You can set options to auto merge and sync changes between your directory service groups and groups in Workspace ONE Express and Workspace ONE UEM powered by AirWatch.

AD passwords are not stored in the Workspace ONE UEM database except the Bind account password used to link directory services into your Workspace ONE UEM environment.

The Bind account password is stored in an encrypted form in the database and is not accessible from the console. Unique session keys are used for each sync connection to the Active Directory server. This AD password storage arrangement is the same for Workspace ONE Express.

In some instances, global catalogs are used to manage multiple domains or AD Forests. Delays while searching for or authenticating users might be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results.

Prerequisites

To integrate with the global catalog directly, configure the following settings.
  • Encryption Type = None
  • Port = 3268
  • Verify that your firewall allows for this traffic on port 3268.
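
The firewall prerequisite above can be checked from the host that will run the directory sync before touching the console. The following is an added example, not code from the Workspace ONE UEM product or its documentation: it opens a TCP connection to the global catalog port (3268, the value from the list above) and reports whether the network path is open. It does not speak LDAP, so a pass means the firewall and routing allow the traffic, not that the directory answered a query. The host name gc.example.invalid is a placeholder.

```python
"""TCP reachability check for the global catalog prerequisite.

Added example, not part of Workspace ONE UEM. It verifies only that a TCP
handshake to the global catalog port completes, which is what the
"verify that your firewall allows this traffic on port 3268" step asks for.
"""
from __future__ import annotations

import socket

GLOBAL_CATALOG_PORT = 3268  # port given in the prerequisites list


def tcp_port_reachable(host: str, port: int = GLOBAL_CATALOG_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port is established within timeout.

    Connection refused, timeouts and name-resolution failures all raise
    OSError (socket.timeout is an OSError subclass), so each becomes a plain
    False and the caller can treat the result as a prerequisite pass/fail.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_global_catalog_prereqs(host: str, port: int = GLOBAL_CATALOG_PORT, timeout: float = 3.0) -> dict:
    """Summarise the connectivity check as a small report dictionary."""
    reachable = tcp_port_reachable(host, port, timeout)
    return {
        "host": host,
        "port": port,
        "reachable": reachable,
        "note": "TCP path open" if reachable
                else "connection failed: check the firewall rule and the host name",
    }


if __name__ == "__main__":
    # gc.example.invalid is a placeholder; substitute your global catalog host.
    print(check_global_catalog_prereqs("gc.example.invalid"))
```

Run it from the same network segment as the component that performs the sync, since a rule that permits your workstation may not permit the server. Because the prerequisites set Encryption Type to None, traffic on this port is plain LDAP, so the path you open should be confined to the hosts that need it.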
Complete the following steps to auto merge and sync changes between your Directory Service Groups and Groups in the Workspace ONE UEM console.

Procedure

  1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.
  2. If necessary, select 'Override' as the Current Setting so that changes can be made to this settings page.
  3. Ensure your organization's Directory Service is selected in the Directory Type.
  4. Select the Group tab. By default, only the Base DN information displays.
  5. For Base DN, select the Fetch DN plus sign (+) next to the Base DN setting to display a list of Base DNs. Populate this text box by selecting from the list.
    1. If a list of Base DNs does not display, revisit the settings you entered on the Server tab before continuing.
  6. Enter data in the following settings.
    • Group Object Class – Enter the appropriate Object Class. In most cases, this value should be group.
    • Organizational Unit Object Class – Enter the appropriate Organizational Unit Object Class.
  7. To display more settings, select Advanced. Enter data in the following text boxes.
    • Group Search Filter – Enter the search parameter used to associate user groups with directory service accounts.
    • Auto Sync Default – Select this check box to automatically add or remove users in Workspace ONE UEM-configured user groups based on their membership in your directory service.
    • Auto Merge Default – Select this check box to automatically apply sync changes without administrative approval.
    • Maximum Allowable Changes – Enter the maximum number of group membership changes that can be merged into Workspace ONE UEM automatically. If the number of changes detected during a sync with the directory service is below this threshold, the changes are merged automatically. If the number of changes exceeds this threshold, an administrator must manually approve the changes before they are applied. A single change is defined as a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much.
    • Conditional Group Sync – Enable this option to sync group attributes only after changes occur in Active Directory. Disable this option to sync group attributes regularly, regardless of changes in Active Directory.
    • Auto-Update Friendly Name – When enabled, the friendly name is updated with group name changes made in Active Directory. When disabled, the friendly name can be customized so that admins can tell the difference between user groups with identical common names. This is useful if your implementation includes organizational unit (OU)-based user groups with the same common name.
    • Attribute – Review and edit the Mapping Value for each listed Attribute, if necessary. These columns show the mapping between Workspace ONE UEM user attributes (left) and your directory service attributes (right). By default, these attributes are the values most commonly used in AD. Update these mapping values to reflect the values used by your own or another directory service type.
  8. Select Test Connection to verify connectivity.

    The server connection is tested for all the domains listed on the page, using the server name, bind user name, and the password provided by the administrator. You can rerun the test by clicking the Test Again button.

    From the User tab, you can perform the following actions:

    1. Select the Domain name from the drop-down menu.
    2. Enter the user's directory user name and select Check User. If the system finds a match, the user's information is auto-populated. The remaining settings in this section are only available after you have successfully located an Active Directory user with the Check User button.

    From the Group tab, you can perform the following actions:

    1. Select the External Type of the group you are adding.
      • Group – Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
      • Organizational Unit – Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
    2. Enter the directory user group name in the Search Text box.
    3. Directory Name is the pre-populated setting that identifies the Active Directory name.
    4. Select the Domain name from the drop-down menu.
    5. Group Base DN displays a list of Domain Names from which you can select.
    6. Select Check Group to verify the group information.
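
The Auto Merge Default and Maximum Allowable Changes settings in step 7 decide whether a sync is applied on its own or held for an administrator. The following is an added example, not code from the Workspace ONE UEM product: it models that decision with constructed group membership data, counting each user who joins or leaves a group as one change, as the setting description defines it, and comparing the total against the threshold. The page does not say what happens when the count equals the threshold; treating that case as "within the threshold" is an assumption made here and marked in the code.

```python
"""Membership-change counting and the auto-merge threshold.

Added example, not Workspace ONE UEM code. It reproduces the rule described
for Auto Merge Default and Maximum Allowable Changes: one change per user
joining or leaving a group, automatic merge when the count is within the
threshold, administrator approval when it exceeds it.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class MembershipChange:
    group: str
    user: str
    action: str  # "joined" or "left"


@dataclass
class SyncResult:
    changes: list[MembershipChange]
    auto_merged: bool       # applied without administrative approval
    pending_approval: bool  # held until an administrator approves


def diff_memberships(current: dict[str, set[str]],
                     directory: dict[str, set[str]]) -> list[MembershipChange]:
    """Compare the memberships held in the console with the directory's.

    A group seen on only one side is treated as empty on the other, so every
    member of a newly appearing group is a join and every member of a group
    that vanished is a leave. Output is sorted for stable review lists.
    """
    changes: list[MembershipChange] = []
    for group in sorted(current.keys() | directory.keys()):
        before = current.get(group, set())
        after = directory.get(group, set())
        changes.extend(MembershipChange(group, u, "joined") for u in sorted(after - before))
        changes.extend(MembershipChange(group, u, "left") for u in sorted(before - after))
    return changes


def evaluate_sync(current: dict[str, set[str]], directory: dict[str, set[str]], *,
                  auto_merge: bool, max_allowable_changes: int) -> SyncResult:
    """Apply the Auto Merge Default / Maximum Allowable Changes rule."""
    changes = diff_memberships(current, directory)
    if not changes:
        return SyncResult(changes, auto_merged=False, pending_approval=False)
    # Assumption: a count exactly equal to the threshold is merged; the page
    # only states that counts under it merge and counts exceeding it wait.
    if auto_merge and len(changes) <= max_allowable_changes:
        return SyncResult(changes, auto_merged=True, pending_approval=False)
    return SyncResult(changes, auto_merged=False, pending_approval=True)


def summarize_changes(changes: list[MembershipChange]) -> dict[str, int]:
    """Per-action counts, the figures an approver would want to see first."""
    return dict(Counter(c.action for c in changes))


# Constructed sample data: what the console currently holds versus what the
# directory reports at the next sync. Group and user names are made up.
CURRENT_GROUPS = {
    "MDM-Users": {"alice", "bob", "carol"},
    "MDM-Admins": {"alice"},
}
DIRECTORY_GROUPS = {
    "MDM-Users": {"alice", "carol", "dave"},  # bob left, dave joined
    "MDM-Admins": {"alice", "erin"},          # erin joined
}


if __name__ == "__main__":
    for threshold in (100, 2):
        result = evaluate_sync(CURRENT_GROUPS, DIRECTORY_GROUPS,
                               auto_merge=True, max_allowable_changes=threshold)
        print(f"threshold={threshold}: {len(result.changes)} changes "
              f"{summarize_changes(result.changes)} auto_merged={result.auto_merged} "
              f"pending_approval={result.pending_approval}")
```

With the sample data the sync contains three changes, so a threshold of 100 merges it automatically while a threshold of 2 holds it for approval; with Auto Merge Default cleared, every non-empty sync waits regardless of the threshold. The per-action summary shows why a low threshold is a useful control: a burst of "left" entries from a directory-side mistake is exactly the kind of sync an administrator should see before it removes users from managed groups.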