Deactivate and Reactivate your Users Automatically

You can control how Workspace ONE UEM reacts when user accounts are removed or deactivated in your directory service by using auto sync in the User tab of Directory Services. Auto sync monitors user status in the directory service; when a user is removed from the directory, that user is also removed from the associated UEM user group and their devices are unenrolled from the UEM console.

If you want to deactivate a user in UEM manually, regardless of their status in the directory service, you can delete their UEM console user account. Navigate to Accounts > Users > List View, locate the account you want to delete, select it by clicking the check box to the left of its entry, select More Actions > Delete, and then select Save on the Bulk Action Message screen, which serves as the delete confirmation.

Conversely, users that are deactivated and then reactivated in your directory service reactivate in the UEM console automatically.

Automatically Reactivating Workspace ONE UEM Users Upon Reactivation in Directory Service

When users deactivated in your directory service are later reactivated, Workspace ONE automatically reactivates their UEM console account. This feature is always on and requires no console setting. Also, the event log captures this event which you can use for troubleshooting purposes.

Perform Automatic Enterprise Wipe for Users That Do Not Belong to a User Group

You can automatically perform an enterprise wipe when users are removed from user groups. This check occurs at the same frequency as the Sync LDAP Groups scheduler task.


The Restrict Enrollment To Configured Groups option limits enrollment in one of the following ways.

  • Enrollment is limited to users who belong to any user group (All Groups).
  • Enrollment is limited to users who belong to a particular user group (Selected Groups).

For more information, refer to the Enabling Directory Service-Based Enrollment section of the VMware AirWatch Mobile Device Management Guide, available on docs.vmware.com.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Restrictions tab.
  2. Select Restrict Enrollment in the Configured Groups option.
  3. To automatically enterprise wipe the devices of users who do not belong to any user group, take the following steps.
    1. Select All Groups.
    2. Enable the Enterprise Wipe devices of users not belonging to the configured groups option.
  4. To automatically enterprise wipe the devices of users who do not belong to the selected user groups, take the following steps.
    1. Select Selected Groups and include the user group names.
    2. Enable the Enterprise Wipe devices of users not belonging to the configured groups option.
  5. Select Save.

Set all your Deactivated Users accounts to Inactive

You can enable Workspace ONE UEM to detect when a user account is deactivated in your directory service and automatically set its associated Workspace ONE UEM user account to inactive.

  1. Navigate to Accounts > Users > Settings > Directory Services.
  2. Select the User tab.
  3. See advanced configuration options by selecting the Advanced hyperlink.
  4. Enable the Automatically Sync Enabled Or Deactivated User Status slider.

    1. For Value For Deactivated Status, enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user's status.
    2. Select Flag Bit Match if the user status is stored as a bitwise flag (the default for Active Directory, whose userAccountControl attribute marks a disabled account with the ACCOUNTDISABLE bit, decimal value 2). With Flag Bit Match selected, a user is considered deactivated if any bit set in the value you enter is also set in the attribute; without it, the attribute must equal the value exactly.

If you enable this option, then Workspace ONE UEM administrators who are set as inactive in your directory service cannot log in to the UEM console. In addition, enrolled devices assigned to users who are set as inactive in your directory service are unenrolled automatically.
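The difference between the two matching modes matters in practice, because Active Directory packs several unrelated flags into the same attribute. The following is an added illustration, not code from the Workspace ONE UEM product or its documentation: it models the Flag Bit Match check against a handful of constructed userAccountControl values (the flag constants are Microsoft's documented bit values) and shows why an exact-value comparison misses disabled accounts that also carry other flags.

```python
"""Flag-bit match versus exact-value match on a directory status attribute.

Added example; the helper names here are illustrative, not UEM APIs.
"""

# Microsoft-documented Active Directory userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002        # account is disabled
NORMAL_ACCOUNT = 0x0200        # 512, the default account type
DONT_EXPIRE_PASSWORD = 0x10000 # 65536, password never expires


def is_deactivated(attr_value: int, configured_value: int, flag_bit_match: bool) -> bool:
    """Return True if the attribute marks the user deactivated.

    flag_bit_match=True  : deactivated if any bit of configured_value is set in attr_value.
    flag_bit_match=False : deactivated only if attr_value equals configured_value exactly.
    """
    if flag_bit_match:
        return (attr_value & configured_value) != 0
    return attr_value == configured_value


# Constructed sample entries (not real accounts): name -> userAccountControl value.
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,                                         # 512, enabled
    "bob":   NORMAL_ACCOUNT | ACCOUNTDISABLE,                        # 514, disabled
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE, # 66050, disabled
    "dave":  NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                  # 66048, enabled
}


def deactivated_users(users: dict, configured_value: int = ACCOUNTDISABLE,
                      flag_bit_match: bool = True) -> list:
    """Names of users the sync would treat as deactivated, sorted for stable output."""
    return sorted(
        name for name, value in users.items()
        if is_deactivated(value, configured_value, flag_bit_match)
    )


if __name__ == "__main__":
    # Flag Bit Match with value 2 catches every disabled account, whatever else is set.
    print(deactivated_users(SAMPLE_USERS))                 # ['bob', 'carol']
    # An exact match on 514 only catches the plain disabled account and misses carol.
    print(deactivated_users(SAMPLE_USERS, 514, False))     # ['bob']
    # An exact match on 2 alone matches nobody, since the account-type bit is always present.
    print(deactivated_users(SAMPLE_USERS, 2, False))       # []
```

The practical takeaway: with Active Directory, configure the deactivated-status value as 2 and leave Flag Bit Match selected; an exact-value configuration silently leaves disabled users with extra flags (such as a non-expiring password) enrolled.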

Remove Users From User Groups Based on the Directory Service Group Membership

You can enable Workspace ONE UEM and Workspace ONE Express to detect when a user account is removed from a directory service group and automatically remove its associated UEM user account from the corresponding user group.

  1. Navigate to Accounts > User Groups > Settings > Directory Services.
  2. Select the Group tab.
  3. See advanced configuration options by selecting the Advanced drop-down.
  4. Select the Auto Sync Default check box to add and remove users in user groups automatically based on membership in directory service.

Parent topic: Managing Directory User Group Integration in Workspace ONE UEM
