Creating user groups with directory integration keeps device management aligned with your directory service: device enrollment and subsequent updates, administrative oversight, and user management all follow your existing directory structure.

Prerequisites

Ensure that the user group Type is Directory.

Procedure

  1. Navigate to Accounts > User Groups > List View, select Add then Add User Group.
    Setting Description
    Type

    Select the type of User Group.

    • Directory – Create a user group that is aligned with your existing Active Directory structure.
    • Custom – Create a user group outside of your organization's existing Active Directory structure. This user group type lets you grant basic and directory users access to features and content, so you can tailor user groups to your deployment. Custom user groups can only be added at a Customer-level organization group.
    External Type

    Select the external type of group you are adding.

    • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    • Custom Query – Create a user group containing the users returned by a custom LDAP query. Selecting this external type hides the Search Text setting and displays the Custom Query section instead.
    Search Text

    Identify the name of a user group in your directory by entering the search criteria and selecting Search to search for it. If a directory group contains your search text, a list of group names displays.

    This option is unavailable when External Type is set to Custom Query.

    Directory Name

    Read-only setting displaying the address of your directory services server.

    Domain and Group Base DN

    This information automatically populates based on the directory services server information you enter on the Directory Services page (Groups & Settings > All Settings > System > Enterprise Integration > Directory Services).

    Select the Fetch DN plus sign (+) next to the Group Base DN setting to display a list of distinguished name elements to choose from.

    Custom Object Class

    Identifies the object class under which your query runs. The default object class is 'person', but you can supply a custom object class if it identifies your users more reliably.

    This option is available only when Custom Query is selected as External Type.

    Group Name

    Select a Group Name from your Search Text results list. Selecting a group name automatically alters the value in the Distinguished Name setting.

    This option is available only after you have completed a successful search with the Search Text setting.

    Distinguished Name

    This read-only setting displays the full distinguished name of the group you are creating.

    This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Base DN

    Identifies the base distinguished name that serves as the starting point of your query. The default base distinguished name is 'AirWatch' and 'sso'. To run the query from a different starting point, supply a custom base distinguished name.

    This option is available only when Custom Query is selected as External Type.

    Organization Group Assignment

    This optional setting enables you to assign the user group you are creating to a specific organization group.

    This option is available only when Group or Organizational Unit is selected as External Type.

    User Group Settings

    Select between Apply default settings and Use Custom settings for this user group. See the Custom Settings section for additional setting descriptions. You can configure this option from the permission settings after the group is created.

    This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Query - Query

    This setting displays the currently loaded query that runs when you select the Test Query button and when you select Continue. Changes you make to the Custom Logic setting or the Custom Object Class setting are reflected here.

    Custom Logic

    Add your custom query logic here, such as a user name or admin name, for example "cn=jsmith". You can include as much or as little of the distinguished name as you like. The Test Query button lets you check that the syntax of your query is correct before you select Continue. Note that a syntactically valid query is not necessarily the intended one: review the users it returns before you continue.

    Custom Settings - Management Permissions

    You can allow or disallow all administrators to manage the user group you are creating.

    Default Role

    Select a default role for the user group from the drop-down menu.

    Default Enrollment Policy

    Select a default enrollment policy from the drop-down menu.
    Auto Sync with Directory

    This option enables the directory sync, which reads user membership from the directory server and stores it in a temporary table. Administrators must approve the changes in the console before they are applied, unless Auto Merge Changes is enabled.

    If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Auto Merge Changes

    Enable this option to apply sync changes from the temporary table automatically, without administrative approval.
    Maximum Allowable Changes

    Use this setting to set a threshold for the number of user group sync changes that are applied automatically in one sync.

    Changes that exceed the threshold require admin approval, and a notification is sent to that effect.

    This option is available only when Auto Merge Changes is enabled.

    Add Group Members Automatically

    Enable this setting to add users to the user group automatically.

    If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Send Email to User when Adding Missing Users

    Enable this option to send an email to users when missing users are added to the user group. Adding missing users means merging the temporary user group table with the Active Directory table.
    Message Template

    This option is available only when Send Email to User when Adding Missing Users is enabled.

    Select a message template to be used for the email notification during the addition of missing users to the user group.

    When adding Active Directory users who are new to the Workspace ONE UEM console, the message templates available depend on the enrollment mode configured in Groups & Settings > All Settings > Devices & Users > General > Enrollment, on the Authentication tab, under Devices Enrollment Mode.

    When Open Enrollment is selected as the Devices Enrollment Mode, a User Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll.

    When Registered Devices Only is selected as the Devices Enrollment Mode, a Device Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll their devices. If Require Registration Token is enabled, the device can be registered with the token embedded in the message.

    For more information on Distinguished Name, search for Microsoft's TechNet article entitled "Object Naming" at https://technet.microsoft.com/.

  2. Select Save.
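The following Python example is added here to illustrate two of the settings above; it is not Workspace ONE UEM code and makes no claim about how the console implements them. The first part composes the LDAP search base and filter that the Custom Query external type describes (Custom Base DN, Custom Object Class and Custom Logic) and applies a shallow syntax check in the spirit of Test Query; that the object class clause and the Custom Logic clause are ANDed is an assumption, since the page only says both settings are reflected in the loaded query. It also shows RFC 4515 escaping, which matters whenever a value from a less trusted source is concatenated into a filter. The second part models the approval gate formed by Auto Sync with Directory, Auto Merge Changes and Maximum Allowable Changes; that the threshold counts additions and removals together is an assumption, and Add Group Members Automatically is not modelled. The DN, object classes and member names are constructed sample data.

```python
"""Added example (not Workspace ONE UEM code): a model of the Custom Query
composition and of the Auto Sync / Auto Merge / Maximum Allowable Changes
approval gate described in the user group settings table."""
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 4515 escapes for a *value* placed inside an LDAP search filter.
# Custom Logic is filter syntax typed by an admin and is used as-is; a value
# taken from a less trusted source (a user name, a form field) must go
# through this before it is concatenated into a filter, or it can alter it.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_custom_query(custom_base_dn: str, custom_object_class: str = "person",
                       custom_logic: str = "") -> tuple[str, str]:
    """Return (search base, filter) for a Custom Query user group.

    Assumption: the object class clause is ANDed with the Custom Logic
    clause. The page only states that both settings are reflected in the
    loaded query, so this is a model, not the console's implementation.
    """
    clauses = [f"(objectClass={escape_filter_value(custom_object_class)})"]
    logic = custom_logic.strip()
    if logic:
        # Custom Logic may be typed with or without its outer parentheses.
        clauses.append(logic if logic.startswith("(") else f"({logic})")
    if len(clauses) == 1:
        return custom_base_dn, clauses[0]
    return custom_base_dn, "(&" + "".join(clauses) + ")"


def filter_syntax_ok(filt: str) -> bool:
    """Shallow check in the spirit of Test Query: balanced parentheses and
    every leaf of the form (attr=value). It does not prove the query returns
    the intended users; only running it against the directory shows that."""
    if not (filt.startswith("(") and filt.endswith(")")):
        return False
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    if depth != 0:
        return False
    # Every innermost (...) group must carry an attribute/value separator.
    return all("=" in leaf for leaf in re.findall(r"\(([^()]*)\)", filt))


@dataclass(frozen=True)
class SyncSettings:
    auto_sync: bool              # Auto Sync with Directory
    auto_merge: bool             # Auto Merge Changes
    max_allowable_changes: int   # Maximum Allowable Changes (used only with auto_merge)


@dataclass(frozen=True)
class SyncPlan:
    to_add: frozenset[str]
    to_remove: frozenset[str]
    action: str  # "skipped", "no_change", "applied" or "pending_approval"


def plan_sync(directory_members, console_members, settings: SyncSettings) -> SyncPlan:
    """Decide what a scheduled sync does with the membership difference.

    Assumption: the threshold counts additions and removals together; the
    page states the threshold's purpose but not how it counts.
    """
    if not settings.auto_sync:
        # Nothing is read into the temporary table, so nothing changes.
        return SyncPlan(frozenset(), frozenset(), "skipped")
    directory, console = frozenset(directory_members), frozenset(console_members)
    to_add, to_remove = directory - console, console - directory
    changes = len(to_add) + len(to_remove)
    if changes == 0:
        action = "no_change"
    elif settings.auto_merge and changes <= settings.max_allowable_changes:
        action = "applied"           # merged with no admin in the loop
    else:
        action = "pending_approval"  # staged; an admin approves in the console
    return SyncPlan(to_add, to_remove, action)


# Constructed sample data, not taken from any real directory.
DIRECTORY_MEMBERS = {"alice", "bob", "carol", "dave"}
CONSOLE_MEMBERS = {"alice", "bob", "erin"}

if __name__ == "__main__":
    base, filt = build_custom_query("OU=Engineering,DC=example,DC=com", "person", "cn=jsmith")
    print(base, filt, "syntax ok" if filter_syntax_ok(filt) else "syntax error")
    for s in (SyncSettings(True, True, 5), SyncSettings(True, True, 2), SyncSettings(False, True, 5)):
        print(s, "->", plan_sync(DIRECTORY_MEMBERS, CONSOLE_MEMBERS, s).action)
```

With the sample sets, the sync differs by three members (two to add, one to remove): it is applied automatically with Auto Merge Changes on and a threshold of 5, queued for approval with a threshold of 2 or with Auto Merge Changes off, and skipped entirely when Auto Sync with Directory is disabled, which matches the table's note that disabling that setting is what stops a scheduled sync from touching the group.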