Basic vs. Directory Services Enrollment

You can enroll existing users and groups of directory services like Active Directory (AD), Lotus Domino, and Novell e-Directory. If you do not have such an infrastructure or you choose not to integrate with it, you must perform Basic Enrollment in Workspace ONE UEM.

Basic Enrollment refers to the process of manually creating user accounts and user groups for each of your users. If your organization is not integrating Workspace ONE UEM with a directory service, basic enrollment is how you create user accounts.

If you have a few basic accounts to create, then create them one at a time as described in Create Basic User Accounts.

For basic enrollments involving larger end-user numbers, you can save time by filling out and uploading CSV (comma-separated values) template files. These files contain all user information you add and are introduced to UEM through the batch import feature. For more information, see the topic Batch Import Users or Devices.

Note: While Workspace ONE UEM supports a mix of both Basic and Directory-based users, you typically use one or the other for the initial enrollment of users and devices.

Pros and Cons

Basic Enrollment

  Pros:
  - Can be used for any deployment method.
  - Requires no technical integration.
  - Requires no enterprise infrastructure.
  - Can enroll into potentially multiple organization groups.
  - Can edit custom attributes currently in use.

  Cons:
  - Credentials only exist in Workspace ONE UEM and do not necessarily match existing corporate credentials.
  - Offers no federated security.
  - Single sign-on is not supported.
  - Workspace ONE UEM stores all user names and passwords.
  - Cannot be used for Workspace ONE Direct Enrollment.

Directory Service Enrollment

  Pros:
  - End users authenticate with existing corporate credentials.
  - Detects and syncs changes from the directory system into Workspace ONE UEM automatically. For instance, when you deactivate users in AD, the corresponding user account in the Workspace ONE UEM console is marked inactive.
  - Secure method of integrating with your existing directory service.
  - Standard integration practice.
  - Can be used for Workspace ONE Direct Enrollment.
  - SaaS deployments using the AirWatch Cloud Connector require no firewall changes and offer a secure configuration for connecting to other infrastructure, such as Microsoft ADCS, SCEP, and SMTP servers.

  Cons:
  - Requires an existing directory service infrastructure.
  - SaaS deployments require additional configuration because the AirWatch Cloud Connector is installed behind the firewall or in a DMZ.
  - Cannot edit custom attributes currently in use.

Enrollment Considerations, Basic Versus Directory

Beyond the pros and cons of Basic versus Directory users listed above, end-user enrollment raises further questions to consider.

Consideration #1: Who Can Enroll?

In answering this question, consider the following.

  • Is the intent of your MDM deployment to manage devices for all your organization’s users at or below the base DN ** you configured? If so, the easiest way to achieve this arrangement is to allow all users to enroll by ensuring the Restrict Enrollment check boxes are deselected.

    You can allow all users to enroll during the initial deployment rollout and then afterward, restrict the enrollment to prevent unknown users from enrolling. As your organization adds new employees or members to existing user groups, these changes are synced and merged.

  • Are there certain users or groups who are not to be included in MDM? If so, you must either add users one at a time or batch import a CSV (comma-separated values) file of only eligible users.

** The base DN, or distinguished name, is the point from which a server searches for users. A distinguished name is a name that uniquely identifies an entry in the directory. Every entry in the directory has a DN.
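The base DN defines the scope of the directory search, so "at or below the base DN" is a question of whether an entry's distinguished name ends in the base DN's sequence of RDNs. The following is an added example, not code from the Workspace ONE UEM documentation or product, that shows how to make that check correctly: it compares whole RDNs rather than raw string suffixes, so an entry under dc=notexample,dc=com is not mistaken for one under dc=example,dc=com. The function names are hypothetical and every DN in it is a constructed sample value.

```python
# Added example, not from the Workspace ONE UEM documentation: deciding whether
# a directory entry is "at or below" a configured base DN. Function names are
# hypothetical; every DN below is a constructed sample value.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into normalised (attribute, value) RDN pairs, leaf first.

    A backslash escapes the next character, so a value such as
    "Smith\\, John" keeps its comma. Attribute types are case-insensitive in
    LDAP; values are lower-cased too, which matches caseIgnoreMatch
    attributes such as cn, ou and dc.
    """
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def is_under_base_dn(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is the base DN itself or lies in the subtree below it.

    The check compares whole RDNs from the root end, so
    "dc=notexample,dc=com" is not treated as a child of "dc=example,dc=com"
    the way a naive string-suffix test would.
    """
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    return entry[len(entry) - len(base):] == base


def in_scope(entry_dns: list[str], base_dn: str) -> list[str]:
    """Return the entries a directory search rooted at base_dn would reach."""
    return [dn for dn in entry_dns if is_under_base_dn(dn, base_dn)]


if __name__ == "__main__":
    # Constructed sample directory entries.
    sample = [
        "cn=jdoe,ou=Sales,dc=example,dc=com",
        "cn=Smith\\, John,ou=Users,dc=example,dc=com",
        "cn=svc,ou=Contractors,dc=notexample,dc=com",
        "cn=admin,dc=example,dc=com",
    ]
    for dn in in_scope(sample, "OU=Sales,DC=example,DC=com"):
        print(dn)
```

Narrowing the base DN to a specific OU is the simplest way to keep users outside that subtree from ever being candidates for enrollment; the Restrict Enrollment check boxes then act as a second filter on top of the search scope.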

Consideration #2: Where Will Users Be Assigned?

Another consideration to make when integrating your Workspace ONE UEM environment with directory services is how you assign directory users to organization groups during an enrollment. In answering this question, consider the following.

  • Have you created an organization group structure that logically maps to your directory service groups? You must complete this task before you can edit user group assignments.
  • If your users enroll their own devices, letting them select a Group ID from a list is simple, but this simplicity leaves room for human error and can lead to incorrect group assignments.

You can automatically select a Group ID based on a user group or allow users to select a Group ID from a list. These Group ID Assignment Mode options are available by navigating to Devices > Device Settings > Devices & Users > General > Enrollment and selecting the Grouping tab.

Enabling Directory Service-Based Enrollment

Directory service enrollment refers to the process of integrating Workspace ONE UEM with your directory service infrastructure. Integrating your directory service in this manner means you can import users automatically and, optionally, user groups such as security groups and distribution lists.

When integrating with a directory service such as Active Directory (AD), you have options for how you import users.

  • Allow all directory users to enroll – You can allow all your directory service users to enroll. You can also set up your environment to auto-discover users based on their email address and create a Workspace ONE UEM user account for them when they perform an enrollment.
  • Add users one by one – After integrating with a directory service, you can add users individually in the same manner as creating basic Workspace ONE UEM user accounts. The only difference is that you must enter their user name and select Check User to auto-populate the remaining information from your directory service.
  • Batch upload a CSV file – Using this option, you can import a list of directory services accounts in a CSV (comma-separated values) template file. This file has specific columns, some of which cannot be left blank.
  • Integrate with user groups (Optional) – With this method, you can use your existing user group memberships to assign profiles, apps, compliance policies, and so on.

Note: For information about how to integrate your Workspace ONE UEM environment with your directory service, including SAML provider integration, refer to the Integrate Directory Service Guide.

Directory Service Integration and Enrollment Restrictions

When directory service integration is configured on Workspace ONE UEM, directory service accounts inherit enrollment settings from the organization group (OG) from which the directory service is configured. Basic accounts, however, abide by local settings including overrides.

The diagram shows a simple organization group model of a parent and a child OG.

Taking the above organization group model as an example, assume the option Enterprise Wipe devices of users that are removed from configured groups is enabled on the OG named ‘Customer’.

Given this scenario, directory enrollment users in the Sales01 child OG who leave a configured group see their devices wiped despite the enrollment restriction override configured in that OG. This is true even if those accounts have devices enrolled in a different OG, because enrollment settings are user-centric, not device-centric.

However, in this same scenario, devices belonging to basic enrollment users of Sales01 OG who leave a configured group are not wiped. This is because basic enrollment users in Sales01 are not a part of the directory service-integrated OG and therefore recognize and abide by the enrollment restriction override.
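To make the two resolution rules concrete, the following is an added example, not the product's own code, that models the Customer/Sales01 scenario above as a small organization group tree and resolves the wipe setting per user: directory users take it from the OG where the directory service is configured, basic users from their local OG including overrides, and in neither case do the OGs where the user's devices are enrolled matter. Class and function names are hypothetical and the OG tree and accounts are constructed sample data.

```python
# Added example, not the product's code: a minimal model of how the setting
# "Enterprise Wipe devices of users that are removed from configured groups"
# resolves for directory and basic users in an organization group (OG) tree,
# following the rules described above. Class and function names are
# hypothetical; the OG tree and user accounts are constructed sample data.

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OrgGroup:
    name: str
    parent: Optional["OrgGroup"] = None
    # True where the directory service is configured (the "Customer" OG).
    directory_configured: bool = False
    # Local value of the wipe setting; None means "inherit from the parent",
    # an explicit True/False is an override at this OG.
    wipe_on_group_removal: Optional[bool] = None


@dataclass
class User:
    name: str
    kind: str                 # "directory" or "basic"
    home_og: OrgGroup         # OG the user account belongs to
    device_ogs: list[OrgGroup] = field(default_factory=list)


def local_setting(og: OrgGroup) -> bool:
    """Nearest explicit value walking up from og (overrides included)."""
    node: Optional[OrgGroup] = og
    while node is not None:
        if node.wipe_on_group_removal is not None:
            return node.wipe_on_group_removal
        node = node.parent
    return False  # constructed default when no OG sets the option


def directory_og(og: OrgGroup) -> Optional[OrgGroup]:
    """The OG (self or ancestor) where the directory service is configured."""
    node: Optional[OrgGroup] = og
    while node is not None:
        if node.directory_configured:
            return node
        node = node.parent
    return None


def wipes_on_group_removal(user: User) -> bool:
    """Decide whether leaving a configured group wipes this user's devices.

    Directory users take the setting from the OG where the directory service
    is configured, ignoring overrides below it; basic users abide by the local
    setting at their own OG. The decision is per user, so the OGs in which the
    user's devices are enrolled play no part.
    """
    if user.kind == "directory":
        source = directory_og(user.home_og)
        if source is None:
            raise ValueError(f"{user.name}: no directory service above {user.home_og.name}")
        return local_setting(source)
    if user.kind == "basic":
        return local_setting(user.home_og)
    raise ValueError(f"unknown account kind {user.kind!r}")


def build_sample() -> tuple[OrgGroup, OrgGroup]:
    """Constructed tree matching the scenario above: Customer -> Sales01."""
    customer = OrgGroup("Customer", directory_configured=True, wipe_on_group_removal=True)
    sales01 = OrgGroup("Sales01", parent=customer, wipe_on_group_removal=False)  # override
    return customer, sales01


if __name__ == "__main__":
    customer, sales01 = build_sample()
    other = OrgGroup("Marketing", parent=customer)
    for u in (
        User("dir.user", "directory", sales01, device_ogs=[other]),
        User("basic.user", "basic", sales01),
    ):
        print(u.name, "->", "wipe" if wipes_on_group_removal(u) else "keep")
```

The practical consequence for an administrator is that an override set on a child OG only protects basic accounts there; to change the behaviour for directory accounts, the setting has to be changed at the OG where the directory service itself is configured.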
