Workspace ONE UEM powered by AirWatch integrates with your organization's existing directory service – such as Active Directory, Lotus Domino, and Novell e-Directory – to provide directory-based account access. This type of account access lets users authenticate with Workspace ONE UEM apps and enroll devices using their existing directory service credentials.

Integrating with directory services eliminates the need to create basic user accounts in your organization. Such integration can also help simplify the enrollment process for end users by applying information they already know.

Ongoing LDAP synchronization detects any changes within the system. This synchronization performs necessary updates across all devices for affected users. In cases where administrative approval is required before changes occur, this synchronization obtains such approval.

You may also migrate Basic Users to LDAP Users, checking against existing directory users. For more information, please see the KB article: Migrating Basic users to Directory (AD) users.

Integrating Workspace ONE UEM with your directory service provides many benefits.

  • Conduct enrollment for both users and administrators.
  • Map directory groups to Workspace ONE UEM user groups.
  • Control UEM console access.
  • Apply existing credentials for VMware Content Locker access.
  • Assign apps, profiles, and policies by user group.
  • Automatically retire end users when they go inactive.

The following sections explain how to integrate your Workspace ONE UEM environment with your directory service of choice. Also, how to add directory user accounts to Workspace ONE UEM and how to integrate user groups in Workspace ONE UEM.

Requirements, Setup, and User Integration

Workspace ONE UEM supports integration with Lightweight Directory Access Protocol (LDAP)-based directory services.

  • Microsoft Active Directory Functional Level (2016, 2012, or 2008)
  • Lotus Domino
  • Novell e-Directory

The default port for an unencrypted LDAP communication is 389. Software as a Service (SaaS) environments can use SSL encrypted traffic using port 636.

  • Ensure the Directory Sync Service and the Scheduler Service are running on the same server, since they write to and read from the same queues.

You must designate an existing organization group (OG) as the primary root OG from which you manage devices and users.

Directory services (and VMware Enterprise Systems Connector when used) must be enabled in Workspace ONE UEM at the level of this root OG.

Directory User Group Integrations

If you have user groups in your active directory structure, you can make the same user groups in Workspace ONE UEM. Enable integrated updates so when you change your active directory user group assignments, those same changes get made in Workspace ONE UEM. For more information, see Directory User Group Integration.