When setting up users and devices in Workspace ONE UEM, Workspace ONE UEM uses organization groups (OG) to organize and group users and to establish permissions. When Workspace ONE UEM is integrated with VMware Identity Manager, the admin and enrollment user REST API keys can only be configured at the Workspace ONE UEM organization group of type Customer.

In Workspace ONE UEM environments configured for multi-tenancy, many organization groups are created for users and devices. Devices become registered or enrolled into an organization group. Organization groups can be set up in unique configurations in a multi-tenancy environment. For example, organization groups by separate geographies, departments, or use cases.

You can link domains configured in VMware Identity Manager to specific organization groups in Workspace ONE UEM to manage device registration through Workspace ONE. When users log in to Workspace ONE, a device registration event is triggered within VMware Identity Manager. During the device registration, a request is sent to Workspace ONE UEM to pull any applications that the user and device combination is entitled to.

The device organization groups must be identified when Workspace ONE UEM is integrated with VMware Identity Manager so that identity manager can locate the user and successfully register the device into the appropriate organization group.

When you configure the Workspace ONE UEM settings in the VMware Identity Manager service, you can enter device organization group IDs and the API keys to map multiple OG to a domain. When users sign in to Workspace ONE from their devices, the user records are verified and the device is registered to the appropriate organization group in Workspace ONE UEM.

To learn more about how to configure multiple organization groups, see Deployment Strategies for Setting Up Multiple Workspace ONE UEM Organization Groups.

Note: When Workspace ONE UEM is integrated with VMware Identity Manager and multiple Workspace ONE UEM organization groups are configured, the Active Directory Global Catalog option cannot be configured for use with the VMware Identity Manager service.