Integrating with an existing directory service enables you to pull in users automatically. It eliminates the need of having to add users manually to the Workspace ONE UEM.

Every directory user you want to manage through Workspace ONE UEM must have a corresponding user account in the UEM console.

You can directly add your existing directory services users to Workspace ONE UEM using one of the following methods.

  • Batch upload a file containing all your directory services users. The act of batch importing automatically creates a user account.
  • Create user accounts one at a time by entering the directory user name and selecting Check User to auto-populate remaining details.
  • Do not import in bulk nor manually create user accounts and instead allow all directory users to self-enroll at enrollment time.

Pros

  • End users authenticate with existing corporate credentials.
  • Detects and syncs changes from the directory system into Workspace ONE UEM automatically. For instance, when you disable users in AD, the corresponding user account in Workspace ONE UEM console is marked inactive.
  • Secure method of integrating with your existing directory service.
  • Standard integration practice.
  • Can be used for Workspace ONE Direct Enrollment.
  • SaaS deployments using the AirWatch Cloud Connector require no firewall changes and offers a secure configuration to other infrastructures, such as Microsoft ADCS, SCEP, and SMTP servers.

For more information regarding syncing of account statuses, see the section below entitled Directory User Status Syncing.

Cons

  • Requires an existing directory service infrastructure.
  • SaaS deployments require additional configuration due to the AirWatch Cloud Connector being installed behind the firewall or in a DMZ.

Directory User Status Syncing

When you make users inactive in your directory service, it impacts the corresponding Workspace ONE UEM and Workspace ONE Express account in a similar way but only assuming these prerequisite conditions.

  • Syncing of removed users works with Active Directory only.
  • The user name you entered in the Bind User Name option must have Active Directory administrator privileges.
    • Check on this name by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services, and in the Server tab, look for the Bind User Name text box.
    • Workspace ONE Express customers can find the Bind User Name text box in the same Server tab by navigating to Groups & Settings, then select Directory Services from the Name column.
  • You can allow non administrators in Active Directory access to the deleted objects container provided you follow the steps outlined in the following Microsoft Support article. https://support.microsoft.com/en-in/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-object.
  • Furthermore, the recycle bin must be enabled using the Active Directory Administrative Center but only if you are deleting users in AD.
    1. Open the Active Directory Administrative Center.
    2. Select the domain, then right-click the domain.
    3. Select Enable Recycle Bin. Once enabled, the recycle bin cannot be disabled.

Create a Directory-Based User Account

You must create accounts for each user in the Workspace ONE UEM system and directory users authenticate using your existing corporate credentials.

This topic details creating user accounts one at a time. To create user accounts in bulk, see Batch Import Users and Devices.

  1. Navigate to Accounts > Users > List View and select Add and then Add User. The Add / Edit User page displays.
  2. In the General tab, complete the following settings to add a directory user.
    Setting Description
    Security Type Add an Active Directory user by choosing Directory as the Security Type.
    Directory Name This pre-populated setting identifies the Active Directory name.
    Domain Choose the domain name from the drop-down menu.
    User name

    Enter the user's directory user name and select Check User. If the system finds a match, the user's information is automatically populated. The remaining settings in this section are only available after you have successfully located an active directory user with the Check User button.

    Full Name

    Use Edit Attributes to allow any option that syncs a blank value from the directory to be edited. Edit Attributes also enables you to populate matching user's information automatically.

    If a setting syncs an actual value from the directory, then that setting must be edited in the directory itself. The change takes effect on the next directory sync. Complete any blank option returned from the directory in Full Name and select Edit Attributes to save the addition.

    Display Name Enter the name that displays in the admin console.
    Email Address Enter or edit the user's email address.
    Email user name Enter or edit the user's email user name.
    Domain (email) Select the email domain from the drop-down menu.
    Phone Number Enter the user's phone number including plus sign, country code, and area code. If you intend to use SMS to send notifications, the phone number is required.
    Enrollment
    Enrollment Organization Group Select the organization group into which the user enrolls.
    Allow the user to enroll into additional Organization Groups Choose whether or not to allow the user to enroll into more than one organization group. If you select Enabled, then complete the Additional Organization Groups.
    User Role Select the role for the user you are adding from this drop-down menu.
    Notification
    Message Type Choose the type of message you may send to the user, Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number text box.
    Message Template Choose the template for email or SMS messages from this drop-down setting. Optionally, select the Message Preview to preview the template and select the Configure Message Templates link to create a template.
  3. You may optionally select the Advanced tab and complete the following settings.
    Setting Description
    Advanced Info Section
    Email Password Enter the email password of the user you are adding.
    Confirm Email Password Confirm the email password of the user you are adding.
    Distinguished Name For directory users recognized by Workspace ONE UEM, this text box is pre-populated with the distinguished name of the user. Distinguished Name is a string representing the user name and all authorization codes associated with an Active Directory user.
    Manager Distinguished Name Enter the distinguished name of the user's manager. This text box is optional.
    Category Choose the user category for the user being added.
    Department Enter the user's department for your company's administrative purposes.
    Employee ID Enter the user's employee ID for your company's administrative purposes.
    Cost Center Enter the user's cost center for your company's administrative purposes.
    Custom Attribute 1–5 (for Directory users only)

    Enter your previously configured custom attributes, where applicable. You may define these custom attributes by navigating to Groups & Settings > All Settings > Devices & Users > Advanced > Custom Attributes.

    Note: Custom attributes can be configured only at Customer organization groups.
    Certificates Section
    Use S/MIME

    Enable or disable the use of Secure/Multipurpose Internet Mail Extensions (S/MIME). If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate by selecting Upload.

    Separate Encryption Certificate

    Enable or disable the use of a separate encryption certificate. If enabled, you must upload an encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing and encryption, unless a different certificate is expressly being used.

    Old Encryption Certificate

    Enable or disable a legacy version encryption certificate. If enabled, you must Upload an encryption certificate.

    Staging Section
    Enable Device Staging

    Enable or disable the staging of devices.

    If enabled, you must choose between Single User Devices and Multi User Devices.

    If Single User Devices, you must select between Standard, where users themselves log in and Advanced, where a device is enrolled on behalf of another user.

    See Device Staging for more information.

  4. Select Save to save only the new user or select Save and Add Device to save the new user and proceed to the Add Device page.