Every directory user you want to manage through Workspace ONE UEM must have a corresponding user account in the UEM console. You can directly add your existing directory services users to Workspace ONE UEM.

To directly add your existing directory services users to Workspace ONE UEM, you can choose one of the following methods.

  • Batch upload a file containing all your directory services users. The act of batch importing automatically creates a user account.
  • Create user accounts one at a time by entering the directory user name and selecting Check User to auto-populate remaining details.
  • Do not import in bulk nor manually create user accounts and instead allow all directory users to self-enroll at enrollment time.

A fourth option, applying Workspace ONE UEM user groups linked to directory service groups, is explained in the next section. This option can be used with these methods or by itself.

Note: For information about how these methods affect various directory services enrollment options, refer to the VMware AirWatch Mobile Device Management Guide, available on docs.vmware.com.

There are other considerations for the self-enrollment option.

  • Pros – Requires the least amount of effort while still supporting the ability to sync changes to user attributes that are made in your directory service. Self-enrollment also creates a Workspace ONE UEM user account.

  • Cons – Does not allow you to restrict the enrollment to specific users or user groups. This lack of restriction means that any directory user with a valid email address can enroll a device.

Managing Directory Service Users in Workspace ONE UEM

If you choose to use directory services in Workspace ONE UEM, note the following.

  • Directory users can only be created at the same level as the organization group (OG) where directory services settings are enabled. You can see users at the organization group level where they have a device enrolled. However, users can only be managed at the same level as the directory service settings.
  • To delete or edit a user account, you must be at the same level as the directory services settings.
  • To add a device to an existing Workspace ONE UEM user account, you must be at a lower level than the root OG where directory services are enabled.

Adding your Directory Users Into Workspace ONE UEM

You can add directory users into Workspace ONE UEM one at a time or use a batch import process. Adding individual directory users one at a time is ideal for when you have a few users to add. It is preferable to batch import directory users when you have multiple users to add.

Using the batch import method means uploading a list of directory services users in a CSV (comma-separated values) template file, which has specific columns. To make converting your existing directory service user data easier, consider mapping the text boxes Workspace ONE UEM requires to existing attributes in your database. You can then use custom queries to create a spreadsheet which you can copy and paste.

  • Pros – This option creates Workspace ONE UEM user accounts, which enable you to use enrollment options that require user accounts, such as registration tokens. If you have users not included in Mobile Device Management (MDM), you can omit them from the CSV file. Such omission restricts an enrollment to only known users.
  • Cons – Back-end configuration is required to automate the creation of a CSV batch file that can be used to upload users. The alternative is to enter each user manually. Manual entry means that user assignment to organization groups must be thought out beforehand to ensure proper profile, policy, content, and app assignments.

Add Individual Directory Users to Workspace ONE UEM

Workspace ONE UEM enables you to add directory users in small numbers or if you have a 'one-off' addition to make.

  1. Navigate to Accounts > Users > List View and select Add and then Add User. The Add / Edit User page displays.
  2. In the General tab, complete the following settings to add a directory user.
    Security Type – Add an Active Directory user by choosing Directory as the Security Type.
    Directory Name – This pre-populated setting identifies the Active Directory name.
    Domain – Choose the domain name from the drop-down menu.
    User name – Enter the user's directory user name and select Check User. If the system finds a match, the user's information is automatically populated. The remaining settings in this section are only available after you have successfully located an Active Directory user with the Check User button.
    Full Name – Use Edit Attributes to allow any option that syncs a blank value from the directory to be edited. Edit Attributes also enables you to populate the matching user's information automatically. If a setting syncs an actual value from the directory, then that setting must be edited in the directory itself; the change takes effect on the next directory sync. Complete any blank option returned from the directory in Full Name and select Edit Attributes to save the addition.
    Display Name – Enter the name that displays in the admin console.
    Email Address – Enter or edit the user's email address.
    Email user name – Enter or edit the user's email user name.
    Domain (email) – Select the email domain from the drop-down menu.
    Phone Number – Enter the user's phone number including plus sign, country code, and area code. If you intend to use SMS to send notifications, the phone number is required.
    Enrollment Organization Group – Select the organization group into which the user enrolls.
    Allow the user to enroll into additional Organization Groups – Choose whether or not to allow the user to enroll into more than one organization group. If you select Enabled, then complete the Additional Organization Groups setting.
    User Role – Select the role for the user you are adding from this drop-down menu.
    Message Type – Choose the type of message you may send to the user: Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number text box.
    Message Template – Choose the template for email or SMS messages from this drop-down setting. Optionally, select Message Preview to preview the template and select the Configure Message Templates link to create a template.
  3. (Optional) Select the Advanced tab and complete the following settings.
    Email Password – Enter the email password of the user you are adding.
    Confirm Email Password – Confirm the email password of the user you are adding.
    Distinguished Name – For directory users recognized by Workspace ONE UEM, this text box is pre-populated with the distinguished name of the user. Distinguished Name is a string representing the user name and all authorization codes associated with an Active Directory user.
    Manager Distinguished Name – Enter the distinguished name of the user's manager. This text box is optional.
    Category – Choose the user category for the user being added.
    Department – Enter the user's department for your company's administrative purposes.
    Employee ID – Enter the user's employee ID for your company's administrative purposes.
    Cost Center – Enter the user's cost center for your company's administrative purposes.
    Custom Attribute 1–5 (for Directory users only) – Enter your previously configured custom attributes, where applicable. You may define these custom attributes by navigating to Groups & Settings > All Settings > Devices & Users > Advanced > Custom Attributes.
    Note: Custom attributes can be configured only at Customer organization groups.
    Use S/MIME – Enable or disable the use of Secure/Multipurpose Internet Mail Extensions (S/MIME). If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate by selecting Upload.
    Separate Encryption Certificate – Enable or disable the use of a separate encryption certificate. If enabled, you must upload an encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing and encryption, unless a different certificate is expressly being used.
    Old Encryption Certificate – Enable or disable a legacy version encryption certificate. If enabled, you must Upload an encryption certificate.
    Enable Device Staging – Enable or disable the staging of devices. If enabled, you must choose between Single User Devices and Multi User Devices. If Single User Devices, you must select between Standard, where users themselves log in, and Advanced, where a device is enrolled on behalf of another user.

  4. Select Save to save only the new user or select Save and Add Device to save the new user and proceed to the Add Device page.

Batch Import your Directory Users

If you have many directory users to add to Workspace ONE UEM, you can save time by initiating a batch import process.

  1. Navigate to Accounts > Users > Batch Status or Devices > Lifecycle > Enrollment Status > Add and select Batch Import.
  2. Enter the basic information including a Batch Name and Batch Description.
  3. Select the applicable batch type from the Batch Type drop-down menu.
  4. Select and download the template that best matches the kind of batch import you are making.
    • Blacklisted Devices

      Import a list of known, non-compliant devices by IMEI, Serial Number, or UDID. Blacklisted devices are not allowed to enroll. If a blacklisted device attempts to enroll, it is automatically blocked.

    • Whitelisted Devices

      Import pre-approved devices by IMEI, Serial Number, or UDID. Use this template to import a list of known, trusted devices. The ownership and group ID associated to this device is automatically applied during enrollment.

    • User and/or Device

      Select between a Simple and an Advanced CSV template. The simple template features only the most often-used options, while the advanced template features the full, unabridged complement of import options.

    • Change Organization Group

      Move users to a different organization group.

  5. Open the CSV file. The CSV file features several columns corresponding to the options on the Add / Edit User page. When you open the CSV template, notice that sample data has been added to each column in the template. The sample data is presented to inform you what kind of data is required and what format it must be in. Do not stray from the format presented by the sample data.
    Note:
    A CSV file (comma-separated values) is simply a text file whose extension has been changed from "TXT" to "CSV". It stores tabular data (text and numbers) in plain text. Each line of the file is a data record. Each record consists of one or more fields, separated by commas. It can be opened and edited with any text editor. It can also be opened and edited with Microsoft Excel.
    Confirm whether or not users are part of the enrollment organization group (OG): navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Grouping tab. If the Group ID Assignment Mode is set to Default, your users are part of the enrollment OG. For a directory-based enrollment, the Security Type for each user must be Directory.
  6. Enter data for your organization's users, including device information (if applicable) and save the file.
  7. Return to the Batch Import page and select Choose File to locate and upload the CSV file that you had previously downloaded and filled out.
  8. Select Save.
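The batch-import procedure above leaves the CSV itself to the administrator. The following Python script, added here as an illustration and not part of the VMware documentation, shows one way to map a custom directory query onto the template columns, omit accounts that are not in scope for MDM (which is what restricts enrollment to known users), and sanity-check the rows before upload. The column headers and the directory records are constructed placeholders: take the real headers from the Simple or Advanced template you downloaded and keep its sample-data format.

```python
"""Build and sanity-check a Workspace ONE UEM batch-import CSV from directory data.

Added example, not VMware's own code. COLUMNS holds hypothetical header names;
replace them with the headers of the template downloaded from the Batch Import page.
"""
import csv
import io
import re

# Hypothetical header names (assumption); the real template defines the actual ones.
COLUMNS = ["UserName", "SecurityType", "FirstName", "LastName", "Email", "GroupID"]

# Minimal shape check: self-enrollment and messaging both rely on a usable address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of directory records, as a custom query might return them.
DIRECTORY_ROWS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "svc-backup", "givenName": "", "sn": "", "mail": ""},  # service account
    {"sAMAccountName": "asmith", "givenName": "Al", "sn": "Smith", "mail": "asmith@example.com"},
]

# Only these accounts are managed by MDM; everyone else is left out of the file.
MDM_USERS = {"jdoe", "asmith"}


def map_record(rec, group_id):
    """Map one directory record onto the (hypothetical) template columns."""
    return {
        "UserName": rec["sAMAccountName"],
        "SecurityType": "Directory",  # required for directory-based enrollment
        "FirstName": rec.get("givenName", ""),
        "LastName": rec.get("sn", ""),
        "Email": rec.get("mail", ""),
        "GroupID": group_id,
    }


def build_rows(records, in_scope, group_id):
    """Keep only in-scope accounts so the upload cannot enroll unknown users."""
    return [map_record(r, group_id) for r in records if r["sAMAccountName"] in in_scope]


def validate_rows(rows):
    """Return (UserName, problem) tuples; an empty list means the file is clean."""
    problems = []
    seen = set()
    for row in rows:
        name = row["UserName"]
        if row["SecurityType"] != "Directory":
            problems.append((name, "SecurityType must be Directory"))
        if not EMAIL_RE.match(row["Email"]):
            problems.append((name, "missing or malformed Email"))
        if name.lower() in seen:
            problems.append((name, "duplicate UserName"))
        seen.add(name.lower())
    return problems


def to_csv(rows):
    """Serialize the rows with the template header as the first line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_rows(DIRECTORY_ROWS, MDM_USERS, "ExampleOG")
    issues = validate_rows(rows)
    if issues:
        for name, why in issues:
            print(f"{name}: {why}")
    else:
        print(to_csv(rows))
```

Run the validation before every upload: a row that fails it is still accepted by a text editor, but it produces an account that cannot receive the enrollment message or that enrolls into the wrong organization group.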

Filter Your Searches to Map the Directory Services User Information

After entering server settings, you can filter searches to identify users and map values between Workspace ONE user attributes and your directory attributes.
  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
  2. Select the User tab. By default, only the Base DN information displays.
  3. Select the Fetch DN plus sign (+) next to the Base DN column. This plus sign displays a list of Base DNs from which you can select to populate this text box. If it does not, revisit the settings you entered on the Server tab before continuing.
  4. Enter data in the following settings.
    User Object Class – Enter the appropriate Object Class. In most cases, this value is "user."
    User Search Filter – Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}", where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user.
    • For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.
    • For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}".
  5. Display more settings by selecting Show Advanced.
    Auto Merge – Enable this setting to allow user group updates from your directory service to merge automatically with the associated users and groups in Workspace ONE UEM.
    Automatically Sync Enabled Or Disabled User Status – Select Enabled to deactivate the associated user in Workspace ONE UEM when that user is disabled in your LDAP directory service (for example, Active Directory, Novell eDirectory, and so on).
    • Value For Disabled Status – Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user's status. Select "Flag Bit Match" if the user status is designated by a bitwise flag (which is the default for Active Directory). When "Flag Bit Match" is selected, Directory Services considers the user to be disabled if any bits from the property match the given value.

      Note: If you select this option and you disable users in your directory service, the corresponding user account in Workspace ONE UEM is marked inactive and those administrators and users are not able to log in. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.
    Enable Custom Attributes – Enable custom attributes. Custom Attributes is a section that appears under the main Attribute Mapping Value table. You must scroll down to the bottom of the page to see the Custom Attributes.
    Attributes – Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in Active Directory (AD). Update these mapping values to reflect the values used for your own or other directory service types. If you add or remove a custom attribute, you should initiate a manual sync afterward by selecting the Sync Attributes button.
    Sync Attributes button – Manually sync the attributes mapped here to the user records in Workspace ONE UEM. Attributes sync automatically on the time schedule configured for the Workspace ONE UEM environment.
  6. Select Test Connection to verify connectivity.

    The server connection is tested for all the domains listed on the page, using the server name, bind user name, and the password provided by the administrator. You can rerun the test by clicking the Test Again button.

    From the User tab, you can perform the following actions:

    1. Select the Domain name from the drop-down menu.
    2. Enter the user's directory user name and select Check User. If the system finds a match, the user's information is auto-populated. The remaining settings in this section are only available after you have successfully located an Active Directory user with the Check User button.

    From the Group tab, you can perform the following actions:

    1. Select the External Type of the group you are adding.
      • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
      • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    2. Enter the directory user group name in the Search text.
    3. Directory Name is the pre-populated setting that identifies the Active Directory name.
    4. Select the Domain name from the drop-down menu.
    5. Group Base DN displays a list of Domain Names from which you can select.
    6. Select Check Group to verify the group information.
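Two of the settings above are easy to misread: the {EnrollmentUser} placeholder in the User Search Filter (step 4) is filled with a name typed at enrollment time, and Value For Disabled Status with "Flag Bit Match" (step 5) is a bitwise test rather than an equality. The Python script below, added as an illustration and not VMware's own code, models both: it substitutes the enrollment name into the page's filter templates with RFC 4515 escaping, so a name containing filter metacharacters is matched literally instead of rewriting the query, and it applies the any-bit-matches rule to a constructed set of directory entries to show which users a status sync would mark inactive. The entries are constructed; the userAccountControl attribute and its ACCOUNTDISABLE bit (0x2) are standard Active Directory values and are not taken from this page.

```python
"""Search-filter substitution and disabled-status evaluation for directory users.

Added example, not VMware's code. Models the User Search Filter placeholder and
the "Flag Bit Match" rule from the Directory Services User tab. Directory entries
are constructed; userAccountControl / ACCOUNTDISABLE (0x2) are standard AD values.
"""

# Filter templates exactly as the settings table gives them.
AD_FILTER = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))"
LDAP_FILTER = "UID={EnrollmentUser}"

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

ACCOUNTDISABLE = 0x2  # userAccountControl bit Active Directory sets on disabled accounts


def escape_filter_value(value):
    """Escape a user-supplied value so the server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, enrollment_user):
    """Substitute the escaped enrollment user name into the configured template."""
    return template.replace("{EnrollmentUser}", escape_filter_value(enrollment_user))


def is_disabled_flag_bit_match(status_value, disabled_value):
    """Flag Bit Match: disabled if any configured bit is set in the attribute value."""
    return (int(status_value) & disabled_value) != 0


def is_disabled_exact_match(status_value, disabled_value):
    """Plain numeric comparison, for directories that store status as a single value."""
    return int(status_value) == disabled_value


# Constructed sample entries keyed by sAMAccountName.
DIRECTORY = {
    "jdoe":   {"userAccountControl": 512},    # NORMAL_ACCOUNT
    "asmith": {"userAccountControl": 514},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "bjones": {"userAccountControl": 66050},  # DONT_EXPIRE_PASSWD | NORMAL_ACCOUNT | ACCOUNTDISABLE
}


def sync_user_status(entries, disabled_value=ACCOUNTDISABLE, attribute="userAccountControl"):
    """Return the UEM status each directory user would receive after a status sync."""
    return {
        name: "inactive" if is_disabled_flag_bit_match(attrs[attribute], disabled_value) else "active"
        for name, attrs in entries.items()
    }


if __name__ == "__main__":
    print(build_search_filter(AD_FILTER, "jdoe"))
    # Metacharacters in the typed name are escaped, so the filter structure is unchanged.
    print(build_search_filter(AD_FILTER, "j(doe)*"))
    for name, status in sync_user_status(DIRECTORY).items():
        print(f"{name}: {status}")
```

Note that with the default value 2, an entry whose userAccountControl is 66050 is still reported inactive because bit 0x2 is set; an exact-match comparison against 2 would miss it, which is why "Flag Bit Match" is the right type for Active Directory.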

Directory Service User Self-Enrollment

User Self-Enrollment uses your existing directory service environment to auto-discover users based on their email addresses.

You can enable all your directory users to enroll themselves based on their email addresses. This option requires the least amount of effort while retaining the ability to sync user attributes. However, you are unable to restrict the enrollment to specific users or user groups.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Restrictions tab.
  2. Scroll to the Enrollment Restrictions section of this page. Ensure that Restrict Enrollment To Known Users and Restrict Enrollment To Configured Groups check boxes are both deselected.

    When deselected, all directory users and user group members (as configured in the directory services settings page) are allowed to enroll with a valid email address.

Note: For additional information about enrolling with directory services integration, refer to "Device Enrollment" in the VMware AirWatch Mobile Device Management Guide, available on docs.vmware.com.