After entering server settings, you can filter searches to identify users and map values between Workspace ONE user attributes and your directory attributes.

Procedure

  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
  2. Select the User tab. By default, only the Base DN information displays.
  3. Select the Fetch DN plus sign (+) next to the Base DN column.
    This plus sign displays a list of Base DNs from which you can select to populate this text box. If it does not, revisit the settings you entered on the Server tab before continuing.
  4. Enter data in the following settings.
    User Object Class: Enter the appropriate object class. In most cases, this value is "user". (In Active Directory, computer objects also carry objectClass=user; the recommended AD search filter below adds objectCategory=person to exclude them.)
    User Search Filter: Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}", where <LDAPUserIdentifier> is the attribute used on the directory services server to identify the specific user and {EnrollmentUser} is the placeholder that Workspace ONE UEM replaces with the enrolling user's name.
    • For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.
    • For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}".
  5. Display more settings by selecting Show Advanced.
    Auto Merge: Enable this setting to allow user group updates from your directory service to merge automatically with the associated users and groups in Workspace ONE UEM.
    Automatically Sync Enabled Or Disabled User Status: Select Enabled to deactivate the associated user in Workspace ONE UEM when that user is disabled in your LDAP directory service (for example, Active Directory, Novell eDirectory, and so on).

    • Value For Disabled Status: Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user’s status. Select “Flag Bit Match” if the user status is designated by a bitwise flag (the default for Active Directory). When “Flag Bit Match” is selected, Directory Services considers the user disabled if any bit in the attribute value matches the given value, so enter only the bit that means "disabled": in Active Directory that is the ACCOUNTDISABLE flag of userAccountControl, decimal 2 (0x0002). A value that also contains other bits (for example 512, NORMAL_ACCOUNT) would match every ordinary account.

      Note: If you select this option and you disable users in your directory service, the corresponding user account in Workspace ONE UEM is marked inactive and those administrators and users can no longer log in. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.
    Enable Custom Attributes: Enable custom attributes. Custom Attributes is a section that appears under the main Attribute/Mapping Value table; scroll to the bottom of the page to see it.
    Attributes: Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default, these are the attribute names most commonly used in Active Directory (AD). Update the mapping values to reflect the attribute names used by your own directory service type. If you add or remove a custom attribute, initiate a manual sync afterward by selecting the Sync Attributes button.
    Sync Attributes button: Manually sync the attributes mapped here to the user records in Workspace ONE UEM. Otherwise, attributes sync automatically on the schedule configured for the Workspace ONE UEM environment.
  6. Select Test Connection to verify connectivity.

    The server connection is tested for every domain listed on the page, using the server name, bind user name, and password provided by the administrator. The bind account only needs read access to the user and group containers being searched, so use a dedicated low-privilege account rather than an administrative one. You can rerun the test by clicking the Test Again button.

    From the User tab, you can perform the following actions:

    1. Select the Domain name from the drop-down menu.
    2. Enter the user's directory user name and select Check User. If the system finds a match, the user's information is auto-populated. The remaining settings in this section are available only after you have successfully located a directory user with the Check User button.

    From the Group tab, you can perform the following actions:

    1. Select the External Type of the group you are adding.
      • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
      • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    2. Enter the directory user group name in the Search text.
    3. Directory Name is the pre-populated setting that identifies the Active Directory name.
    4. Select the Domain name from the drop-down menu.
    5. Group Base DN displays a list of base distinguished names (DNs) from which you can select.
    6. Select Check Group to verify the group information.
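As an added example that is not part of the original page or of Workspace ONE UEM, the following Python applies two of the rules from the procedure above to constructed sample data: the Active Directory User Search Filter from step 4, with the {EnrollmentUser} placeholder substituted using RFC 4515 escaping so that a crafted enrollment name cannot add or remove filter terms, and the Flag Bit Match rule for Value For Disabled Status from step 5. The sample entries, the local filter evaluation and all function names are assumptions for illustration; the userAccountControl bit values (ACCOUNTDISABLE = 0x2, NORMAL_ACCOUNT = 0x200) are Active Directory facts the page does not state.

```python
# Added example, not Workspace ONE UEM code. Applies the page's User Search
# Filter and "Flag Bit Match" rules to constructed sample directory entries.

# RFC 4515 escaping for values placed inside an LDAP search filter: the
# characters that would change the filter's structure become \xx hex escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Filter templates from the page (AD form and the generic UID form).
AD_USER_FILTER = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))"
GENERIC_UID_FILTER = "(uid={EnrollmentUser})"


def build_search_filter(template: str, enrollment_user: str) -> str:
    """Substitute {EnrollmentUser} into a filter template with escaping applied."""
    return template.replace("{EnrollmentUser}", escape_filter_value(enrollment_user))


# Active Directory userAccountControl bits used below (AD facts, not from the page).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000


def is_disabled_flag_bit_match(attribute_value: int, disabled_value: int) -> bool:
    """Flag Bit Match as the page describes it: the user is disabled if any bit
    of the attribute value matches the configured Value For Disabled Status."""
    return (attribute_value & disabled_value) != 0


# Constructed sample entries standing in for search results; not real directory data.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "svc-backup", "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "WS-1001$", "objectCategory": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]


def matches_ad_user_filter(entry: dict, enrollment_user: str) -> bool:
    """Local stand-in for the server-side evaluation of AD_USER_FILTER:
    objectCategory=person AND sAMAccountName equals the enrolling user
    (AD compares sAMAccountName case-insensitively)."""
    return (entry["objectCategory"] == "person"
            and entry["sAMAccountName"].lower() == enrollment_user.lower())


def find_user(entries, enrollment_user: str):
    """Return the matching entry, or None (what Check User reports as no match)."""
    for entry in entries:
        if matches_ad_user_filter(entry, enrollment_user):
            return entry
    return None


def users_to_deactivate(entries, disabled_value: int = ACCOUNTDISABLE):
    """Person entries the status sync would mark inactive in UEM for a given
    Value For Disabled Status under the any-bit rule."""
    return [e["sAMAccountName"] for e in entries
            if e["objectCategory"] == "person"
            and is_disabled_flag_bit_match(e["userAccountControl"], disabled_value)]


if __name__ == "__main__":
    print(build_search_filter(AD_USER_FILTER, "alice"))
    # A crafted name is neutralised: the parentheses and * are escaped.
    print(build_search_filter(AD_USER_FILTER, "alice)(objectClass=*"))
    print(users_to_deactivate(SAMPLE_ENTRIES))                  # ['bob']
    print(users_to_deactivate(SAMPLE_ENTRIES, NORMAL_ACCOUNT))  # ['alice', 'bob', 'svc-backup']
```

The last two calls show why the numeric value matters under the any-bit rule: a value of 2 deactivates only the account whose ACCOUNTDISABLE bit is set, whereas a value such as 512 also matches every ordinary account, which, given the note in step 5, would deactivate those users and unenroll their devices.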