Workspace ONE UEM uses organization groups (OG) to identify users and establish permissions. When Workspace ONE UEM is integrated with VMware Identity Manager, the admin and enrollment user REST API keys are configured at the Workspace ONE UEM organization group type called Customer.

When users sign in to Workspace ONE from a device, a device registration event is triggered within VMware Identity Manager. A request is sent to Workspace ONE UEM to pull any applications that the user and device combination is entitled to. The request is sent using the REST API to locate the user within Workspace ONE UEM and to place the device in the appropriate organization group.

To manage organization groups, two options can be configured in VMware Identity Manager.

  • Enable Workspace ONE UEM auto discovery.

  • Map Workspace ONE UEM organization groups to domains in the VMware Identity Manager service.

If neither of these two options are configured, Workspace ONE attempts to locate the user at the organization group where the REST API key is created. That is the Customer group.

Using Workspace ONE UEM Auto Discovery

Set up Auto Discovery when a single directory is configured at a child group to the Customer Organization Group, or when multiple directories are configured below the Customer group with unique email domains.

Figure 1. Example 1

In example 1, the email domain of the organization is registered for auto discovery. Users enter only their email address in the Workspace ONE sign-in page.

In this example, when users in the NorthAmerica domain sign in to Workspace ONE, they enter the complete email address as user1@domain1.com. The application looks for the domain and verifies that the user exists or can be created with a directory call in the NorthAmerica organization group. The device can be registered.

Using Workspace ONE UEM Organization Group Mapping to VMware Identity Manager Domains

Configure the VMware Identity Manager service to the Workspace ONE UEM organization group mapping when multiple directories are configured with the same email domain. You enable Map Domains to Multiple Organization Groups in the AirWatch configuration page in the VMware Identity Manager console.

When the Map Domains to Multiple Organization Groups option is enabled, domains configured in VMware Identity Manager can be mapped to the Workspace ONE UEM organization group IDs. The admin REST API key is also required.

In example 2, two domains are mapped to different organization groups. An admin REST API key is required. The same admin REST API key is used for both organization group IDs.

Figure 2. Example 2

In the AirWatch configuration page in the VMware Identity Manager console, configure a specific Workspace ONE UEM organization group ID for each domain.

Figure 3. Example 2 Organization Group Configuration

With this configuration, when users logs in to Workspace ONE from their device, the device registration request attempts to locate users from Domain3 in the organization group Europe and users from Domain4 in organization group AsiaPacific.

In example 3, one domain is mapped to multiple Workspace ONE UEM organization groups. Both directories share the email domain. The domain points to the same Workspace ONE UEM organization group.

Figure 4. Example 3

In this configuration, when users sign in to Workspace ONE, the application prompts the users to select which group they want to register into. In this example, users can select either Engineering or Accounting.

Figure 5. Organization Groups Where Directories Share the Same Domain

Placing Devices in the Correct Organization Group

When a user record is successfully located, the device is added to the appropriate organization group. The Workspace ONE UEM enrollment setting Group ID Assignment Mode determines the organization group to place the device. This setting is in the System Settings > Device & Users > General > Enrollment > Grouping page in the Workspace ONE UEM console.

Figure 6. Workspace ONE UEM Group Enrollment for Devices

In example 4, all users are at the Corporate organization group level.

Figure 7. Example 4

Device placement depends on the selected configuration for the Group ID Assignment Mode at the Corporate organization group.

  • If Default is selected, the device is placed in to the same group where the user is located. For example 4, the device is placed into the Corporate group.

  • If Prompt User to Select Group ID is selected, users are prompted to select which group to register their device into. For example 4, users see a drop-down menu within the Workspace ONE app with Engineering and Accounting as options.

  • If Automatically Selected Based on User Group is selected, devices are placed into either Engineering or Accounting based on their user group assignment and corresponding mapping in the Workspace ONE UEM console.

Understanding the Concept of a Hidden Group

In example 4, when users are prompted to select an organization group from which to register, users also can enter a group ID value that is not in the list presented from the Workspace ONE app. This is the concept of a hidden group.

In example 5, in the Corporate organization group structure, North America and Beta are configured as groups under Corporate.

Figure 8. Example 5

In example 5, users enter their email address into Workspace ONE. After authentication, users are shown a list that displays Engineering and Accounting from which to choose. Beta is not an option that is displayed. If users know the organization group ID, they can manually enter Beta in to the group selection text box and successfully register their device into Beta.