You can enable Workspace ONE UEM to detect when a user account is disabled in your directory service and automatically set its associated Workspace ONE UEM user account to inactive.


  1. Navigate to Accounts > Users Settings > Directory Services.
  2. Select the User tab.
  3. Select the Advanced hyperlink to display the advanced configuration options.
  4. Enable the Automatically Sync Enabled Or Disabled User Status slider.
    1. For Value For Disabled Status, enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user’s status.
    2. Select “Flag Bit Match” if the user status is designated by a bitwise flag (which is the default for Active Directory).
      When Flag Bit Match is selected, the directory service considers the user to be disabled if any bits from the property match the value you enter.
    If you select this option, then Workspace ONE UEM administrators set as inactive in your directory service may not log in to the UEM console. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.
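
The difference the match type makes for Active Directory, as an added example that is not Workspace ONE UEM code or part of the original documentation. It assumes the status attribute is `userAccountControl`, that the value entered is 2 (the AD `ACCOUNTDISABLE` bit), and that the non-flag type compares the whole value; the function names and sample accounts are constructed for illustration.

```python
# Added illustration; not Workspace ONE UEM code. Attribute values are constructed.
ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl disable bit

def is_disabled(raw_value, configured_value, flag_bit_match):
    """Return True/False, or None if the attribute is missing or not numeric."""
    try:
        value = int(raw_value)
    except (TypeError, ValueError):
        return None
    if flag_bit_match:
        # Any bit shared between the attribute and the configured value counts.
        return (value & configured_value) != 0
    # Without Flag Bit Match (assumption): the whole value must be equal.
    return value == configured_value

def find_mismatches(entries, configured_value):
    """Accounts where the two match types disagree about disabled status."""
    out = []
    for name, raw in entries:
        bit = is_disabled(raw, configured_value, True)
        exact = is_disabled(raw, configured_value, False)
        if bit != exact:
            out.append((name, raw, bit, exact))
    return out

# Constructed sample: (sAMAccountName, userAccountControl as returned by LDAP)
SAMPLE = [
    ("alice", "512"),    # NORMAL_ACCOUNT, enabled
    ("bob", "514"),      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("carol", "66048"),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, enabled
    ("dave", "66050"),   # same as carol, plus ACCOUNTDISABLE
    ("svc-old", "2"),    # only the disable bit set
    ("erin", None),      # attribute missing from the entry
]

if __name__ == "__main__":
    for name, raw in SAMPLE:
        print(name, raw, is_disabled(raw, ACCOUNTDISABLE, True),
              is_disabled(raw, ACCOUNTDISABLE, False))
    for row in find_mismatches(SAMPLE, ACCOUNTDISABLE):
        print("missed by whole-value match:", row)
```

Under these assumptions, accounts such as `bob` and `dave` are disabled in the directory but would stay active, with their devices enrolled, if the value were compared as a whole number instead of as a flag.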