Every directory user you want to manage through Workspace ONE Express must have a corresponding user account.

Integrating directory service users with Workspace ONE Express is entirely optional. However, there are many benefits to reusing the user data already stored in your directory service.

Integrating the two systems links them: when a user becomes inactive in your directory service (because of employment termination, retirement, and so on), the linked user account in Workspace ONE Express is deactivated and the user's device enrollment ends automatically.

Linking the two systems means mapping your directory service user information onto Workspace ONE Express.

Filter Your Searches to Map the Directory Services User Information

After entering server settings, you can filter searches to identify users and map values between Workspace ONE user attributes and your directory attributes.

  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
  2. Select the User tab. By default, only the Base DN information displays.
  3. Select the Fetch DN plus sign (+) next to the Base DN column.

    Result: A list of Base DNs displays, from which you can select one to populate this text box. If no list displays, revisit the settings you entered on the Server tab before continuing.

  4. Enter data in the following settings.

    User Object Class: Enter the appropriate object class. In most cases, this value is "user".

    User Search Filter: Enter the search parameter used to associate user accounts with Active Directory accounts. The suggested format is "<LDAPUserIdentifier>={EnrollmentUser}", where <LDAPUserIdentifier> is the attribute used on the directory services server to identify the specific user.

    • For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.
    • For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}".
  5. Display more settings by selecting Show Advanced.

    Auto Merge: Enable this setting to allow user group updates from your directory service to merge automatically with the associated users and groups in Workspace ONE UEM.

    Automatically Sync Enabled Or Deactivated User Status: Select Enabled to deactivate the associated user in Workspace ONE UEM when that user is deactivated in your LDAP directory service (for example, Active Directory, Novell eDirectory, and so on).

    • Value For Deactivated Status – Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user's status. Select "Flag Bit Match" if the user status is designated by a bitwise flag (the default for Active Directory). When "Flag Bit Match" is selected, Directory Services considers the user deactivated if any bit of the attribute value matches the given value.

      Note: If you select this option and deactivate users in your directory service, the corresponding user accounts in Workspace ONE UEM are marked inactive, and those administrators and users can no longer log in. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.

    Enable Custom Attributes: Enable custom attributes. The Custom Attributes section appears below the main Attribute Mapping Value table; scroll to the bottom of the page to see it.

    Attributes: Review and edit the Mapping Values for the listed attributes, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default, these attributes are the values most commonly used in Active Directory (AD). Update the mapping values to reflect the values used by your own directory service or by other directory service types.

    If you add or remove a custom attribute, initiate a manual sync afterward by selecting the Sync Attributes button.

    Sync Attributes button: Manually sync the attributes mapped here to the user records in Workspace ONE UEM. Attributes otherwise sync automatically on the schedule configured for the Workspace ONE UEM environment.
  6. Select Test Connection to verify connectivity.

    The server connection is tested for all the domains listed on the page, using the server name, bind user name, and password provided by the administrator. You can rerun the test by selecting the Test Again button.

    From the User tab, you can perform the following actions:

    1. Select the Domain name from the drop-down menu.
    2. Enter the user's directory user name and select Check User. If the system finds a match, the user's information is auto-populated. The remaining settings in this section are only available after you have successfully located an Active Directory user with the Check User button.

    From the Group tab, you can perform the following actions:

    1. Select the External Type of the group you are adding.
      • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
      • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    2. Enter the directory user group name in the Search text.
    3. Directory Name is the pre-populated setting that identifies the Active Directory name.
    4. Select the Domain name from the drop-down menu.
    5. Group Base DN displays a list of Domain Names from which you can select.
    6. Select Check Group to verify the group information.
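The following Python is an added example, not code from the Workspace ONE documentation or product: it models what the User Search Filter in step 4 and the "Flag Bit Match" status check in step 5 do, so you can sanity-check your own attribute values before enabling the automatic deactivation sync. It assumes the Active Directory userAccountControl attribute (ACCOUNTDISABLE is bit 0x2) and uses constructed sample entries; the enrollment user name is escaped per RFC 4515 so it cannot alter the filter's structure.

```python
# Added example, not Workspace ONE code. Models the User Search Filter
# substitution and the "Flag Bit Match" deactivation rule from the page.

# Filter templates quoted on the page
AD_USER_FILTER = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))"
LDAP_USER_FILTER = "UID={EnrollmentUser}"

# RFC 4515 escapes for characters that are special inside an LDAP filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value so it is matched literally, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(template: str, enrollment_user: str) -> str:
    """Replace {EnrollmentUser} in the configured template with the escaped user name."""
    return template.replace("{EnrollmentUser}", escape_filter_value(enrollment_user))


# Active Directory stores account status in userAccountControl; ACCOUNTDISABLE is bit 0x2
# (assumption drawn from AD documentation, not from the page).
AD_ACCOUNTDISABLE = 0x2


def is_deactivated(attribute_value: str, deactivated_value: int, flag_bit_match: bool) -> bool:
    """Flag Bit Match: inactive if any bit of the value is set; otherwise an exact match."""
    status = int(attribute_value)  # LDAP returns attribute values as strings
    if flag_bit_match:
        return (status & deactivated_value) != 0
    return status == deactivated_value


def users_to_deactivate(entries, status_attr, deactivated_value, flag_bit_match=True):
    """Return user names whose directory status the sync would mark inactive."""
    return [e["sAMAccountName"] for e in entries
            if is_deactivated(e[status_attr], deactivated_value, flag_bit_match)]


# Constructed sample entries: 512 = NORMAL_ACCOUNT, 514 = 512 | ACCOUNTDISABLE,
# 66050 = DONT_EXPIRE_PASSWORD | NORMAL_ACCOUNT | ACCOUNTDISABLE
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "bob", "userAccountControl": "514"},
    {"sAMAccountName": "carol", "userAccountControl": "66050"},
]

if __name__ == "__main__":
    print(build_user_search_filter(AD_USER_FILTER, "alice"))
    print(users_to_deactivate(SAMPLE_ENTRIES, "userAccountControl", AD_ACCOUNTDISABLE))
```

Note that with an exact (non-bitwise) match, "carol" would not be detected as deactivated even though her account is disabled, which is why "Flag Bit Match" is the right choice for Active Directory.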