Bulk Action Message screen, which serves as a delete confirmation.

Conversely, users that have been deactivated and then reactivated in your directory service are reactivated in the UEM console automatically.

Automatically Reactivating Workspace ONE UEM Users Upon Reactivation in Directory Service

When users deactivated in your directory service are later reactivated, Workspace ONE automatically reactivates their UEM console account. This feature is always on and requires no console setting. Also, the event log captures this event which can be referred to for troubleshooting purposes.

Perform Automatic Enterprise Wipe for Users That Do Not Belong to a User Group

You can automatically perform an enterprise wipe when users are removed from user groups. This check occurs at the same frequency as the Sync LDAP Groups scheduler task.

Note: The Restrict Enrollment To Configured Groups option means that enrollment is limited in the following ways.
  • Enrollment is limited to users belonging to any user group (All Groups).
  • Enrollment is limited to users belonging to a particular user group (Selected Groups).

For more information, refer to the Enabling Directory Service-Based Enrollment section of the VMware AirWatch Mobile Device Management Guide, available on docs.vmware.com.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Restrictions tab.
  2. Select the Restrict Enrollment to the Configured Groups option.
  3. If you want to enterprise wipe all devices not part of any user group automatically, then take the following steps.
    1. Select All Groups.
    2. Enable the Enterprise Wipe devices of users not belonging to the configured groups option.
  4. If you want to enterprise wipe all devices not part of only selected user groups automatically, then take the following steps.
    1. Choose Selected Groups and include the user group names.
    2. Enable the Enterprise Wipe devices of users not belonging to the configured groups option.
  5. Select Save.

Set all your Disabled Users accounts to Inactive

You can enable Workspace ONE UEM to detect when a user account is disabled in your directory service and automatically set its associated Workspace ONE UEM user account to inactive.

  1. Navigate to Accounts > Users Settings > Directory Services.
  2. Select the User tab.
  3. See advanced configuration options by selecting the Advanced hyperlink.
  4. Enable the Automatically Sync Enabled Or Disabled User Status slider.
    1. For Value For Disabled Status, enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user’s status.
    2. Select “Flag Bit Match” if the user status is designated by a bitwise flag (which is the default for Active Directory). When Flag Bit Match is selected, the directory service considers the user to be disabled if any bit of the attribute matches the value you enter.
    If you select this option, then Workspace ONE UEM administrators set as inactive in your directory service may not log in to the UEM console. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.
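The following Python model, added here as an illustration and not VMware code, shows how the status rules on this page fit together: the "Flag Bit Match" test against an LDAP status attribute, the auto-sync outcomes for users who are disabled, re-enabled or removed in the directory, and the enterprise wipe for users outside the configured groups. The `UemUser` structure, the `reconcile` function, the in-memory directory snapshot and the usernames are assumptions made for the example; the one real value is Active Directory's `userAccountControl` ACCOUNTDISABLE bit (0x2), used as the "Value For Disabled Status".

```python
from dataclasses import dataclass, field

# Active Directory stores account state as bit flags in userAccountControl.
# ACCOUNTDISABLE is bit 0x2; it is the natural "Value For Disabled Status"
# when Flag Bit Match is selected. NORMAL_ACCOUNT (0x200) is usually also set,
# so a disabled AD user typically carries 0x202 rather than a bare 0x2.
AD_ACCOUNTDISABLE = 0x2


def is_disabled(attr_value, disabled_value, flag_bit_match=True):
    """Decide whether a directory user is disabled.

    flag_bit_match=True mirrors the Flag Bit Match option: the user is
    disabled if ANY bit of disabled_value is set in the attribute.
    flag_bit_match=False treats the attribute as a plain value that must
    equal disabled_value exactly (for example a custom integer status field).
    """
    try:
        value = int(attr_value)
    except (TypeError, ValueError):
        # Missing or non-numeric attribute: nothing proves the user is
        # disabled, so do not deactivate on bad data.
        return False
    if flag_bit_match:
        return (value & disabled_value) != 0
    return value == disabled_value


@dataclass
class UemUser:
    """Minimal stand-in for a UEM console user account (assumed structure)."""
    username: str
    active: bool = True
    enrolled_devices: list = field(default_factory=list)
    groups: set = field(default_factory=set)


def reconcile(uem_users, directory_entries, restrict_groups=None, wipe_outside_groups=False):
    """Apply the page's sync rules to UEM accounts and return the actions taken.

    directory_entries: username -> {"userAccountControl": int, "memberOf": set}.
    A username absent from directory_entries counts as removed from the directory.
    restrict_groups: None (no restriction), "ALL" (All Groups) or a set of
    group names (Selected Groups); wipe_outside_groups mirrors the
    "Enterprise Wipe devices of users not belonging to the configured groups" option.
    """
    actions = {}
    for user in uem_users:
        entry = directory_entries.get(user.username)
        if entry is None:
            # Removed from the directory: drop group membership and unenroll.
            user.groups.clear()
            unenrolled = list(user.enrolled_devices)
            user.enrolled_devices.clear()
            user.active = False
            actions[user.username] = {"removed": True, "unenrolled": unenrolled}
            continue
        # Auto Sync Default: group membership follows the directory.
        user.groups = set(entry.get("memberOf", set()))
        act = {}
        disabled = is_disabled(entry.get("userAccountControl"), AD_ACCOUNTDISABLE)
        if disabled and user.active:
            # Disabled in the directory: set inactive and unenroll devices.
            user.active = False
            act["set_inactive"] = True
            act["unenrolled"] = list(user.enrolled_devices)
            user.enrolled_devices.clear()
        elif not disabled and not user.active:
            # Re-enabled in the directory: reactivate automatically.
            user.active = True
            act["reactivated"] = True
        # Enterprise wipe for active users outside the configured groups.
        if wipe_outside_groups and restrict_groups is not None and user.active:
            if restrict_groups == "ALL":
                in_scope = bool(user.groups)
            else:
                in_scope = bool(user.groups & restrict_groups)
            if not in_scope and user.enrolled_devices:
                act["enterprise_wipe"] = list(user.enrolled_devices)
                user.enrolled_devices.clear()
        actions[user.username] = act
    return actions


def demo():
    """Run one sync over constructed sample data (not real accounts)."""
    users = [
        UemUser("alice", enrolled_devices=["dev-1"], groups={"Sales"}),
        UemUser("bob", enrolled_devices=["dev-2"], groups={"Sales"}),
        UemUser("carol", active=False, groups={"Eng"}),
        UemUser("dave", enrolled_devices=["dev-3"], groups={"Sales"}),
    ]
    directory = {  # constructed snapshot; dave is absent, i.e. removed
        "alice": {"userAccountControl": 0x200, "memberOf": {"Sales"}},
        "bob": {"userAccountControl": 0x202, "memberOf": {"Sales"}},
        "carol": {"userAccountControl": 0x200, "memberOf": {"Eng"}},
    }
    return users, reconcile(users, directory, restrict_groups={"Eng"}, wipe_outside_groups=True)


if __name__ == "__main__":
    for name, act in demo()[1].items():
        print(name, act)
```

The `demo()` run illustrates the four outcomes at once: alice stays active but is outside the selected group and so gets an enterprise wipe, bob is disabled (0x202 has the 0x2 bit set) and is set inactive with devices unenrolled, carol is reactivated, and dave, absent from the directory, is removed and unenrolled. The `is_disabled` guard for a missing attribute matters in practice: a sync that treats an unreadable attribute as "disabled" would unenroll an entire population on a transient directory error.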

Remove Users From User Groups Based on the Directory Service Group Membership

You can enable Workspace ONE UEM and Workspace ONE Express to detect when a directory service user account is removed and automatically remove its associated user account from the associated group.

  1. Navigate to Accounts > User Groups > Settings > Directory Services.
  2. Select the Group tab.
  3. See advanced configuration options by selecting the Advanced drop-down.
  4. Select the Auto Sync Default check box to add and remove users in user groups automatically based on membership in directory service.