Directory User Group Integration

An alternative to custom user groups in Workspace ONE Express without active directory integration is through user group integration that applies your existing active directory structure, providing many benefits.

After you import existing directory service user groups as Workspace ONE Express user groups, you can perform tasks in the following areas.

User Management – Reference your existing directory service groups (such as security groups or distribution lists) and align user management in Workspace ONE Express with the existing organizational systems.
Profiles and Policies – Assign profiles, applications, and policies across a WorkspaceWorkspace ONE Express deployment to groups of users.
Integrated Updates – Automatically update user group assignments based on group membership changes.
Management Permissions – Set management permissions to allow approved administrators only to change policy and profile assignments for certain user groups.
Enrollment – Allow users to enroll in Workspace ONE Express using their existing credentials.

Similar to the way data mapping works on an individual user, mapping user group data integrates your existing directory service groups into Workspace ONE Express user groups. For more information, see Filter Your Searches to Map the Directory Services User Information.

Merge and Sync Changes Between Your Directory Service Groups and Groups in Workspace ONE

You can set options to auto merge and sync changes between your directory service groups and groups in Workspace ONE Express and Workspace ONE UEM.

AD passwords are not stored in the Workspace ONE UEM database except the Bind account password used to link directory services into your Workspace ONE UEM environment.

The Bind account password is stored in an encrypted form in the database and is not accessible from the console. Unique session keys are used for each sync connection to the Active Directory server. This AD password storage arrangement is the same for Workspace ONE Express.

In some instances, global catalogs are used to manage multiple domains or AD Forests. Delays while searching for or authenticating users might be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results.

To integrate with the global catalog directly, configure the following settings.

Encryption Type = None
Port = 3268
Verify that your firewall allows for this traffic on port 3268.

Complete the following steps to auto merge and sync changes between your Directory Service Groups and Groups in the Workspace ONE UEM console.

Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
If necessary, select 'Override' as the Current Setting so that changes can be made to this settings page.
Ensure your organization's Directory Service is selected in the Directory Type.
Select the Group tab. By default, only the Base DN information displays.
For Base DN, select the Fetch DN plus sign (+) next to the Base DN setting to display a list of Base DNs. Populate this text box by selecting from the list.
If a list of Base DNs does not display, revisit the settings you entered on the Server tab before continuing.

Enter data in the following settings.


Setting	Description
Group Object Class	Enter the appropriate Object Class. In most cases this value should be group.
Organizational Unit Object Class	Enter the appropriate Organizational User Object Class.

To display more settings, select Advanced. Enter data in the following text boxes.


Setting	Description
Group Search Filter	Enter the search parameter used to associate user groups with directory service accounts.
Auto Sync Default	Select this checkbox to automatically add or remove users in Workspace ONE UEM configured user groups based on their membership in your directory service.
Auto Merge Default	Select this check box to automatically apply sync changes without administrative approval.
Maximum Allowable Changes	Enter the number of maximum allowable group membership changes to be merged into Workspace ONE UEM. Any number of changes detected upon syncing with the directory service database under this number are automatically merged. If the number of changes exceed this threshold, an administrator must manually approve the changes before they are applied. A single change is defined by a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much.
Conditional Group Sync	Enable this option to sync group attributes only after changes occur in Active Directory. Deactivate this option to sync group attributes regularly, regardless of changes in Active Directory.
Auto-Update Friendly Name	When enabled, the friendly name is updated with group name changes made in active directory. When deactivated, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit (OU)-based user groups with the same common name.
Attribute	Review and edit the Mapping Value for the listed Attribute, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in AD. Update these mapping values to reflect the values used for your own or other directory service types.

Select Test Connection to verify connectivity.
The server connection is tested for all the domains listed on the page, using the server name, bind user name, and the password provided by the administrator. You can rerun the test by clicking the Test Again button.
From the User tab, you can perform the following actions:
1. Select the Domain name from the drop-down menu.
2. Enter the user's directory user name and select Check User. If the system finds a match, the user's information is auto-populated. The remaining settings in this section are only available after you have successfully located an active directory user with the Check User button.
  From the Group tab, you can perform the following actions:
3. Select the External Type of the group you are adding.
  - Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
  - Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
4. Enter the directory user group name in the Search text.
5. Directory Name is the pre-populated setting that identifies the Active Directory name.
6. Select the Domain name from the drop-down menu.
7. Group Base DN displays a list of Domain Names from which you can select.
8. Select Check Group to verify the group information.

Add Directory Service User Groups to Workspace ONE Express

User groups added in Workspace ONE Express can be synced – automatically when configured with a scheduler – with your directory service groups to merge changes or add missing users.

Pros
You have the option of restricting the enrollment to only known groups, which lets you restrict on a user group level who can enroll. This method also keeps your existing directory service group infrastructure and allows you to assign profiles, policies, content, and apps based on these existing group setups.
Cons
Uploading directory service user groups does not automatically create Workspace ONE Express user accounts. Therefore, if you have restricted enrollment for known users, you must add those user accounts into the Workspace ONE Express console manually.

Navigate to Accounts > User Groups > List View, select Add, then Add User Group.

Complete the settings in the Add User Group screen as applicable, ensuring the user group Type is Directory.


Setting	Description
Type	Select the type of User Group. Directory – Create a user group that is aligned with your existing active directory structure. Custom – Create a user group outside of your organization's existing Active Directory structure. This user group type grants access to features and content for basic and directory users to customize user groups according to your deployment. Custom user groups can only be added at a customer level organization group.
External Type	Select the external type of group you are adding. Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group. Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group. Custom Query – You can also create a user group containing users you locate by running a custom query. Selecting this external type replaces the Search Text function but displays the Custom Query section.
Search Text	Identify the name of a user group in your directory by entering the search criteria and selecting Search to search for it. If a directory group contains your search text, a list of group names displays. This option is unavailable when External Type is set to Custom Query.
Directory Name	Read-only setting displaying the address of your directory services server.
Domain and Group Base DN	This information automatically populates based on the directory services server information you enter on the Directory Services page (Groups & Settings > System > Enterprise Integration > Directory Services). Select the Fetch DN plus sign (+) next to the Group Base DN setting, which displays a list of distinguished name elements from which you can select.
Custom Object Class	Identifies the object class under which your query runs. The default object class is 'person' but you can supply a custom object class to identify your users with a greater success and accuracy. This option is available only when Custom Query is selected as External Type.
Group Name	Select a Group Name from your Search Text results list. Selecting a group name automatically alters the value in the Distinguished Name setting. This option is available only after you have completed a successful search with the Search Text setting.
Distinguished Name	This read-only setting displays the full distinguished name of the group you are creating. This option is available only when Group or Organizational Unit is selected as External Type.
Custom Base DN	Identifies the base distinguished name which serves as the starting point of your query. The default base distinguished name is 'AirWatch' and 'sso'. However, if you want to run the query with a different starting point, you can supply a custom base distinguished name. This option is available only when Custom Query is selected as External Type.
Organization Group Assignment	This optional setting enables you to assign the user group you are creating to a specific organization group (OG). This option is available only when Group or Organizational Unit is selected as External Type. You must select a "Customer" type OG. Assigning the user group to a non-customer type OG is not allowed.
User Group Settings	Select between Apply default settings and Use Custom settings for this user group. See the Custom Settings section for additional setting descriptions. You can configure this option from the permission settings after the group is created. This option is available only when Group or Organizational Unit is selected as External Type.
Custom Query - Query	This setting displays the currently loaded query that runs when you select the Test Query button and when you select the Continue button. Changes you make to the Custom Logic setting or the Custom Object Class setting are reflected here.
Custom Logic	Add your custom query logic here, such as user name or admin name. For example, "cn=jsmith". You can include as much or as little of the distinguished name as you like. The Test Query button allows you to see if the syntax of your query is correct before selecting the Continue button.
Custom Settings - Management Permissions	You can allow or disallow all administrators to manage the user group you are creating.
Default Role	Select a default role for the user group from the drop-down menu.
Default Enrollment Policy	Select a default enrollment policy from the drop-down menu.
Auto Sync with Directory	This option enables the directory sync, which detects user membership from the directory server and stores it in a temporary table. Administrators approve changes to the console unless the Auto Merge option is selected. If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be deactivated.
Auto Merge Changes	Enable this option to apply sync changes automatically from the database without administrative approval.
Maximum Allowable Changes	Use this setting to set a threshold for the number of automatic user group sync changes that can occur before approval must be given. Changes more than the threshold need admin approval and a notification is sent to this effect. This option is available only when Auto Merge Changes is enabled.
Add Group Members Automatically	Enable this setting to add users to the user group automatically. If you want to prevent user groups from automatically syncing during a scheduled sync, this setting must be deactivated.
Send Email to User when Adding Missing Users	Enable to send an email to users when missing users are being added to the user group. Adding missing users means combining the temporary user group table with the Active Directory table.
Message Template	This option is available only when Send Email to User when Adding Missing Users is enabled. Select a message template to be used for the email notification during the addition of missing users to the user group. When adding active directory users new to the Workspace ONE UEM console, the message template availability depends upon the enrollment mode as configured in Groups & Settings > All Settings > Devices & Users > General > Enrollment selecting Authentication, and making a choice in the Devices Enrollment Mode option. When Open Enrollment is selected as the Devices Enrollment Mode, a User Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll. When Registered Devices Only is selected as the Devices Enrollment Mode, a Device Activation email template is available in the Message Template drop-down. This email message enables the new AD user to enroll their devices. If Require Registration Token is enabled, the device can be registered with the token embedded in the message.

Select Save.

Remove Users From User Groups Based on the Directory Service Group Membership

You can enable Workspace ONE UEM and Workspace ONE Express to detect when a directory service user account is removed and automatically remove its associated user account from the associated group.

Navigate to Accounts > User Groups > Settings > Directory Services.
Select the Group tab.
See advanced configuration options by selecting the Advanced drop-down.
Select the Auto Sync Default check box to add and remove users in user groups automatically based on membership in directory service.