As an admin, you can configure your directory service integration with Workspace ONE UEM. Integrating with directory services eliminates the need to create basic user accounts in your organization. Such integration can also help simplify the enrollment process for end users by applying information they already know.

Note: Before you are able to make changes to the Directory Services settings, you must ensure that the Directory check box is enabled (checked) in the Authentication Mode(s) option found in the Device & Users > General > Enrollment page. See Device and User Enrollment Settings. Override the Current Setting for the above-linked page if necessary.

The following system settings are presented in an agnostic way. In other words, not all sections and subsections displayed will apply to your environment. However, all options you see in your environment are represented somewhere here.

What can you do with the Directory Services Settings Page?

The path to the settings page on the UEM console is Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.

Integrating Workspace ONE UEM with your directory service provides many benefits.

  • Conduct enrollment for both users and administrators.
  • Map directory groups to Workspace ONE UEM user groups.
  • Control UEM console access.
  • Apply existing credentials for VMware Content Locker access.
  • Assign apps, profiles, and policies by user group.
  • Automatically retire end users when they go inactive.

Determine your Organization group hierarchy

Before you review and modify the settings, understand the two types of inheritance/override options for the organization group hierarchy available at the top and bottom of the settings page and determine your choice. For more information about these settings, see Override Versus Inherit Setting for Organization Groups.
  • Current Setting - Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.

Note: Technical Preview: Workspace ONE UEM offers integration with Workspace ONE Broker as a technical preview. Technical preview features are not fully tested and some functionality might not work as expected. However, these previews help Workspace ONE UEM improve current functionality and develop future enhancements. To use a technical preview feature, contact your VMware representative.

Server Tab

Setting Description
Directory Type

Select the type of directory service that your organization uses. The option you select here dictates all other available options for directory service configuration.

Workspace ONE UEM supports multiple types of LDAP offerings including open source LDAP. It also supports a directory type of none.

Technical Preview: If you are using Workspace ONE Broker to manage users and user groups across multiple VMware products, then you can select “VMware Identity Services” and proceed to the setup for User Provisioning and Identity Federation.

DNS SRV

Allow the Domain Name System Service Record to decide which server in its prioritized list of servers can best support LDAP requests. This feature ensures continuity of services in a high availability environment. The default setting is deactivated.

With this option turned off, Workspace ONE UEM uses your existing directory server, the address of which you enter in the Server setting.

Supported DNS servers:

  • Active Directory integrated Microsoft DNS servers
  • Standalone Microsoft DNS servers
Server Enter the address of your directory server. This setting is only available when Enable DNS SRV is deactivated.
Encryption Type Select the type of encryption to use for directory services communication. The options available are None (unencrypted), SSL, and Start TLS.
Port

Enter the Transmission Control Protocol (TCP) port used to communicate with the domain controller.

The default for unencrypted LDAP directory service communication is port 389. To view a KnowledgeBase article that lists the most up-to-date Workspace ONE UEM SaaS data center IP ranges, refer to https://support.air-watch.com/articles/115001662168.

  • When you change the Encryption Type setting to SSL, the Port setting automatically changes to 636.
  • When you select the Add Domain button, the Port setting automatically changes to 3268.
Protocol Version Select the version of the Lightweight Directory Access Protocol (LDAP) that is in use. Active Directory uses LDAP versions 2 or 3. If you are unsure of which Protocol Version to use, try the commonly used value of '3'.
Use Service Account Credentials Use the App pool credentials from the server on which the VMware Enterprise Systems Connector is installed for authenticating with the domain controller. Enabling this option hides the Bind user name and Bind Password settings.
Bind Authentication Type

Select the type of bind authentication to enable the AirWatch server to communicate with the domain controller.

You can select Anonymous, Basic, Digest, Kerberos, NTLM, or GSS-NEGOTIATE. If you are unsure which Bind Authentication Type to use, start by setting it to Basic. You will know that your selection is not correct when you click Test Connection.

Bind User Name Enter the user name used to authenticate with the domain controller. This account (identified by the user name you enter) must have read access on your directory server and binds the connection when authenticating users. If you are unsure of which Bind Authentication Type to use, try the commonly used GSS-NEGOTIATE. You will know that your selection is not correct when you click Test Connection.
Clear Bind Password Select the Clear Bind Password check box to clear the bind password from the database.
Bind Password Enter the password for the bind user name to authenticate with the directory server.
Domain / Server

Enter the default domain and server name for any directory-based user accounts. If only one domain is used for all directory user accounts, fill in the text box with the domain. This entry means that users are authenticated without explicitly stating their domain.

You can add more domains by selecting the Add Domain option. Make sure that all the domains are in the same forest. In this case, Workspace ONE UEM automatically changes the port setting to 3268 for global catalog. You may choose to change the port setting to 3269 for SSL encrypted traffic, or override it completely by entering a separate port.

Is there a trust relationship between all domains?

This setting is available only when you have more than one domain added.

Select Yes if the binding account has permission to access other domains you have added. This added permission means that the binding account can successfully log in from more domains.

The following options are available after selecting the Advanced section drop-down.

Setting Description
Search Subdomains

Enable subdomain searching to find nested users.

Leaving this option turned off can make searches faster and avoid network issues. However, users and groups located in subdomains under the base Distinguished Name (DN) are not identified.

Connection Timeout Enter the LDAP connection timeout value (in seconds).
Request Timeout Enter the LDAP query request timeout value (in seconds).
Search without base DN Enable this option when using a global catalog and when you do not want to require a base DN to search for users and groups.
Use Recursive OID at Enrollment Verify user group membership at the time of enrollment. As the system runs this feature at enrollment time, your performance may decrease with some directories.
Use Recursive OID For Group Sync Verify user group membership at the time of Group synchronization.
Object Identifier Data Type Select the unique identifier that never changes for a user or group. The options available are Binary and String. Typically, the Object Identifier is in a Binary format.
Sort Control Option to enable sorting. If this option is turned off, it can make searches faster and you can avoid sync timeouts.

Azure Active Directory

Select Enabled for Use Azure AD for Identity Services and follow the on-screen steps to set up integration with Azure Active Directory.

Azure AD integration with Workspace ONE UEM must be configured at the tenant where Active Directory (such as LDAP) is configured.

Setting Description
MDM Enrollment URL Enter the URL address used to enroll devices.
MDM Terms of Use URL

Enter the URL address of your terms of use agreement.

A helpful link shows exactly where in the Azure AD configuration panel these MDM URLs belong. This link is labeled "Where in AAD do I paste this info?"

Directory ID

Enter the identification number used to authenticate your Azure AD license.

The Azure Directory ID is found in your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section (0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n) is your Directory ID.

Tenant Name

Enter the tenant name of your Azure AD instance.

A helpful link shows exactly how to obtain the tenant information from your AAD Directory Instance. This link is labeled "How To Obtain Tenant Info".

Immutable ID-Mapping Attribute The Immutable ID-Mapping Attribute points to the sourceAnchor field in Active Directory that is mapped to Azure AD. This setting enables Workspace ONE UEM to match the Azure AD immutable ID to the correct local active directory attribute.
Mapping Attribute Data Type Select the mapping attribute data type of the field used by Workspace ONE UEM as the sourceAnchor for Azure AD. The default type is Binary.
Automatically revoke user tokens when wiping devices Enable this option to revoke Microsoft Azure AD user tokens when a device or enterprise wipe is run. It is not a best practice to deactivate this functionality as it might reduce the security posture of your configuration. If a wiped device is lost, it can still contain a valid AAD authentication token.

SAML

The following Security Assertion Markup Language (SAML) options are available after selecting Use SAML for Authentication, and are only applicable if you are integrating with a SAML identity provider.

Note: Technical Preview: SAML fields are deactivated for customers who integrate Workspace ONE UEM with Workspace ONE Broker.
Setting Description
Enable SAML authentication For

You have the choice of using SAML authentication for Admin, Enrollment, or Self Service Portal.

UEM console administrators can select all three, or any combination of two, or select any one of the three components.

Use new SAML Authentication endpoint

A new SAML authentication endpoint has been created for end-user authentication (device enrollment and login to SSP). This authentication replaces the two dedicated enrollment and SSP endpoints with a single endpoint.

While you may choose to keep your existing settings, Workspace ONE UEM suggests updating your SAML settings to take advantage of the new combined endpoint.

If you want to use the new endpoint, enable this setting and save the page. Then use the Export Service Provider Settings to export the new metadata file and upload it to your IdP. Doing so establishes trust between the new endpoint and your IdP.

SAML 2.0

Note: Technical Preview: SAML fields are deactivated for customers who integrate Workspace ONE UEM with Workspace ONE Broker.
Setting Description
Import Identity Provider Settings Upload a metadata file obtained from the identity provider. This file must be in Extensible Markup Language (XML) format.
Service Provider (Workspace ONE UEM) ID Enter the Uniform Resource Identifier (URI) with which Workspace ONE UEM identifies itself to the identity provider. This string must match the ID that has been established as trusted by the identity provider.
Identity Provider ID Enter the URI that the identity provider uses to identify itself. Workspace ONE UEM reviews authentication responses to verify that the identity matches the ID provided here.

What UEM Requires of Third-Party Identity Providers (IDP)

The following is universal for any Identity Provider (IDP).

  • The third party IDP is required to send the following SAML attributes to Workspace ONE UEM (based on KB: https://kb.vmware.com/s/article/2961194):
    • NameID (format: unspecified) – value: TransientID
    • uid or sAMAccountName (format: unspecified) – value: Username attribute from UEM
    • objectGUID (format: unspecified) – value: Object Identifier attribute from UEM
  • To retrieve the Username attribute used by Workspace ONE UEM, take the following steps.

    1. Navigate to System > Enterprise Integration > Directory Services.
    2. Select the Users tab, then Advanced and look for the attribute named Username.
    3. The Mapping Value is the attribute required by Workspace ONE UEM. This could be uid or sAMAccountName, depending on the IDP.
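As an added example (not VMware's code), the following Python checks a SAML response from an identity provider for the data listed above: a non-empty NameID with the unspecified format, a uid or sAMAccountName attribute, and an objectGUID attribute. The helper name, the sample response and its placeholder values are constructed for this example; it checks attribute completeness only and does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Rows from the attribute table above: either username attribute satisfies row two.
REQUIRED_ATTRIBUTES = (("uid", "sAMAccountName"), ("objectGUID",))


def check_assertion_for_uem(response_xml: str) -> list:
    """Return a list of problems; an empty list means the required data is present.

    Hypothetical helper for testing an IdP's output. It only checks attribute
    completeness; signature validation (Authentication Response Security) is a
    separate step that this example does not perform.
    """
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in the response"]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
        problems.append(f"NameID Format is {name_id.get('Format')}, expected unspecified")

    # Collect every attribute the IdP sent, keeping only non-empty values.
    present = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        present[attr.get("Name")] = values
    for alternatives in REQUIRED_ATTRIBUTES:
        if not any(present.get(name) for name in alternatives):
            problems.append("missing attribute: " + " or ".join(alternatives))
    return problems


# Constructed sample response (placeholder values, not from a real IdP).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">_tid-0001</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="objectGUID">
        <saml:AttributeValue>PLACEHOLDER_BASE64_GUID==</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_assertion_for_uem(SAMPLE_RESPONSE) or "assertion carries everything UEM requires")
```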

Request

Setting Description
Request Binding Type Select the binding types of the request. The options include Redirect, POST, and Artifact.
Identity Provider Single Sign-On URL Enter the URL that the identity provider configures as the source of truth for its SSO.
NameID Format Select the format that the NameID in authentication requests uses. This option is required.

Select from Transient Identifier, Persistent Identifier, Entity Identifier, Email Address, X509 Subject Name, Kerberos, Windows Domain Qualified Name, and Unspecified.

Authenticated Request Security This value specifies whether the IdP signs the request. You can select between None, Sign Authentication Requests (SHA1), and Sign Authentication Requests (SHA256). Consider selecting the SHA1 or SHA256 options for a more secure authentication.

Response

Setting Description
Response Binding Type Select the binding types of the response. The options include Redirect, POST, and Artifact.
SP Assertion URL Enter the Workspace ONE UEM URL that the identity provider configures to direct its authentication responses. “Assertions” regarding the authenticated user are included in success responses from the identity provider.
Authentication Response Security This value specifies whether the IdP signs the response. You can select between None, Validate Response Signatures, and Validate Assertions Signatures. Consider selecting Validate Response Signatures for a more secure authentication.

Certificate

Setting Description
Identity Provider Certificate Upload the identity provider certificate.
Service Provider (AirWatch) Certificate Upload the service provider certificate. Note: Currently we only support SHA256 based algorithms. For more information on all the providers that support SHA256, see https://docs.microsoft.com/en-us/windows/desktop/SecCertEnroll/cryptoapi-cryptographic-service-providers.
Export Service Provider Settings button Exports the metadata file for uploading to your Identity Provider (IdP). This setting establishes trust between the new SAML endpoint (for enrollment and SSP login) and your IdP.

User Tab

Setting Description
User Object Class Enter the appropriate Object Class. In most cases, this value is "user."
User Search Filter

Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}" where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user.

  • For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.
  • For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}".
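As an added example (not VMware's code), the following Python shows how the {EnrollmentUser} placeholder in these filter templates should be substituted: the enrolling user's name is hex-escaped per RFC 4515 before insertion, so that parentheses, asterisks or backslashes in the supplied name cannot change the structure of the filter sent to the directory. The template strings are the ones from this page; the helper functions are assumed names.

```python
# Search filter templates exactly as listed on the User tab of this page.
AD_USER_FILTER = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))"
LDAP_CN_FILTER = "CN={EnrollmentUser}"
LDAP_UID_FILTER = "UID={EnrollmentUser}"

PLACEHOLDER = "{EnrollmentUser}"

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value; otherwise a supplied name could alter the filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, enrollment_user: str) -> str:
    """Substitute the enrolling user's name into a configured filter template.

    Hypothetical helper: it shows what a directory integration has to do with
    the {EnrollmentUser} placeholder before the search reaches the server.
    """
    if PLACEHOLDER not in template:
        raise ValueError(f"template must contain {PLACEHOLDER}")
    if not enrollment_user:
        raise ValueError("enrollment user name must not be empty")
    return template.replace(PLACEHOLDER, escape_filter_value(enrollment_user))


if __name__ == "__main__":
    # A plain name is inserted unchanged; a name containing filter syntax is
    # neutralised rather than becoming an extra assertion.
    print(build_user_filter(AD_USER_FILTER, "jdoe"))
    print(build_user_filter(AD_USER_FILTER, "jdoe)(cn=*"))
```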

Advanced

Setting Description
Auto Merge Enable setting to allow user group updates from your directory service to merge with the associated users and groups in Workspace ONE UEM automatically.
Automatically Sync Enabled Or Deactivated User Status

Select Enabled to deactivate the associated user in Workspace ONE UEM when that user is deactivated in your LDAP directory service (for example, Active Directory, Novell e-Directory, and so on).

  • Value For Deactivated Status – Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user’s status. Select “Flag Bit Match” if the user status is designated by a bitwise flag (which is the default for Active Directory).

    When “Flag Bit Match” is selected, Directory Services considers the user to be deactivated if any bits from the property match the given value.

    Note: If you select this option and you deactivate users in your directory service, the corresponding user account in Workspace ONE UEM is marked inactive and those administrators and users are not able to log in. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.
Enable Custom Attributes Enable custom attributes. Custom Attributes is a section that appears under the main Attribute / Mapping Value table. You must scroll down to the bottom of the page to see the Custom Attributes.
Attributes

Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in Active Directory (AD). Update these mapping values to reflect the values used for your own or other directory service types.

If you add or remove a custom attribute, you should initiate a manual sync afterward by selecting the Sync Attributes button.

Sync Attributes button Manually sync the attributes mapped here to the user records in Workspace ONE UEM. Attributes sync automatically on the time schedule configured for the Workspace ONE UEM environment.
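As an added example (not VMware's code), the following Python models the Value For Deactivated Status evaluation described above for the Automatically Sync Enabled Or Deactivated User Status setting: with Flag Bit Match a user is treated as deactivated when any bit of the directory attribute matches the configured value, which for Active Directory's userAccountControl is the ACCOUNTDISABLE bit (0x2). The enum member for the non-bitwise comparison, the helper names and the sample records are constructed for this example.

```python
from enum import Enum


class StatusMatchType(Enum):
    """How the configured numeric value is compared with the directory attribute."""
    FLAG_BIT_MATCH = "Flag Bit Match"   # named on the page; Active Directory default
    EXACT_MATCH = "Exact Match"         # assumed name for the non-bitwise alternative


# Active Directory keeps account state in the userAccountControl bit field;
# ACCOUNTDISABLE is bit 0x2, so 2 is the value to enter for AD.
AD_ACCOUNTDISABLE = 0x2


def is_deactivated(attribute_value, configured_value: int,
                   match_type: StatusMatchType) -> bool:
    """Decide whether a directory user counts as deactivated.

    With Flag Bit Match the user is deactivated if any bit of the attribute
    matches the configured value, as the page describes; otherwise the
    attribute must equal the configured value exactly.
    """
    try:
        value = int(attribute_value)
    except (TypeError, ValueError):
        return False   # attribute absent or non-numeric: no bits can match
    if match_type is StatusMatchType.FLAG_BIT_MATCH:
        return (value & configured_value) != 0
    return value == configured_value


# Constructed sample records (not real directory data).
SAMPLE_USERS = {
    "alice": {"userAccountControl": "512"},    # NORMAL_ACCOUNT
    "bob":   {"userAccountControl": "514"},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": {"userAccountControl": "66050"},  # DONT_EXPIRE_PASSWD | NORMAL_ACCOUNT | ACCOUNTDISABLE
    "dave":  {},                               # attribute missing
}


def sync_user_status(records, configured_value=AD_ACCOUNTDISABLE,
                     match_type=StatusMatchType.FLAG_BIT_MATCH,
                     attribute="userAccountControl"):
    """Return the status each user would receive in UEM after a sync."""
    result = {}
    for name, record in records.items():
        inactive = is_deactivated(record.get(attribute), configured_value, match_type)
        result[name] = "Inactive" if inactive else "Active"
    return result


if __name__ == "__main__":
    for user, status in sync_user_status(SAMPLE_USERS).items():
        print(f"{user}: {status}")
```

Note that an exact-value comparison would miss carol, whose account carries additional flags alongside ACCOUNTDISABLE, which is why the bitwise mode is the Active Directory default.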

Group Tab

Setting Description
Group Object Class Enter the appropriate Object Class. In most cases this value should be group.
Organizational Unit Object Class Enter the appropriate Organizational Unit Object Class.

Show Advanced

Setting Description
Group Search Filter Enter the search parameter used to associate user groups with directory service accounts.
Auto Sync Default Select this checkbox to automatically add or remove users in Workspace ONE UEM configured user groups based on their membership in your directory service.
Auto Merge Default Select this check box to automatically apply sync changes without administrative approval.
Maximum Allowable Changes

Enter the number of maximum allowable group membership changes to be merged into Workspace ONE UEM. Any number of changes detected upon syncing with the directory service database under this number are automatically merged.

If the number of changes exceeds this threshold, an administrator must manually approve the changes before they are applied. A single change is defined by a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much.

Conditional Group Sync Enable this option to sync group attributes only after changes occur in Active Directory. Deactivate this option to sync group attributes regularly, regardless of changes in Active Directory.
Auto-Update Friendly Name

When enabled, the friendly name is updated with group name changes made in Active Directory.

When deactivated, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit (OU)-based user groups with the same common name.

Attribute Review and edit the Mapping Value for the listed Attribute, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in AD. Update these mapping values to reflect the values used for your own or other directory service types.
  • Test Connection – Click this button to test your connection with your directory service endpoint.

Limitations and Caveats

  • No AD passwords are stored in the Workspace ONE UEM database with the exception of the Bind account password used to link directory services into your Workspace ONE UEM environment. That password is stored in encrypted form in the database and is not accessible from the console. Unique session keys are used for each sync connection to the Active Directory server.
  • In some instances global catalogs are used to manage multiple domains or AD Forests. If you experience delays when searching for or authenticating users, this may be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results. To do this, configure the following settings:
    • Encryption Type = None
    • Port = 3268
    • Verify that your firewall allows for this traffic on port 3268.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.