Mapping your User Groups for Enrollment and Console Access

After you add your directory service groups to Workspace ONE UEM, you can use the resulting user groups for enrollment and role-based access. In terms of a device enrollment, you can map user groups to existing organization groups and automatically select a Group ID based on a user group. In terms of console access, you can restrict the level of UEM console access users have (roles) based on their user group membership.

For more information about how the enrollment OG is configured, see User Enrollment OG Precedence Order.

You can configure settings to select a Group ID automatically based on a user group or allow users to select a Group ID from a list.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Grouping tab.

  2. Select Automatically Select Based on User Group as the Group ID Assignment Mode.

    This screenshot displays a small portion of the system settings enrollment panel, Group ID Assignment Mode and its three possible options.

    This option works only when your existing directory service is already replete with user group assignments independent from Workspace ONE UEM.

    Enabling this option ensures that users are assigned to organization groups automatically based on their directory service group assignments. Once selected, the Group Assignment Settings section displays all the organization groups (OG) for the environment and their associated directory service user groups.

    When the Apply mapping on enrollment only setting is enabled, the user group assignment applies at enrollment time only. You can move devices to another OG manually after enrollment. However, if the Apply mapping on enrollment only check box is enabled, the device does not honor any new user group mapping. The event log captures the identity of the admin requesting this mapping at enrollment time.

    For more information about the Event Log, see Event Logs.

  3. Modify the organization group/user group associations and set the rank of precedence for each group by selecting Edit Group Assignment. Select Save when you are finished.

    If a user belongs to multiple user groups, the rank determines which user group takes precedence. The user is associated to the OG of the highest-ranked user group to which they belong.

  4. Similar to user group mapping to an OG assignment, map roles, or console permissions, based on user groups. Enable the editing of role-based access levels by selecting Enable Directory Group-Based Mapping in the User Role Mapping section. To edit roles and rank user groups, similar to the method used in step 3, select Edit Assignment.

    For each user group, set the rank of precedence and associated role each group has. If a user belongs to multiple user groups, the rank determines which user group, and therefore role, takes precedence. The user receives permissions for the highest-ranked user group to which they belong. Select Save when you are finished.

    Access the Roles page and define new or edit existing Roles by navigating to Accounts > Roles.

  5. Select Save when you are done mapping user groups to enrollment organization groups and roles.

You can restrict an enrollment to only known users or configured groups. For more information, see Additional Enrollment Restrictions.

Parent topic: Managing Directory User Group Integration in Workspace ONE UEM

check-circle-line exclamation-circle-line close-line
Scroll to top icon