You can group sets of users into user groups which, like organization groups, act as filters for assigning profiles and applications. When configuring your environment in Workspace ONE UEM, align user groups with security groups and business roles within your organization.

You can assign profiles, compliance policies, content, and applications to users and devices with user groups. You can add your existing directory service groups into Workspace ONE UEM or create user groups from scratch.

As an alternative to user groups, you can also manage content by assigning devices according to a preconfigured range of network IP address or custom attributes.

User Groups List View

The User Groups List View page features useful tools for common user group maintenance and upkeep, including viewing, merging, deleting user groups, adding missing users, and syncing user groups.

You can use the User Groups List View to create lists of user groups immediately, based on criteria that is most important to you. You can also add new user groups individually or in bulk.

Navigate to Accounts > User Groups > List View.

Action Description

Filters

Display only the desired user groups by using the following filters.

  • User Group Type.
  • Sync Status.
  • Merge Status.
Add  

Add User Group.

Perform a one-off addition of either a Directory-Based User Group or a Custom User Group.

Batch Import

Import new user groups in bulk by using a comma-separated values (CSV) file. You can organize multiple user groups at a time by entering a unique name and description.
Sorting and Resizing Columns Columns in the List View that are sortable are Group Name, Last Sync On, Users, and Merge Status. Columns that can be resized are Group Name and Last Sync On.
Details View View basic user group information in the Details View by selecting the link in the Group Name column. This information includes group name, group type, external type, manager, and number of users. Details View also includes a link to the group-mapping settings in All Settings > Devices & Users > General > Enrollment in the Grouping tab.
Export () Save an XLSX or CSV (comma-separated values) file of the entire unfiltered or filtered List View. Both file formats can be viewed and analyzed with MS Excel.

The User Groups List View also features a selection check box and Edit icon to the left of the user. Selecting the Edit icon (The edit icon is shaped like a gray pencil.) enables you to make basic changes to the user group. You can make bulk actions on user groups by selecting one or more groups which reveals the action buttons for the listing.

More Actions for User Groups

You can select more than one user group by selecting as many check boxes as you like. Doing so modifies the available action buttons and also makes the available actions apply to multiple groups and their respective users.

Action Description
Sync Copy recently added user group users to the temporary table, manually, ahead of the scheduled, automated Active Directory sync by Workspace ONE UEM and Workspace ONE Express.
Note: The user attributes synchronization process continues even if a duplicate user is encountered. When such a sync failure occurs, an entry is made to the console event log for troubleshooting purposes, called DuplicateUserSyncFailure. Review this and other console event log entries by navigating to Monitor > Reports and Analytics > Events > Console Events.
View Users Displays the User Group Members screen, enabling you to review the user names of all the members in the selected user group.
More Actions  

View and Merge

View, Add, and Remove users recently added to the temporary user group table. User group users that appear in this table await the automated user group sync in Workspace ONE UEM and Workspace ONE Express.

Add Missing Users

Combine the temporary user group table with the Active Directory table, making the addition of these new users in the user group official.

Delete

Delete a user group.

Add Users to User Groups

You can add users to user groups as the need arises. If you do not want to wait for the Active Directory synchronization of user groups, which is a scheduled, automatic occurrence, then you can manually sync user groups.

When you have a new user to add to one or more user groups, follow these steps.

  1. Navigate to Accounts > Users > List View.
  2. Select one or more users in the listing by inserting a check mark in the check box to the left.
  3. Select the More Actions button and then select Add To User Group. The Add Selected Users Into Custom User Group page displays.
  4. You can add users to an Existing User Group or create a New User Group.
  5. Select the Group Name.
  6. Select Save.
  7. Navigate to Accounts > User Groups > List View.
    1. The Active Directory (AD) synchronization (which is an automated, scheduled process) copies these pending user group users to a temporary table. Then these user group users are reviewed, added, or removed.
    2. If you do not want to wait for the automated AD sync, you can synchronize manually. Start a manual synchronization by selecting the user group to which you added users, then select the Sync button.
      Note: The user attributes synchronization process continues even if a duplicate user is encountered. When such a sync failure occurs, an entry is made to the console event log for troubleshooting purposes, called DuplicateUserSyncFailure. Review this and other console event log entries by navigating to Monitor > Reports and Analytics > Events > Console Events.
  8. You can optionally select More > View and Merge to perform maintenance tasks such as review, add, and remove pending user group users.
  9. Combine the temporary table of pending user group users with the Active Directory user group users by selecting More > Add Missing Users.

Add User Groups Without Directory Integration, Custom

Creating a user group outside of your existing Active Directory structure allows you to create specialized groups of users at any time. Customize user groups according to your deployment by specifically designing access to features and content, which might be preferred depending upon the kind of user group you need.

For instance, you can create a temporary user group for a specific project requiring specialized apps, device profiles, and compliance policies.

For more information about adding user groups in bulk, see Batch Import User Groups.

Custom user groups can only be added at a customer level organization group.

  1. Navigate to Accounts > User Groups > List View and select Add and then Add User Group.
  2. Change the user group Type option to Custom.
  3. Enter the Group Name and Description used to identify the user group in the Workspace ONE UEM console.
  4. Confirm the organization group that manages the user group and select Save.
  5. You can then add users to this new user group by navigating to Accounts > Users > List View.

Add multiple users by selecting check boxes to the far-left of each listed user name. Next, select the Management button above the column headings and select Add to User Group.

Add User Groups With Directory Integration

An alternative to custom user groups without active directory integration is through user group integration that applies your existing active directory structure, providing many benefits.

Once you import existing directory service user groups as Workspace ONE UEM user groups, you can perform the following.

  • User Management – Reference your existing directory service groups (such as security groups or distribution lists) and align user management in Workspace ONE UEM with the existing organizational systems.
  • Profiles and Policies – Assign profiles, applications, and policies across a Workspace ONE UEM deployment to groups of users.
  • Integrated Updates – Automatically update user group assignments based on group membership changes.
  • Management Permissions - Set management permissions to allow only approved administrators to change policy and profile assignments for certain user groups.
  • Enrollment – Allow users to enroll with existing credentials and automatically assign an organization group.

The administrator must designate an existing organization group as the primary root location from which the administrator manages devices and users. Directory services must be enabled at this root organization group.

You can add your existing directory service groups into Workspace ONE UEM. While integration does not immediately create user accounts for each of your directory service accounts, it ensures that Workspace ONE UEM recognizes them as user groups. You can use this group to restrict who can enroll.

For more information about adding directory user groups in bulk, see Batch Import User Groups.

Making user groups with directory integration fosters an aligned approach to device management: device enrollment plus subsequent updates, administrative overview, and user management are each in lockstep with your existing directory service structure.

Before you begin: Ensure that the user group Type is Directory.

  1. Navigate to Accounts > User Groups > List View, select Add then Add User Group.
    Setting Description
    Type

    Select the type of User Group.

    • Directory – Create a user group that is aligned with your existing active directory structure.
    • Custom – Create a user group outside of your organization's existing Active Directory structure. This user group type grants access to features and content for basic and directory users to customize user groups according to your deployment. Custom user groups can only be added at a customer level organization group.
    External Type

    Select the external type of group you are adding.

    • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    • Custom Query – You can also create a user group containing users you locate by running a custom query. Selecting this external type replaces the Search Text function but displays the Custom Query section.
    Search Text

    Identify the name of a user group in your directory by entering the search criteria and selecting Search to search for it. If a directory group contains your search text, a list of group names displays.

    This option is unavailable when External Type is set to Custom Query.

    Directory Name Read-only setting displaying the address of your directory services server.

    Domain and Group Base DN

    This information automatically populates based on the directory services server information you enter on the Directory Services page (Groups & Settings > System > Enterprise Integration > Directory Services).

    Select the Fetch DN plus sign (+) next to the Group Base DN setting, which displays a list of distinguished name elements from which you can select.

    Custom Object Class

    Identifies the object class under which your query runs. The default object class is 'person' but you can supply a custom object class to identify your users with a greater success and accuracy.

    This option is available only when Custom Query is selected as External Type.

    Group Name

    Select a Group Name from your Search Text results list. Selecting a group name automatically alters the value in the Distinguished Name setting.

    This option is available only after you have completed a successful search with the Search Text setting.

    Distinguished Name

    This read-only setting displays the full distinguished name of the group you are creating.

    This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Base DN

    Identifies the base distinguished name which serves as the starting point of your query. The default base distinguished name is 'AirWatch' and 'sso'. However, if you want to run the query with a different starting point, you can supply a custom base distinguished name.

    This option is available only when Custom Query is selected as External Type.

    Organization Group Assignment

    This optional setting enables you to assign the user group you are creating to a specific organization group.

    This option is available only when Group or Organizational Unit is selected as External Type.

    User Group Settings

    Select between Apply default settings and Use Custom settings for this user group. See the Custom Settings section for additional setting descriptions. You can configure this option from the permission settings after the group is created.

    This option is available only when Group or Organizational Unit is selected as External Type.

    Custom Query - Query This setting displays the currently loaded query that runs when you select the Test Query button and when you select the Continue button. Changes you make to the Custom Logic setting or the Custom Object Class setting are reflected here.
    Custom Logic Add your custom query logic here, such as user name or admin name. For example, "cn=jsmith". You can include as much or as little of the distinguished name as you like. The Test Query button allows you to see if the syntax of your query is correct before selecting the Continue button.
    Custom Settings - Management Permissions You can allow or disallow all administrators to manage the user group you are creating.
    Default Role Select a default role for the user group from the drop-down menu.
    Default Enrollment Policy Select a default enrollment policy from the drop-down menu.
    Auto Sync with Directory

    This option enables the directory sync, which detects user membership from the directory server and stores it in a temporary table. Administrators approve changes to the console unless the Auto Merge option is selected.

    If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Auto Merge Changes Enable this option to apply sync changes automatically from the database without administrative approval.
    Maximum Allowable Changes

    Use this setting to set a threshold for the number of automatic user group sync changes that can occur before approval must be given.

    Changes more than the threshold need admin approval and a notification is sent to this effect.

    This option is available only when Auto Merge Changes is enabled.

    Add Group Members Automatically

    Enable this setting to add users to the user group automatically.

    If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be disabled.

    Send Email to User when Adding Missing Users Enable to send an email to users when missing users are being added to the user group. Adding missing users means combining the temporary user group table with the Active Directory table.
    Message Template

    This option is available only when Send Email to User when Adding Missing Users is enabled.

    Select a message template to be used for the email notification during the addition of missing users to the user group.

    When adding active directory users new to the Workspace ONE UEM console, the message template availability depends upon the enrollment mode as configured in Groups & Settings > All Settings > Devices & Users > General > Enrollment selecting Authentication, and making a choice in the Devices Enrollment Mode option.

    When Open Enrollment is selected as the Devices Enrollment Mode, a User Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll.

    When Registered Devices Only is selected as the Devices Enrollment Mode, a Device Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll their devices. If Require Registration Token is enabled, the device can be registered with the token embedded in the message.

    For more information on Distinguished Name, search for Microsoft's TechNet article entitled "Object Naming" at https://technet.microsoft.com/.

  2. Select Save.

Edit Your User Group Permissions

Fine-tuning user group permissions allows you to reconsider who inside your organization can edit certain groups. For example, if your organization has a user group for company executives, you might not want lower-level administrators to have management permissions for that user group.

Use the Permissions page to control who can manage certain user groups and who can assign profiles, compliance policies, and applications to user groups.

  1. Navigate to Accounts > User Groups > List View.
  2. Select the Edit icon of an existing user group row.
  3. Select the Permissions tab, then select Add.
  4. Select the Organization Group you want to define permissions for. You must select an organization group (OG) that is within the root OG hierarchy of the user group.
  5. Select the Permissions you want to enable.
    • Manage Group (Edit/Delete) – Activate the ability to edit and delete user groups.
    • Manage Users Within Group and Allow Enrollment – Manage users within the user group and to allow a device enrollment in the OG. This setting can only be enabled when Manage Group (Edit/Delete) is also enabled. If Manage Group (Edit/Delete) is disabled, then this setting is also disabled.
    • Use Group For Assignment – Use the group to assign security policies and enterprise resources to devices. This setting can only be changed if Manage Group (Edit/Delete) is disabled. If Manage Group (Edit/Delete) is enabled, then this setting becomes locked and uneditable.
      • This setting is disabled when the user group is managed by a parent OG and you want to assign the group from one of its children OGs.
  6. Select the Scope of these permissions, that is, which groups of administrators are allowed to manage or use this user group. Only one of the following options may be active.
    • Administrator Only – The permissions affect only those administrators at the parent OG.
    • All Administrators at or below this Organization Group – The permissions affect the administrators in the OG and all administrators in all child OGs underneath.

Access User Details

After your users and user groups are in place, you can view all user information regarding user details, associated devices, and interactions.

Access user information from any location in the Workspace ONE UEM console where the user name is displayed, including each of the following pages in the console.

  • User Group Members (Accounts > User Groups > Details View > More > View Users)
  • Users List View (Accounts > Users > List View)
  • Administrators List View (Accounts > Administrators > List View).

The User Details page is a single-page view.

  • All associated user groups.
  • All Devices associated with the user over time and a link to all enrolled devices.
  • All devices a user has checked-out in a Shared Device Environment and a link to complete check-in/check-out device history.
  • All device- and user-specific event logs.
  • All assigned, accepted, and declined Terms of Use.

Encrypt Personal Details

You can encrypt personally identifiable information including first name, last name, email address, and phone number.

  1. Navigate to Groups & Settings > All Settings > System > Security > Data Security from the Global or Customer-level organization group for which you want to configure encryption.
  2. Enable the Encrypt User Information setting, then select individual user data settings to activate encryption. Doing so disables the search, sort, and filter functionality.
  3. Click Save to encrypt user data so it is not accessible in the database. Doing so limits some features in the Workspace ONE UEM console, such as search, sort, and filter.