Integrating Workspace ONE UEM with your Directory Services

Workspace ONE UEM powered by AirWatch integrates with your existing directory service – such as Active Directory, Lotus Domino, and Novell e-Directory – to provide directory-based account access. This type of account access lets users authenticate with Workspace ONE UEM apps and enroll devices using their existing directory service credentials.

Integrating with directory services removes the need to maintain separate basic user accounts in your organization. It also simplifies enrollment for end users, who can sign in with credentials they already know.

Ongoing LDAP synchronization detects changes in the directory and pushes the necessary updates to all devices belonging to the affected users. Where administrative approval is required before a change takes effect, the synchronization requests that approval first.

You can also migrate Basic Users to LDAP Users, checking against existing directory users. For more information, see the KB article: Migrating Basic users to Directory (AD) users in

Integrating Workspace ONE UEM with your directory service provides many benefits.

  • Conduct enrollment for both users and administrators.
  • Map directory groups to Workspace ONE UEM user groups.
  • Control UEM console access.
  • Apply existing credentials for VMware Content Locker access.
  • Assign apps, profiles, and policies by user group.
  • Automatically retire end users when they go inactive.

The following sections explain how to integrate your Workspace ONE UEM environment with your directory service of choice, how to add directory user accounts to Workspace ONE UEM, and how to integrate user groups in Workspace ONE UEM.

Requirements, Setup, and User Integration

Workspace ONE UEM supports integration with Lightweight Directory Access Protocol (LDAP) based directory services.

  • Microsoft Active Directory Functional Level (2016, 2012, or 2008)
  • Lotus Domino
  • Novell e-Directory

The default port for unencrypted LDAP communication is 389. Software as a Service (SaaS) environments can use SSL-encrypted LDAP traffic on port 636.

  • Ensure the Directory Sync Service and the Scheduler Service are running on the same server, since they write to and read from the same queues.

You must designate an existing organization group (OG) as the primary root OG from which you manage devices and users.

Directory services (and VMware Enterprise Systems Connector when used) must be enabled in Workspace ONE UEM at the level of this root OG.
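The requirements above (encryption matching the LDAP port, the Directory Sync Service and Scheduler Service on one server, directory services enabled at the root OG) can be turned into a preflight check that an administrator runs before enabling the integration. The following is an added example, not code from Workspace ONE UEM; the `DirectoryIntegration` field names and the two sample configurations are assumptions constructed for illustration, not console settings.

```python
from dataclasses import dataclass

# Ports stated in the documentation: 389 for plain LDAP, 636 for SSL-encrypted LDAP.
LDAP_PORT = 389
LDAPS_PORT = 636


@dataclass
class DirectoryIntegration:
    """Hypothetical view of the settings an administrator fills in.
    Field names are assumptions, not Workspace ONE UEM console labels."""
    ldap_host: str
    ldap_port: int
    use_ssl: bool
    sync_service_host: str       # server running the Directory Sync Service
    scheduler_service_host: str  # server running the Scheduler Service
    root_og_enabled: bool        # directory services enabled at the root OG


def preflight(cfg: DirectoryIntegration) -> list:
    """Return findings: ERROR blocks the setup, WARN is a risk to review."""
    findings = []
    # Port and encryption must agree: 636 implies SSL, 389 implies plaintext.
    if cfg.ldap_port == LDAPS_PORT and not cfg.use_ssl:
        findings.append("ERROR: port 636 is the LDAPS port but SSL is disabled")
    if cfg.ldap_port == LDAP_PORT and cfg.use_ssl:
        findings.append("ERROR: SSL enabled on port 389; use port 636 for SSL")
    if not cfg.use_ssl:
        findings.append("WARN: bind credentials and sync traffic cross the network unencrypted")
    # Both services read and write the same queues, so they must be co-located.
    if cfg.sync_service_host.lower() != cfg.scheduler_service_host.lower():
        findings.append("ERROR: Directory Sync Service and Scheduler Service must run on the same server")
    if not cfg.root_og_enabled:
        findings.append("ERROR: directory services must be enabled at the root OG")
    return findings


# Constructed sample configurations: a weak one and its corrected form.
WEAK = DirectoryIntegration("dc01.corp.example", 389, False, "uem-app01", "uem-app02", True)
HARDENED = DirectoryIntegration("dc01.corp.example", 636, True, "uem-app01", "uem-app01", True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, preflight(cfg) or ["OK"])
```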

Directory User Group Integrations

If you have user groups in your Active Directory structure, you can create the same user groups in Workspace ONE UEM. Enable integrated updates so that when you change your Active Directory user group assignments, the same changes are applied in Workspace ONE UEM. For more information, see Managing Directory User Group Integration in Workspace ONE UEM.

FedRAMP Consideration

The NIST Special Publication 800-47 Rev.1: Managing the Security of Information Exchanges defines a system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.

Connecting IT systems with one another is a customer-configured capability. Before you connect IT systems in Workspace ONE Unified Endpoint Management (UEM), discuss the risks of connecting non-FedRAMP-accredited information systems with your Authorizing Official. Workspace ONE on AWS GovCloud (and by extension, Workspace ONE UEM itself) is a FedRAMP Moderate accredited information system. When you connect information systems to other systems with different security requirements and controls, carefully consider the risks.

Contact the Federal Support line (877-869-2730, OPTION 2) or submit a support request using My Workspace ONE for more details and to enable customer-controlled third-party connections to other systems.
