With admin accounts in Workspace ONE Express and Workspace ONE UEM, you can maintain settings, push or revoke features and content, and much more.
Admin Account List View
You can implement key management functions for ongoing maintenance and upkeep of admin accounts by navigating to.
Display the Add/Edit Admin page by selecting the hypertext link in the user name column. This link lets you quickly update the roles currently assigned to an admin, or change roles within your organization, so that privileges stay up to date. You can also alter general admin information and reset a password.
You can Filter the list of administrators to include all roles or limit the listing to only a specific role you want to see. You can also export an XLSX or CSV (comma-separated values) file of the filtered or unfiltered Administrators List View. You can then view and analyze this file with MS Excel. Select the Export button and choose a download location.
Display the action buttons applicable to that admin by selecting the radio button next to the administrator user name.
- View History – Track when admins log in and out of the Workspace ONE UEM console or Workspace ONE Express.
- Deactivate – Change the status of an admin account from active to inactive. This feature allows you to suspend the management functions and privileges temporarily. At the same time, this feature enables you to keep the defined roles of the admin account for later use.
- Activate – Change the status of an admin account from inactive to active.
- Delete – Remove the admin account from the console. Such an action is useful for when an administrator ends employment.
- Reset Password – Available to basic administrators only. Sends an email to the basic admin email address on record. The email contains a link that expires in 48 hours. To reset the password, the basic admin must select the link and answer the password recovery question. This link enables the basic admin to change their own password.
Directory-based administrators must reset their passwords using the active directory system.
Temporary administrators cannot reset their password. Another admin must delete then re-create the temporary admin account.
Create an Admin Account
You can add Admin Accounts from the Administrators List View page, providing access to advanced features of the Workspace ONE UEM console and Workspace ONE Express. Each admin that maintains and supervises the console must have an individual account.
- Navigate to Add, then Add Admin. The Add/Edit Admin page displays.
- Under the Basic tab, for the User Type setting, select either Basic or Directory.
- If you select Basic, then fill in all required settings on the Basic tab, including user name, password, First Name, and Last Name.
- You can enable Two-Factor Authentication where you select between Email and SMS as a delivery method and the token expiration time in minutes.
- You can also select a Notification option, choosing between None, Email, and SMS. The Admin receives an auto-generated response.
- If you select Directory, then enter the Domain and user name of the admin user.
- Select the Details tab and enter additional information, if necessary.
- Select the Roles tab and then select the Organization Group followed by the Role you want to assign to the new admin. Add new roles by using Add Role.
- Select the API tab and choose the Authentication type.
- Select the Notes tab and enter additional Notes for the admin user.
- Select Save to create the admin account with the assigned role.
Create a Temporary Admin Account
You can grant temporary administrative access to your environment for support, demonstrations, and other time limited use cases.
- Navigate to Add. Select the Add Temporary Admin option.
Alternatively, you can select the Help button from the header bar that appears at the top-right corner of almost every page of Workspace ONE UEM and Workspace ONE Express and select Add Temporary Admin.
- In the Basic tab, select to add a temporary admin account based on Email Address or user name and complete the following settings.
| Setting | Description |
| --- | --- |
| Email Address | Enter the email address on which the temporary admin account is based. Available only when Email Address radio button is selected. |
| User name | Enter the user name on which the temporary admin account is based. Available only when the user name radio button is selected. |
| Password / Confirm Password | Enter and confirm the password that is associated with the Email Address or user name. |
| Expiration Period | Select an Expiration Period which defaults to 6 hours. You can also set this drop-down menu to Inactive to create the account now and activate it later. |
| Ticket Number | Optionally, you can add the Ticket Number from ZenDesk, Bugzilla, Jira, or other help desk tool as a reference marker. |
- In the Roles tab, you can add, edit, and delete roles applicable to the temporary admin account.
- Add a role by selecting the Add Role button and then select the organization group and role for which the temporary admin account applies.
- Edit an existing role by selecting the edit icon and select a different organization group and role.
- Delete a role by selecting the delete icon.
Directory User Status Syncing
When you make users inactive in your directory service, the corresponding Workspace ONE UEM and Workspace ONE Express account is affected in a similar way, but only if the following prerequisite conditions are met.
- Syncing of removed users works with Active Directory only.
- The user name you entered in the Bind User Name option must have Active Directory administrator privileges.
- Check on this name by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services, and in the Server tab, look for the Bind User Name text box.
- Workspace ONE Express customers can find the Bind User Name text box in the same Server tab by navigating to Groups & Settings, then select Directory Services from the Name column.
- You can allow non-administrators in Active Directory access to the deleted objects container, provided you follow the steps outlined in the following Microsoft Support article: https://support.microsoft.com/en-in/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-object
- Furthermore, the recycle bin must be enabled using the Active Directory Administrative Center but only if you are deleting users in AD.
- Open the Active Directory Administrative Center.
- Select the domain, then right click the domain.
- Select Enable Recycle Bin. Once enabled, the recycle bin cannot be deactivated.
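The two Active Directory prerequisites above can also be checked from PowerShell. The script below is an added example, not part of the Workspace ONE documentation; it assumes a domain-joined host with the RSAT ActiveDirectory module installed, and the `-EnableRecycleBin` switch is a name chosen for this script.

```powershell
# Added example: verifies the Active Directory prerequisites for directory
# user status syncing. Check-only unless -EnableRecycleBin is supplied.
param(
    [switch]$EnableRecycleBin   # hypothetical switch name; enabling cannot be undone
)

Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# 1. Recycle Bin: EnabledScopes stays empty until the feature is turned on.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is enabled for forest $($forest.Name)."
}
elseif ($EnableRecycleBin) {
    # Same effect as "Enable Recycle Bin" in the Administrative Center.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}
else {
    Write-Warning "Recycle Bin is NOT enabled. Re-run with -EnableRecycleBin to enable it (irreversible)."
}

# 2. Bind account: confirm it can query the Deleted Objects container.
#    Supply the account shown in the Bind User Name text box.
$bindCred = Get-Credential -Message 'Credentials of the Bind User Name account'
try {
    # An empty result still counts as success: the query was permitted.
    $null = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -SearchBase $domain.DeletedObjectsContainer -Credential $bindCred `
        -ResultSetSize 1 -ErrorAction Stop
    Write-Host "Bind account can query $($domain.DeletedObjectsContainer)."
}
catch {
    Write-Warning "Bind account cannot read deleted objects: $($_.Exception.Message)"
}
```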
Navigate to Accounts > Administrators > System Activity > Login History and you can view a listing of all administrator logins including date & time, their IP address, browser, and platform. Select a Username from the listing to see the entire login history of the selected admin.