Think of organization groups as individual branches on a family tree, with each leaf as a device user. Workspace ONE UEM powered by AirWatch identifies each leaf and establishes its standing in the family tree using organization groups (OG). Most customers make OG trees look like their corporate hierarchy: Executives, Management, Operations, Sales, and so forth.

You can also establish OGs based on Workspace ONE UEM features and content.

You can access organization groups by navigating to Groups & Settings > Groups > Organization Groups > List View or through the organization group drop-down menu.

  • Build groups for entities within your organization (Management, Salaried, Hourly, Sales, Retail, HR, Exec, and so on).
  • Customize hierarchies with parent and child levels (for example, 'Salaried' and 'Hourly' as children under 'Management').
  • Integrate with multiple internal infrastructures at the tier level.
  • Delegate role-based access and management based on a multi-tenant structure.

Note: The Organization Groups List View defines "Active Devices" as only those devices that have reported back to the Workspace ONE UEM console within the prior 8-hour period.

Characteristics of Organization Groups

Organization groups can accommodate functional, geographic, and organization entities and enable a multi-tenancy solution.

  • Scalability – Flexible support for exponential growth.
  • Multi-tenancy – Create groups that function as independent environments.
  • Inheritance – Streamline the setup process by setting child groups to inherit parent configurations.

Using the example of the organization group drop-down menu, profiles, features, applications, and other MDM settings can be set at the 'World Wide Enterprises' level.

Settings are inherited down to child organization groups, such as AsiaPacific and EMEA or even further down to grand-child AsiaPacific > Manufacturing or even great grand-child AsiaPacific > Operations > Corporate.

Settings between sibling organization groups such as AsiaPacific and EMEA take advantage of the multi-tenant nature of OGs, by keeping these settings separate from one another. However, these two sibling OGs do inherit settings from their parent OG, World Wide Enterprises.

Alternatively, you can opt to override settings at a lower level and alter only the settings that you want to change or keep. These settings can be altered or carried down at any level.

Considerations for Setting Up Organization Groups

Before setting up your organization group (OG) hierarchy in the Workspace ONE UEM console, first decide on the group structure. The group structure allows you to make the best use of settings, applications, and resources.

  • Delegated Administration – You can delegate administration of subgroups to lower-level administrators by restricting their visibility to a lower organization group.
    • Corporate administrators can access and view everything in the environment.
    • LA manager has access to the LA OG and can manage only those devices.
    • NY manager has access to the NY OG and can manage only those devices.
  • System Settings – Settings can be applied at different levels in the organization group tree and inherited down. They can also be overridden at any level. Settings include device enrollment options, authentication methods, privacy settings, and branding.
    • Overall company establishes an enrollment against the company Active Directory server.
    • Driver devices override the parent authentication and allow a token-based enrollment.
    • Warehouse devices inherit the AD settings from the parent group.
  • Device Use Case – A profile can be assigned to one or several organization groups. Devices in those groups can then receive that profile. Refer to the Profiles section for more information. Consider configuring devices using profile, application, and content settings according to attributes such as device make, model, ownership type, or user groups before creating organization groups.
    • Executive devices cannot install applications and have access to the Wi-Fi sales network.
    • Sales devices are allowed to install applications and have VPN access.

Compare Two Organization Groups

You can compare the settings of one organization group to another to mitigate version migration issues. The Organization Group Compare feature is only available for on-premises customers.

You can perform the following tasks when you compare OG settings.

  • Upload XML files containing the OG settings from different Workspace ONE UEM software versions.
  • Eliminate the possibility of a difference in configuration causing problems during version migration.
  • Filter the comparison results, allowing you to display only the settings you are interested in comparing.
  • Search for a single setting by name with the search function.

For example, in a version migration scenario where a User Acceptance Testing (UAT) server has been upgraded, configured, and tested, you can compare the UAT settings directly to the production settings.

  1. Navigate to Groups & Settings > All Settings > Admin > Settings Management > Settings Comparison.
  2. Select an OG in your environment from the left drop-down menu (labeled with the numeral 1). Alternatively, upload the XML settings file by selecting the Upload button and selecting an exported OG setting XML file.
  3. Select the comparison OG on the right drop-down menu (labeled with the numeral 2).
  4. Display a list of all settings for both selected organization groups by selecting the Update button.
    • Differences between the two sets of OG settings are automatically highlighted.
    • You can optionally enable the Show Differences Only check box. This check box displays only those settings that apply to one OG but not the other.
    • Individual settings that are empty (or not specified) display in the comparison listing as 'NULL'.

Create Organization Groups

You must create an organization group (OG) for each business entity where devices are deployed. Understand that the OG you are currently in is the parent of the child OG you are about to create.

  1. Navigate to Groups & Settings > Groups > Organization Groups > Details.
  2. Select the Add Child Organization Group tab and complete the following settings.
    • Name – Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters only. Do not use odd characters.
    • Group ID – Enter an identifier for the OG for the end users to use during the device login. Group IDs are used during the enrollment of group devices to the appropriate OG.

      Ensure that users sharing devices receive the Group ID as it might be required for the device to log in depending on your Shared Device configuration.

      If you are not in an on-premises environment, the Group ID identifies your organization group across the entire shared SaaS environment. For this reason, all Group IDs must be uniquely named.
    • Type – Select the preconfigured OG type that reflects the category for the child OG.
    • Country – Select the country where the OG is based.
    • Locale – Select the language classification for the selected country.
    • Customer Industry – This setting is only available when Type is Customer. Select from the list of Customer Industries.
    • Time Zone – Select the time zone for the OG's location.
  3. Select Save.

Identify the Group ID for Any Organization Group

You can identify the group ID for any organization group by taking the following steps.

  1. Move to the organization group you want to identify by selecting it from the organization group drop-down menu.
  2. Hover your pointer over the OG label. A popup displays the name and group ID for the currently selected organization group.

Inheritance, Multi-Tenancy, and Authentication

The concept of overriding settings on a per-organization group basis, when combined with organization group (OG) characteristics such as inheritance and multi-tenancy, can be further combined with authentication. This combination provides for flexible configurations.

The following organization group model illustrates this flexibility.

This diagram shows an organization group hierarchy model consisting of a Parent, a child, and a grandchild.

In this model, Administrators, generally in possession of greater permissions and functionality, are positioned at the top of this OG branch. These administrators log into their OG using SAML that is specific to admins.

Corporate users are subservient to administrators so their OG is arranged as its child. Being users and not administrators, their SAML login setting cannot inherit the administrator setting. Therefore, the Corporate users' SAML setting is overridden.

BYOD users differ from Corporate users. Devices used by BYOD users belong to the users themselves and likely contain more personal information. So these device profiles might require slightly different settings. BYOD users might have a different terms of use agreement. BYOD devices might need different enterprise wipe parameters. For all these reasons and more, it might make sense for BYOD users to log into a separate OG.

And while not subservient to Corporate users in a corporate hierarchy sense, placing BYOD users as a child of Corporate users has advantages. This arrangement means that BYOD users inherit settings applicable to ALL corporate user devices simply by applying them to the Corporate users OG.

Inheritance also applies to SAML authentication settings. Since BYOD users is a child of Corporate users, BYOD users inherit their SAML for users' authentication settings.

An alternate model is to make BYOD users a sibling of Corporate users.

This diagram shows an organization group hierarchy model consisting of a Parent and two children.

Under this alternate model, the following is true.

  • All device profiles meant to apply globally to ALL devices, including compliance policies and other globally applicable device settings, are applied to two organization groups instead of one. This duplication is needed because inheritance from Corporate users to BYOD users is no longer a factor in this model. Corporate users and BYOD users are peers, so there is no inheritance between them.
  • Another SAML override must be applied to BYOD users. This override is necessary because the system assumes it is inheriting SAML settings from its parent, Administrators. Such an assumption is a mistake because BYOD users are not administrators and do not have the same access and permissions.
  • BYOD users continue to be handled separately from Corporate users. This alternate model means that they continue to enjoy their own device profile settings.

What factor determines which model is the best? Compare the number of globally applicable device settings with the number of group-specific device settings. Basically, if you want to treat all devices in generally the same way, then consider making BYOD users a child of Corporate users. If maintaining separate settings is more important, then consider making BYOD users a sibling of Corporate users.
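
The difference between the two models can be checked mechanically before the hierarchy is built. The following Python model is an added example, not VMware code or a Workspace ONE UEM API: it resolves each OG's effective settings by walking up to the nearest override, then flags any non-administrator OG whose effective SAML setting is still the administrators' one. The class, setting keys, and values are hypothetical.

```python
# Added illustration of OG inheritance and override; not Workspace ONE UEM code.
# Setting keys ("saml", "compliance_policy", ...) and values are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OG:
    name: str
    parent: Optional["OG"] = None
    overrides: dict = field(default_factory=dict)  # settings configured at this OG

    def effective(self, key):
        """Return (value, name of the OG that supplies it), nearest override first."""
        node = self
        while node is not None:
            if key in node.overrides:
                return node.overrides[key], node.name
            node = node.parent
        return None, None  # not configured anywhere on this branch


def build(model):
    """Build the 'child' or 'sibling' model; BYOD users has no SAML override yet."""
    admins = OG("Administrators", overrides={"saml": "admin-idp"})
    corp = OG("Corporate users", admins,
              {"saml": "user-idp", "compliance_policy": "baseline"})
    byod = OG("BYOD users", corp if model == "child" else admins,
              {"enterprise_wipe": "byod-rules"})
    return admins, corp, byod


def audit_saml(ogs, admin_og):
    """List (OG, source) pairs where a non-admin OG resolves to the admin SAML."""
    admin_value = admin_og.overrides["saml"]
    findings = []
    for og in ogs:
        value, source = og.effective("saml")
        if og is not admin_og and value == admin_value:
            findings.append((og.name, source))
    return findings


if __name__ == "__main__":
    for model in ("child", "sibling"):
        admins, corp, byod = build(model)
        print(model, byod.effective("saml"), byod.effective("compliance_policy"),
              audit_saml([admins, corp, byod], admins))
```

In the sibling model the audit reports BYOD users until a SAML override is added there, and the globally intended compliance setting no longer reaches BYOD users, which is the duplication described in the list above.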

Organization Group Restrictions

If you attempt to configure an organization group (OG)-limited setting, the settings pages under Groups & Settings > All Settings notify you of the limitation.

This setting can be enabled only at organization group of type "customer".

The following restrictions apply to creating Customer-level organization groups.

  • Whether you are in a software-as-a-service (SaaS) or on-premises environment, you cannot create nested customer OGs.

Organization Group Type Functions

The type of an organization group can have an impact on what settings an admin can configure.

  • Global – The top-most organization group. Usually, this group is called Global and has type Global.
    • For hosted SaaS environments, you are not able to access this group.
    • On-premises customers can turn on Verbose logging at this level.
  • Partner – Top-level organization group for partners (third-party resellers of Workspace ONE UEM).
  • Customer – The top-level organization group for each customer.
    • A customer organization group cannot have any children/parent organization groups that are of the customer type.
    • Some settings can only be configured at a Customer group. These settings filter down to lower organizations. Some examples of such settings include autodiscovery email domains, Volume Purchase Program settings, Device Enrollment Program settings (before AirWatch 8.0), and personal content.
  • Container – The default organization group type.
    • All organization groups beneath a customer organization group must be of the container type. You can have containers between Partner and Customer groups.
  • Prospect – Potential customers. Similar to a customer organization group. Might have less functionality than a true customer group.

There are additional Organization Group types such as Division, Region, and the ability to define your own Organization Group type. These types do not have any special characteristics and function identically to the Container Organization Group type.

Adding Devices at Global

The Global organization group (OG) is designed to house Customer and other types of OGs. Given the way inheritance works, if you add devices to Global and configure Global with settings intended to affect those devices, you are also affecting all the Customer OGs underneath. This undermines the benefits of multitenancy and inheritance.

For more information, see Reasons You Should Not Enroll Devices in Global.