Directory services setup requires you to integrate your Workspace ONE Express environment with your directory service including attribute mapping for users and user groups.

Use the Directory Services page to configure the settings that let you integrate your Workspace ONE Express server with your organization's domain controller. The domain controller is the server that hosts your directory services system.

After entering server settings, you can filter searches to identify users and user groups. You can set options to auto merge and sync changes between your Workspace ONE Express configured groups and directory service groups. You can also map attribute values between Workspace ONE Express user attributes and your directory attributes.

Note: For Software as a Service (SaaS) customers, directory services integration requires you to install the AirWatch Cloud Connector.

Set Up Directory Services with a Wizard

During the initial setup, Workspace ONE Express provides a simplified wizard to streamline the directory services setup process. The wizard includes steps to integrate either Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP), or both.

Note: If SAML or LDAP settings are already configured, the Workspace ONE Express Console can detect it.
  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services and select the Start Setup Wizard button.

  2. Upon launching the wizard, select Configure to follow the steps.

Set Up Directory Services Manually

If you want to customize your directory service settings, you can skip the wizard and configure your settings manually to get up and running with Workspace ONE Express or Workspace ONE UEM.

Navigate to Accounts > Administrators > Administrator Settings > Directory Services to manually configure the Server, User, and Group settings for the Directory service.

  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services > Server and configure LDAP settings.
    Setting Description
    Directory Type

    Select the type of directory service that your organization uses.

    Workspace ONE UEM and Workspace ONE Express supports open-source LDAP for directory services. For more information on the best practices that can be followed while configuring open-source LDAP Directory Service, see the Workspace ONE UEM Directory Service Integration guide.

    DNS SRV

    Allow the Domain Name System Service Record to decide which server in its prioritized list of servers can best support LDAP requests. This feature ensures continuity of services in a high availability environment. The default setting is Deactivated.

    With this option deactivated, Workspace ONE UEM uses your existing directory server, the address of which you enter in the Server setting.

    Supported DNS servers:

    • Active Directory integrated Microsoft DNS servers
    • Standalone Microsoft DNS servers
    Server Enter the address of your directory server. This setting is only available when Enable DNS SRV is Deactivated.
    Encryption Type Select the type of encryption to use for a directory services communication. The options available are None (unencrypted), SSL, and Start TLS.
    Port

    Enter the Transmission Control Protocol (TCP) port used to communicate with the domain controller.

    The default for the unencrypted LDAP directory service communication is port 389. To view a KnowledgeBase article that lists the most up-to-date Workspace ONE UEM SaaS data center IP ranges, refer to https://support.air-watch.com/articles/115001662168.

    • When you change the Encryption Type setting to SSL, the Port setting automatically changes to 636.
    • When you select the Add Domain button, the Port setting automatically changes to 3268.
    Verify SSL Certificate. This setting is only available when the Encryption Type is SSL or Start TLS. Receive SSL errors by selecting the SSL check box.
    Protocol Version Select the version of the Lightweight Directory Access Protocol (LDAP) that is in use. Active Directory uses LDAP versions 2 or 3. If you are unsure of which Protocol Version to use, try the commonly used value of '3'.
    Use Service Account Credentials. Use the App pool credentials from the server on which the VMware Enterprise Systems Connector is installed for authenticating with the domain controller. Enabling this option hides the Bind user name and Bind Password settings.
    Bind Authentication Type.

    Select the type of bind authentication to enable the AirWatch server to communicate with the domain controller.

    You can select Anonymous, Basic, Digest, Kerberos, NTLM, or GSS-NEGOTIATE. If you are unsure of which Bind Authentication Type to use, start by setting the bind authentication type to Basic. You know if your selection is not correct when you click Test Connection.

    Bind User Name. Enter the credentials used to authenticate with the domain controller. For example, you can enter either "Username or Domain\username". This account (which the entered user name identifies) allows a read-access permission on your directory server and binds the connection when authenticating users. If you are unsure of which Bind Authentication Type to use, try the commonly used GSS-NEGOTIATE. You know if your selection is not correct when you click Test Connection. Clear the bind password from the database by selecting the Clear Bind Password check box.
    Bind Password Enter the password for the bind user name to authenticate with the directory server.
    Domain /Server

    Enter the default domain and server name for any directory-based user accounts. If only one domain is used for all directory user accounts, fill in the text box with the domain. This entry means that users are authenticated without explicitly stating their domain.

    You can add more domains by selecting the Add Domain option. Make sure that all the domains are in the same forest. In this case, Workspace ONE UEM automatically changes the port setting to 3268 for global catalog. You can change the port setting to 3269 for SSL encrypted traffic, or override it completely by entering a separate port.

    Is there a trust relationship between all domains?

    This setting is available only when you have more than one domain added.

    Select Yes if the binding account has permission to access other domains you have added. This added permission means that the binding account can successfully log in from more domains.

    1. Complete the following options are available after selecting the Advanced section drop-down.
      Setting Description
      Search Subdomains

      Enable subdomain searching to find nested users.

      Leaving this option deactivated can make searches faster and avoids network issues. However, users and groups located in subdomains under the base Domain Name (DN) are not identified.

      Connection Timeout Enter the LDAP connection timeout value (in seconds).
      Request Timeout Enter the LDAP query request timeout value (in seconds).
      Search without base DN Enable this option when using a global catalog and when you do not want to require a base DN to search for users and groups.
      Use Recursive OID at Enrollment. Verify the user group membership at the time of enrollment. As the system runs this feature at enrollment time, your performance can decrease with some directories.
      Use Recursive OID For Group Sync. Verify the user group membership at the time of Group synchronization.
      Object Identifier Data Type Select the unique identifier that never changes for a user or group. The options available are Binary and String. Typically, the Object Identifier is in a Binary format.
      Sort Control Option to enable sorting. If this option is deactivated, it can make searches faster and you can avoid sync timeouts.
    2. (Optional) Configure Azure AD For Identity Services.

      The following settings are available only if enabling Use Azure AD for Identity Services and are only applicable if you are integrating with Azure Active Directory.

      Azure AD integration with Workspace ONE UEM must be configured at the tenant where Active Directory (such as LDAP) is configured.

      Setting Description
      MDM Enrollment URL Enter the URL address used to enroll devices.
      MDM Terms of Use URL

      Enter the URL address of your terms of use agreement.

      There is a helpful link that displays exactly where in the Workspace ONE UEM in the Azure AD config panel these MDM URLs belong. This link is labeled, "Where in AAD do I paste this info?"

      Directory ID

      Enter the identification number used to authenticate your Azure AD license.

      The Azure Directory ID is found in your Azure AD Directory Instance URL. For example, if your URL is acme.com/WS/ADExt/Dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section (0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n) is your Directory ID.

      Tenant Name

      Enter the tenant name of your Azure AD instance.

      There is a helpful link that displays exactly how to obtain the tenant info from your AAD Directory Instance. This link is labeled, "How To Obtain Tenant Info"

      Immutable ID-Mapping Attribute The Immutable ID-Mapping Attribute points to the sourceAnchor field in Active Directory that is mapped to Azure AD. This setting enables Workspace ONE UEM to match the Azure AD immutable ID to the correct local active directory attribute.
      Mapping Attribute Data Type Select the mapping attribute data type of the field used by Workspace ONE UEM as the sourceAnchor for Azure AD. The default type is Binary.
      Automatically revoke user tokens when wiping devices. Enable this option to revoke Microsoft Azure AD user tokens when a device or enterprise wipe is run. It is not a best practice to deactivate this functionality as it might reduce the security posture of your configuration. If a wiped device is lost, it can still contain a valid AAD authentication token.
    3. (Optional) Configure SAML For Authentication.

      The following Security Assertion Markup Language (SAML) options are available after enabling Use SAML for Authentication.

      These options are only applicable if you are integrating with a SAML identity provider.

      Setting Description
      Enable SAML authentication For

      You have the choice of using SAML authentication for Admin, Enrollment, or Self Service Portal.

      UEM console administrators can select all three, or any combination of two, or select any one of the three components.

      Use new SAML Authentication endpoint

      A new SAML authentication endpoint has been created for end-user authentication (device enrollment and login to SSP). This authentication replaces the two dedicated enrollment and SSP endpoints with a single endpoint.

      While you may choose to keep your existing settings, Workspace ONE UEM suggests updating your SAML settings to take advantage of the new combined endpoint.

      If you want to use the new endpoint, enable this setting and save the page. Then use the Export Service Provider Settings to export the new metadata file and upload it to your IdP. Doing so establishes trust between the new endpoint and your IdP.

      Table 1. SAML 2.0
      Setting Description
      Import Identity Provider Settings Upload a metadata file obtained from the identity provider. This file must be in Extensible Markup Language (XML) format.
      Service Provider (Workspace ONE UEM) ID Enter the Uniform Resource Identifier (URI) with which Workspace ONE UEM identifies itself to the identity provider. This string must match the ID that has been established as trusted by the identity provider.
      Identity Provider ID Enter the URI that the identity provider uses to identify itself. Workspace ONE UEM reviews authentication responses to verify that the identity matches the ID provided here.
      Table 2. RESPONSE
      Setting Description
      Response Binding Type Select the binding types of the response. The options include Redirect, POST, and Artifact.
      Sp Assertion URL Enter the Workspace ONE UEM URL that the identity provider configures to direct its authentication responses. “Assertions” regarding the authenticated user are included in success responses from the identity provider.
      Authentication Response Security This value specifies whether the IdP signs the response. You can select between None, Validate Response Signatures, and Validate Assertions Signatures. Consider selecting Validate Response Signatures for a more secure authentication.
      Table 3. CERTIFICATE
      Setting Description
      Identity Provider Certificate Upload the identity provider certificate.
      Service Provider (AirWatch) Certificate Upload the service provider certificate.Note:Currently we only support SHA256 based algorithms. For more information on all the providers that support SHA256, see https://docs.microsoft.com/en-us/windows/desktop/SecCertEnroll/cryptoapi-cryptographic-service-providers.
      Export Service Provider Settings button Exports the metadata file for uploading to your Identity Provider (IdP). This setting establishes trust between the new SAML endpoint (for enrollment and SSP login) and your IdP.
  2. Navigate to Accounts > Administrators > Administrator Settings > Directory Services > User and configure the User settings.
    Setting Description
    User Object Class Enter the appropriate Object Class. In most cases, this value is "user."
    User Search Filter

    Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}" where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user.

    • For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.
    • For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}"

    Advanced

    Setting Description
    Auto Merge Enable setting to allow user group updates from your directory service to merge with the associated users and groups in Workspace ONE UEM automatically.
    Automatically Sync Enabled Or Deactivated User Status

    Select Enabled to deactivate the associated user in Workspace ONE UEM when that user is deactivated in your LDAP directory service (for example, Active Directory, Novell e-Directory, and so on).

    • Value For Deactivated Status – Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user’s status. Select “Flag Bit Match” if the user status is designated by a bitwise flag (which is the default for Active Directory).

      Select “Flag Bit Match” if the user status is designated by a bitwise flag (which is the default for Active Directory). When “Flag Bit Match” is selected, Directory Services will consider the user to be deactivated if any bits from the property match the given value.

      Note:If you select this option and you deactivate users in your directory service, the corresponding user account in Workspace ONE UEM is marked inactive and those administrators and users are not able to log in. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.
    Enable Custom Attributes Enable custom attributes. Custom Attributes is a section that appears under the main Attribute – Mapping Value table. You must scroll down to the bottom of the page to see the Custom Attributes.
    Attributes

    Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in Active Directory (AD). Update these mapping values to reflect the values used for your own or other directory service types.

    If you add or remove a custom attribute, you should initiate a manual sync afterward by selecting the Sync Attributes button.

    Sync Attributes button Manually sync the attributes mapped here to the user records in Workspace ONE UEM. Attributes sync automatically on the time schedule configured for the Workspace ONE UEM environment.
  3. Navigate to Accounts > Administrators > Administrator Settings > Directory Services > Group and configure Group settings.
    Setting Description
    Group Object Class Enter the appropriate Object Class. In most cases this value should be group.
    Organizational Unit Object Class Enter the appropriate Organizational User Object Class.

    Advanced

    Setting Description
    Group Search Filter Enter the search parameter used to associate user groups with directory service accounts.
    Auto Sync Default Select this checkbox to automatically add or remove users in Workspace ONE UEM configured user groups based on their membership in your directory service.
    Auto Merge Default Select this check box to automatically apply sync changes without administrative approval.
    Maximum Allowable Changes

    Enter the number of maximum allowable group membership changes to be merged into Workspace ONE UEM. Any number of changes detected upon syncing with the directory service database under this number are automatically merged.

    If the number of changes exceed this threshold, an administrator must manually approve the changes before they are applied. A single change is defined by a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much.

    Conditional Group Sync Enable this option to sync group attributes only after changes occur in Active Directory. Deactivate this option to sync group attributes regularly, regardless of changes in Active Directory.
    Auto-Update Friendly Name

    When enabled, the friendly name is updated with group name changes made in active directory.

    When deactivated, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit (OU)-based user groups with the same common name.

    Attribute Review and edit the Mapping Value for the listed Attribute, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in AD. Update these mapping values to reflect the values used for your own or other directory service types.
  4. Verify that you have established proper connectivity by selecting the Test Connection button.

    The server connection is tested for all the domains listed on the page using the server name, bind user name, and the password provided by the administrator. You can rerun the test by clicking the Test Again button.

  5. Select Save.

Best Practices for Configuring Open Source LDAP Directory Service Type

Workspace ONE UEM supports open source LDAP for directory services. For instance, similar to Microsoft Active Directory, Novell e-Directory, Lotus Domino, we have Samba OpenLDAP server for Directory services. Samba OpenLDAP is a widely used LDAP server in Linux environment.

If you choose to select any other LDAP server other than Active Directory, Novell e-Directory or Lotus Domino, you can refer through the following configuration tips that covers the most critical steps while configuring open source LDAP directory service.

Bind Authentication Type

You are required to select the type of bind authentication to enable the AirWatch server to communicate with the domain controller.

You can select Anonymous, Basic, Digest, Kerberos, NTLM, or GSS-NEGOTIATE. If unsure start by setting the bind authentication type to Basic. You will know if your selection is not correct when you click Test Connection.

Bind User Name

Enter the credentials used to authenticate with the domain controller. This account (which the entered user name identifies) allows a read-access permission on your directory server and binds the connection when authenticating users. It is considered to be a best practice to use the full base distinguished name for the bind username. For example, you can use CN=admin,DC=domain,DC=com.

User Search Filter

In the User Tab, enter the search parameter that is used to associate user accounts with Active Directory accounts and make sure your user search filter is appropriately configured. You could expect appropriate results if you set the search filter as (&(objectCategory=person)(sAMAccountName={EnrollmentUser})).