You can enroll existing users and groups from directory services such as Active Directory (AD), Lotus Domino, and Novell eDirectory. If you do not have such an infrastructure, or you choose not to integrate with it, you must perform Basic Enrollment in Workspace ONE UEM.
Basic Enrollment refers to the process of manually creating user accounts and user groups for each of your organization's users. If your organization is not integrating Workspace ONE UEM with a directory service, basic enrollment is how you create user accounts.
If you have a few basic accounts to create, then create them one at a time as described in Create Basic User Accounts.
For basic enrollments involving larger numbers of end users, you can save time by filling out and uploading CSV (comma-separated values) template files. These files contain all the user information you want to add and are loaded into UEM through the batch import feature. For more information, see the topic Batch Import Users or Devices.
Note: While Workspace ONE UEM supports a mix of both Basic and Directory-based users, you typically use one or the other for the initial enrollment of users and devices.
Basic Enrollment

Pros:
- Can be used for any deployment method.
- Requires no technical integration.
- Requires no enterprise infrastructure.
- Can enroll into potentially multiple organization groups.

Cons:
- Credentials only exist in Workspace ONE UEM and do not necessarily match existing corporate credentials.
- Offers no federated security.
- Single sign-on is not supported.
- Workspace ONE UEM stores all user names and passwords.
- Cannot be used for Workspace ONE Direct Enrollment.

Directory Service Enrollment

Pros:
- End users authenticate with existing corporate credentials.
- Detects and syncs changes from the directory system into Workspace ONE UEM automatically. For instance, when you disable a user in AD, the corresponding user account in the Workspace ONE UEM console is marked inactive.
- Secure method of integrating with your existing directory service.
- Standard integration practice.
- Can be used for Workspace ONE Direct Enrollment.
- SaaS deployments using the AirWatch Cloud Connector require no firewall changes and offer a secure configuration to other infrastructure, such as Microsoft ADCS, SCEP, and SMTP servers.

Cons:
- Requires an existing directory service infrastructure.
- SaaS deployments require additional configuration because the AirWatch Cloud Connector is installed behind the firewall or in a DMZ.
When considering end-user enrollment, in addition to the pros and cons of Basic versus Directory users listed above, there are other questions to consider.
When deciding whether all users should be allowed to enroll, consider the following.
Is the intent of your MDM deployment to manage devices for all your organization's users at or below the base DN* you configured? If so, the easiest way to achieve this arrangement is to allow all users to enroll by ensuring the Restrict Enrollment check boxes are deselected.
You can allow all users to enroll during the initial deployment rollout and then afterward, restrict the enrollment to prevent unknown users from enrolling. As your organization adds new employees or members to existing user groups, these changes are synced and merged.
Are there certain users or groups who are not to be included in MDM? If so, you must either add users one at a time or batch import a CSV (comma-separated value) file of only eligible users.
*The base DN, or distinguished name, is the point from which a server searches for users. A distinguished name is a name that uniquely identifies an entry in the directory. Every entry in the directory has a DN.
Another consideration when integrating your Workspace ONE UEM environment with directory services is how you assign directory users to organization groups during enrollment. In answering this question, consider the following.
You can automatically select a Group ID based on a user group or allow users to select a Group ID from a list. These Group ID Assignment Mode options are available by navigating to Devices > Device Settings > Devices & Users > General > Enrollment and selecting the Grouping tab.
Directory service enrollment refers to the process of integrating Workspace ONE UEM with your organization's directory service infrastructure. Integrating your directory service in this manner means you can import users automatically and, optionally, user groups such as security groups and distribution lists.
When integrating with a directory service such as Active Directory (AD), you have options for how you import users.
Note: For information about how to integrate your Workspace ONE UEM environment with your directory service, including SAML provider integration, refer to the Integrate Directory Service Guide.
When directory service integration is configured on Workspace ONE UEM, directory service accounts inherit enrollment settings from the organization group (OG) from which the directory service is configured. Basic accounts, however, abide by local settings including overrides.
Taking the organization group model above (an OG named 'Customer' with a child OG named Sales01) as an example, assume the option Enterprise Wipe devices of users that are removed from configured groups is enabled on the OG named 'Customer'.
Given this scenario, directory enrollment users in the Sales01 child OG who leave a configured group see their devices wiped despite the enrollment restriction override configured in that OG. This is true even if those accounts have devices enrolled in a different OG, because enrollment settings are user-centric, not device-centric.
However, in this same scenario, devices belonging to basic enrollment users of Sales01 OG who leave a configured group are not wiped. This is because basic enrollment users in Sales01 are not a part of the directory service-integrated OG and therefore recognize and abide by the enrollment restriction override.
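The setting resolution described in the scenario above, written out as an added Python model (this is illustration code, not Workspace ONE UEM's own implementation; the OG names, the `wipe_on_group_removal` field and the "off when nothing sets it" default are assumptions):

```python
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass
class OrganizationGroup:
    name: str
    parent: Optional["OrganizationGroup"] = None
    # Local value of "Enterprise Wipe devices of users that are removed from
    # configured groups". None means no local value: inherit from the parent OG.
    wipe_on_group_removal: Optional[bool] = None
    # True on the OG where directory service integration is configured.
    directory_integrated: bool = False

    def ancestry(self) -> Iterator["OrganizationGroup"]:
        """Yield this OG, then each parent up to the root."""
        og: Optional[OrganizationGroup] = self
        while og is not None:
            yield og
            og = og.parent

    def local_setting(self) -> bool:
        """Setting as seen at this OG: nearest explicit value walking up the tree."""
        for og in self.ancestry():
            if og.wipe_on_group_removal is not None:
                return og.wipe_on_group_removal
        return False  # assumption: the setting is off when no OG sets it

    def directory_root(self) -> Optional["OrganizationGroup"]:
        """The OG where directory integration is configured, if any."""
        return next((og for og in self.ancestry() if og.directory_integrated), None)


def wipe_applies(account_type: str, user_og: OrganizationGroup) -> bool:
    """Does leaving a configured group trigger an Enterprise Wipe for this user?

    Directory accounts take the setting from the OG where integration is
    configured, ignoring overrides in child OGs; basic accounts use the local
    (overridden) value. The decision keys on the user's OG, not the device's.
    """
    if account_type == "directory":
        root = user_og.directory_root()
        if root is None:
            raise ValueError(f"no directory-integrated OG above {user_og.name}")
        return root.local_setting()
    if account_type == "basic":
        return user_og.local_setting()
    raise ValueError(f"unknown account type: {account_type}")


def example_scenario() -> dict:
    """Constructed tree: 'Customer' (integrated, wipe on) -> 'Sales01' (override off)."""
    customer = OrganizationGroup("Customer", wipe_on_group_removal=True, directory_integrated=True)
    sales01 = OrganizationGroup("Sales01", parent=customer, wipe_on_group_removal=False)
    return {"directory@Sales01": wipe_applies("directory", sales01),
            "basic@Sales01": wipe_applies("basic", sales01),
            "basic@Customer": wipe_applies("basic", customer)}
```

Running `example_scenario()` reproduces the page's outcome: the directory user in Sales01 is wiped, the basic user in Sales01 is not, and a basic user directly in Customer is.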