VMware AirWatch Directory Services Guide Integrating your Directory Services


VMware AirWatch Directory Services Guide
Integrating your Directory Services
AirWatch v9.1

Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

This product is protected by copyright and intellectual property laws in the United States and other countries as well as by international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Table of Contents

Chapter 1: Overview
- What's New
- Introduction to Directory Services
- Requirements for Directory Services

Chapter 2: Directory Services Setup
- Directory Services Setup Overview
- Set up Directory Services with a Wizard
- Set up Directory Services Manually
- VMware Identity Manager and Directory Services
- Integrate VMware Identity Manager With Directory Services
- Manage the VMware Identity Manager Integration
- Map Directory Services User Information
- Map Directory Services Group Information

Chapter 3: Directory User Integration
- Directory Service User Integration Overview
- Adding Directory Users Into AirWatch
- Add Individual Directory Users One at a Time
- Batch Import Directory Users
- Directory Service User Self-Enrollment

Chapter 4: Directory User Group Integration
- Directory User Group Integration Overview
- Organization Groups vs. User Groups
- Adding Directory Service User Groups to AirWatch
- Add Directory User Groups One at a Time
- Batch Import Directory User Groups
- Edit User Group Permissions
- Mapping User Groups for Enrollment and Console Access
- Deploying Apps, Policies, and Profiles by User Group
- Deactivate and Reactivate Users Automatically
- Perform Automatic Enterprise Wipe for Users That Do Not Belong to a User Group
- Set Disabled Users to Inactive Automatically
- Remove Users From User Groups Based on Directory Service Group Membership
- Synchronization Errors

Accessing Other Documents

Chapter 1: Overview

- What's New
- Introduction to Directory Services
- Requirements for Directory Services

What's New

This guide has been updated with the latest features and functionality from the most recent release of AirWatch v9.1. The list below includes these new features and the sections and pages on which they appear.

- To aid customers using OU based user groups with the same common name, a Friendly Name setting has been added so admins can tell the difference between these groups. See Map Directory Services Group Information.

Introduction to Directory Services

AirWatch integrates with your organization's existing directory service such as Active Directory, Lotus Domino, and Novell e-directory to provide directory-based account access. This type of account access lets users authenticate with AirWatch apps and enroll devices using their existing directory service credentials.

Integrating with directory services eliminates the need to create basic user accounts in your organization and can help simplify the enrollment process for end users by applying information they already know. Ongoing LDAP synchronization detects any changes within the system and can automatically perform necessary updates across all devices for affected users or require administrative approval before any changes occur.

You may also migrate Basic Users to LDAP Users, checking against existing directory users. For more information, please see the Migrating Basic users to Directory (AD) users KB article: https://support.airwatch.com/solutions/1859.

Integrating AirWatch with your directory service provides many benefits.

- Conduct enrollment for both users and administrators.
- Map directory groups to AirWatch user groups.
- Control AirWatch Console access.
- Apply existing credentials for VMware Content Locker access.
- Assign apps, profiles, and policies by user group.
- Automatically retire end users when they go inactive.

The following sections explain how to integrate your AirWatch environment with your directory service of choice. They also explain how to add directory user accounts to AirWatch and how to integrate user groups in AirWatch.

Requirements, Setup, and User Integration

Learn about which Lightweight Directory Access Protocol (LDAP)-based directory services you need, which ports to use, and what organization group to designate as the primary root.

The Directory Services page in system settings enables you to integrate AirWatch with your organization's domain controller. Security Assertion Markup Language (SAML) settings can also be configured on this page.

Integrate your directory users to provide everyone in your organization with an AirWatch account, which is required if they intend to use an AirWatch managed device.

Directory User Group Integrations

If you have user groups in your active directory structure, you can make the same user groups in AirWatch. Take advantage of this feature to enable integrated updates so when you change your active directory user group assignments, those same changes get made in AirWatch.

Requirements for Directory Services

AirWatch supports integration with Lightweight Directory Access Protocol (LDAP)-based directory services.

- Microsoft Active Directory
- Lotus Domino
- Novell e-directory

The default port for unencrypted LDAP communication is 389. Software as a Service (SaaS) environments can use SSL encrypted traffic using port 636.

Ensure the Directory Sync Service and the Scheduler Service are running on the same server, since they write to and read from the same queues.

You must designate an existing organization group (OG) as the primary root OG from which you manage devices and users. Directory services (and VMware Enterprise Systems Connector when used) must be enabled in AirWatch at the level of this root OG. For example, if the root organization group is Internal and VMware Enterprise Systems Connector integration is in place, then enable VMware Enterprise Systems Connector integration with the selected internal organization group.

Chapter 2: Directory Services Setup

- Directory Services Setup Overview
- Set up Directory Services with a Wizard
- Set up Directory Services Manually
- VMware Identity Manager and Directory Services
- Integrate VMware Identity Manager With Directory Services
- Manage the VMware Identity Manager Integration
- Map Directory Services User Information
- Map Directory Services Group Information

Directory Services Setup Overview

Directory services setup requires you to integrate your AirWatch environment with your directory service including attribute mapping for users and user groups.

Use the Directory Services page to configure the settings that let you integrate your AirWatch server with your organization's domain controller (the server hosting your directory services system). Security Assertion Markup Language (SAML) settings can also be configured on this page. For more information, refer to the VMware AirWatch SAML Integration Guide, available on AirWatch Resources.

After entering server settings, you can filter searches to identify users and groups and set options to auto merge and sync between your AirWatch configured groups and directory service groups. You can also map attribute values between AirWatch user attributes and your directory attributes.

Note: For Software as a Service (SaaS) customers, directory services integration requires you to install the VMware Enterprise Systems Connector. For more information, refer to the VMware Enterprise Systems Connector Guide, available at https://www.vmware.com/support/pubs/workspaceone-pubs.html.

Set up Directory Services with a Wizard

The AirWatch Console provides a simplified wizard to streamline the directory services setup process. The wizard includes steps to integrate either Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP) or both.

The wizard also automates the provisioning of AirWatch applications to VMware Identity Manager, greatly simplifying the process. For more information about integrating AirWatch with Identity Manager and deploying Workspace ONE with single sign-on to devices, see the Workspace ONE Quick Configuration Guide, available at https://resources.airwatch.com/view/8hn3vx99793xb8xgm362.

1. Access the directory services setup wizard from two places.
   - The main AirWatch Console Getting Started Wizard.
   - Or navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services and select Launch Setup Wizard.

2. Upon launching the wizard, select Configure to follow the steps. Alternately, you can Skip wizard and configure manually to configure settings on your own.

Note: The AirWatch Console detects if SAML or LDAP settings are already configured.

Set up Directory Services Manually

If you want to customize your directory service settings, you can skip the wizard and configure your settings manually.

1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services and select the Server tab.

2. Enter your server information.

LDAP

Directory Type: Select the type of directory service that your organization uses.
Note: AirWatch supports open source LDAP for directory services. For more information, see the following knowledgebase article: https://support.airwatch.com/resources/115001696028.

Enable DNS SRV: Enable this option to allow the Domain Name System Service Record to decide which server in its prioritized list of servers can best support LDAP requests, which ensures continuity of services in a high availability environment. The default setting is Disabled. With this option disabled, AirWatch uses your existing directory server, of which you enter the address in the Server setting.

Server: Enter the address of your directory server. This setting is only available when Enable DNS SRV is Disabled.

Encryption Type: Select the type of encryption to use for directory services communication. The options available are None (unencrypted), SSL, and Start TLS.

Port: Enter the Transmission Control Protocol (TCP) port that is used to communicate with the domain controller. The default for unencrypted directory service communication is 389. Only SaaS environments allow Secure Sockets Layer (SSL) encrypted traffic using port 636 (AirWatch SaaS IP range: 205.139.50.0 /23). When you change the Encryption Type setting to SSL, the Port setting automatically changes to 636. When you select the Add Domain button, the Port setting automatically changes to 3268.

Verify SSL Certificate: This setting only becomes visible when the Encryption Type is SSL or Start TLS. Select the check box to receive SSL errors.

Protocol Version: Select the version of the Lightweight Directory Access Protocol (LDAP) that is in use. Active Directory uses LDAP versions 2 or 3. If you are unsure of which Protocol Version to use, try the commonly used value of '3'.

Use Service Account Credentials: Enable to use the App pool credentials from the server on which the VMware Enterprise Systems Connector is installed for authenticating with the domain controller. Enabling this option hides the Bind Username and Bind Password settings.

Bind Authentication Type: Select the type of bind authentication that is used to enable the AirWatch server to communicate with the domain controller. If you are unsure of which bind authentication type to use, try the commonly used value of GSS-NEGOTIATE.

Bind Username: Enter the credentials used to authenticate with the domain controller. This account (which the entered username identifies) allows read-access permission on your directory server and binds the connection when authenticating users. Select the Clear Bind Password check box to clear the bind password from the database.

Domain / Server: Enter the default domain and server name for any directory-based user accounts. If only one domain is used for all directory user accounts, fill in the text box with the domain so that users are authenticated without explicitly stating their domain.
Note: You can add more domains by selecting the Add Domain option. In this case, AirWatch automatically changes the port setting to 3268 for global catalog. You may choose to change the port setting to 3269 for SSL encrypted traffic, or override it completely by entering a separate port.

Is there a trust relationship between all domains?: This setting is available only when you have more than one domain added. Select Yes if the binding account has permission to access other domains you have added, which means the binding account can successfully log in from more domains.

The following options are available after selecting the Advanced section drop-down.

Advanced

Search Subdomains: Select to enable subdomain searching to find nested users. Leaving this option disabled can make searches faster and avoids network issues, but users and groups located in subdomains under the base Domain Name (DN) are not identified.

Connection Timeout: Enter the LDAP connection timeout value (in seconds).

Request Timeout: Enter the LDAP query request timeout value (in seconds).

Search without base DN: Enable this option when using a global catalog and when you do not want to require a base DN to search for users and groups.

Use Recursive OID at Enrollment: Enable this option to task the server to verify user group membership at the time of enrollment. As the system runs this feature at enrollment time, your performance may decrease with some directories.

Use Recursive OID For Group Sync: Enable this option to task the server to verify user group membership at the time of Group synchronization.

Object Identifier Data Type: Select the unique identifier that never changes for a user or group. The options available are Binary and String. Typically, the Object Identifier is in Binary format.

Sort Control: Option to enable sorting. If this option is disabled, it can make searches faster and you can avoid sync timeouts.

3. The following settings are available after enabling the Use Azure AD for Identity Services option and are only applicable if you are integrating with Azure Active Directory. Azure AD integration with AirWatch must be configured at the tenant where Active Directory (such as LDAP) is configured.

AZURE ACTIVE DIRECTORY

MDM Enrollment URL: Enter the URL address used to enroll devices.

MDM Terms of Use URL: Enter the URL address of your terms of use agreement.

Tenant Identifier: Enter the identification number used to authenticate your Azure AD license. The Azure Tenant Identifier is found in your Azure AD Directory Instance URL. For example, if your URL is acme.com/ws/adext/dir/0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n, only the last section (0a12bc34-56d7-93f1-g2h3-i4-jk56lm78n) is your Tenant Identifier.

Tenant Name: Enter the tenant name of your Azure AD instance.

4. The following Security Assertion Markup Language (SAML) options are available after enabling the Use SAML for Authentication option and are only applicable if you are integrating with a SAML identity provider:

Enable SAML authentication for: You have the choice of using SAML authentication for Admins, Users, or Both.

Use new SAML Authentication endpoint: A new SAML authentication endpoint has been created for end-user authentication (device enrollment and login to SSP), replacing the two dedicated enrollment and SSP endpoints with a single endpoint. While you may choose to keep your existing settings, AirWatch recommends updating your SAML settings to take advantage of the new combined endpoint. If you would like to make use of the new endpoint, enable this field, save the page, and then use the Export Service Provider Settings to export the new metadata file and upload it to your IdP. Doing so establishes trust between the new endpoint and your IdP.

SAML 2.0

Import Identity Provider Settings: Upload a metadata file obtained from the identity provider. This file should be in Extensible Markup Language (XML) format.

Service Provider (AirWatch) ID: Enter the Uniform Resource Identifier (URI) with which AirWatch identifies itself to the identity provider. This string must match the ID that has been established as trusted by the identity provider.

Identity Provider ID: Enter the URI that the identity provider uses to identify itself. AirWatch checks authentication responses to verify that the identity matches the ID provided here.

REQUEST

Request Binding Type: Select the binding types of the request. The options include Redirect, POST, and Artifact.

Identity Provider Single Sign On URL: Enter the identity provider's Uniform Resource Locator (URL) that AirWatch uses to send requests.

NameID Format: Enter the format in which the identity provider should send a NameID for an authenticated user. This value is not required as AirWatch obtains the username from the FriendlyName uid required attribute.

Authentication Request Security: Select the value specifying whether or not AirWatch should sign authentication request messages.

RESPONSE

Response Binding Type: Select the binding types of the response. The options include Redirect, POST and Artifact.

Sp Assertion URL: Enter the AirWatch URL that the identity provider configures to direct its authentication responses. Assertions regarding the authenticated user are included in success responses from the identity provider.

Authentication Response Security: Select the value specifying whether or not the response is signed.

CERTIFICATE

Identity Provider Certificate: Upload the identity provider certificate.

Service Provider (AirWatch) Certificate: Upload the service provider certificate.

Export Service Provider Settings button: Select this button to export the metadata file for uploading to your Identity Provider (IdP). This setting establishes trust between the new SAML endpoint (for enrollment and SSP login) and your IdP.

Note: For additional information about using SAML for authentication, refer to the VMware AirWatch SAML Integration Guide, available on AirWatch Resources.

5. Select the Test Connection button to verify that you have established proper connectivity.

6. Select Save.

VMware Identity Manager and Directory Services

After configuring directory integration settings between your AirWatch instance and VMware Identity Manager, your end users must sign in only once using Workspace One. This single sign-on enables access to all your organization's available recommended apps without the need to sign in each time.

VMware Identity Manager together with AirWatch enable you to consolidate a list of all your organization's recommended Web apps and native mobile apps in unified application catalogs. This functionality does not allow for AirWatch to receive directory changes from Identity Manager.

For more information about integrating AirWatch with Identity Manager and deploying Workspace ONE with single sign-on to devices, see the Workspace ONE Quick Configuration Guide, available at https://resources.airwatch.com/view/8hn3vx99793xb8xgm362.

Requirements

There are steps you must take before you can integrate directory services with VMware Identity manager.

- Accept the End User License Agreement (EULA) found in the VMware Identity Manager console. This is the EULA that displays when you first open the console.
- VMware Enterprise Systems Connector must be set up and configured for your AirWatch environment.
- Directory service integration must be set up and configured for the chosen organization group and not inheriting settings from a parent organization group.

Synchronization Between AirWatch and VMware Identity Manager

Synchronization of directory information between AirWatch and VMware Identity Manager occurs on the same schedule as the AirWatch directory sync. Users are also synced to VMware Identity Manager immediately when added by an administrator manually or from bulk import.

Also, the integration with VMware Identity Manager supports Just-in-Time provisioning (JIT). This means users with directory accounts have their accounts synced to VMware Identity Manager the first time they log in using enrollment or self-service portal. Manual synchronization is not required to add a single user to VMware Identity Manager immediately.

Integrate VMware Identity Manager With Directory Services

Use the following instructions to configure server-related settings.

For more information about integrating AirWatch with Identity Manager and deploying Workspace ONE with single sign-on to devices, see the Workspace ONE Quick Configuration Guide, available at https://resources.airwatch.com/view/8hn3vx99793xb8xgm362.

1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Identity Manager and select the Configure button from the Server section.

2. Enter your server information:

URL: Enter the URL of your VMware Identity Manager tenant to bind to AirWatch. A valid license for VMware Identity Manager is required.

Admin Username: Enter the administrator username, which is case-sensitive.

Admin Password: Enter the administrator password, which is case-sensitive.

3. Select the Test Connection button to verify that you have established proper connectivity.

4. Select the Save button to save your selections and proceed to the next configuration screen.

Directory: AirWatch imports the directory name based on your existing directory in AirWatch. Enter the same directory name as used by VMware Identity Manager.

Enable Custom Mapping: Enable custom mapping as applicable to map the directory integration in AirWatch to VMware Identity Manager so they are in sync. Most directory service configurations use Standard mapping. Custom mapping attributes are for customers who have a non-standard directory service database value mapping or an otherwise customized configuration between directory service and AirWatch.

Password: Directory services user's password.

MAPPING ATTRIBUTES

ExternalID: Identifies the source of a user, in case multiple users have the same username.

roles: Default role of the directory service user.

UserStore: The name of the user store to which a user belongs.

Email*: Directory service user's email address. The email address mapped according to this attribute must be the same as that which was used in the original configuration between directory services and AirWatch. Otherwise this setting, and by extension the user's entire account, will not sync correctly.

username*: Username associated with the directory services.

firstname*: Directory service user's first name.

lastname*: Directory service user's last name.

phone: Phone number of the directory service user.

disabled: Indicates whether the directory account is disabled.

employeeid: Select the employee ID from the drop-down listing.

distinguishedname: Select the distinguished name for the directory services user from the drop-down listing.

userprincipalname: Select the principal username for Directory services user from the drop-down listing.

* Required settings for both Standard and Custom attribute mapping.

Note: The mapping attribute fields presented here are default fields. You can add more attributes.

5. Select the Save button to save your configuration and refresh the page.

6. Select the Sync Now button to initiate a synchronization of the structures within your directory services and VMware Identity Management.

Manage the VMware Identity Manager Integration

After you bind your directory settings between AirWatch and Identity Manager, you can perform some management actions on the Groups & Settings > All Settings > System > Enterprise Integration > VMware Identity Manager settings page.

- Select the Edit button to make changes to the VMware Identity Management for Directory Services configuration.
- Select the Delete button to delete the configuration.
- Select the Test Connection button to verify that you have established proper connectivity.

Map Directory Services User Information

After entering server settings, you can filter searches to identify users and map values between AirWatch user attributes and your directory attributes. Use the following instructions to configure user-related settings.

1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.

2. Select the User tab. By default, only the Base DN information displays.

3. Base DN: Select the Fetch DN plus sign (+) next to the Base DN column, which displays a list of Base DNs from which you can select to populate this text box. If it does not, revisit the settings you entered on the Server tab before continuing.

4. Enter data in the following settings.

User Object Class: Enter the appropriate Object Class. In most cases this value is "user."

User Search Filter: Enter the search parameter used to associate user accounts with Active Directory accounts. The recommended format is "<LDAPUserIdentifier>={EnrollmentUser}" where <LDAPUserIdentifier> is the parameter used on the directory services server to identify the specific user.
- For AD servers, use "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))" exactly.
- For other LDAP servers, use "CN={EnrollmentUser}" or "UID={EnrollmentUser}"

5. Select Show Advanced to display more settings.

Auto Merge: Enable setting to allow user group updates from your directory service to automatically merge with the associated users and groups in AirWatch.

Automatically Set Disabled Users to Inactive: Select Enable to deactivate the associated user in AirWatch when that user is disabled in your LDAP directory service (for example, Novell e-directory).

Value For Disabled Status: Enter a numeric value and select the type of Lightweight Directory Access Protocol (LDAP) attribute used to represent a user's status. Select Flag Bit Match if the user status is designated by a bitwise flag (which is the default for Active Directory). When Flag Bit Match is selected, directory services considers the user to be disabled if any bits from the property match the entered numeric value. This field is only visible when the field Automatically Set Disabled Users to Inactive is checked.
Note: If you select this option, then AirWatch administrators set as inactive in your directory service are not able to log into the AirWatch Console. In addition, enrolled devices assigned to users who are set as inactive in your directory service are automatically unenrolled.

Enable Custom Attributes: Select to enable custom attributes, which is a section that appears under the main Attribute Mapping Value table. You must scroll down to the bottom of the page to see the Custom Attributes.

Attributes: Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between AirWatch user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in Active Directory (AD). You should update these mapping values to reflect the values used for your own or other directory service types.

Sync Attributes button: Select to manually sync the attributes mapped here to the user records in AirWatch. Note that attributes sync automatically on the time schedule configured for the AirWatch environment.

Map Directory Services Group Information

After entering server settings, you can filter searches to identify user groups, and set options to auto merge and sync changes between your AirWatch groups and directory service groups. Use the following instructions to configure user group-related settings.

1. Navigate to Accounts > Administrators > Administrator Settings > Directory Services.

2. Select the Group tab. By default, only the Base DN information displays.

3. Base DN: Select the Fetch DN plus sign (+) next to the Base DN setting to display a list of Base DNs from which you can select to populate this text box. If it does not, revisit the settings you entered on the Server tab before continuing.

4. Enter data in the following settings.

Group Object Class: Enter the appropriate Object Class. In most cases this value should be group.

Organizational Unit Object Class: Enter the appropriate Organizational User Object Class.

5. To display more settings, select Advanced. Enter data in the following text boxes.

Group Search Filter: Enter the search parameter used to associate user groups with directory service accounts.

Auto Sync Default: Select this checkbox to automatically add or remove users in AirWatch configured user groups based on their membership in your directory service.

Auto Merge Default: Select this check box to automatically apply sync changes without administrative approval.

   Maximum Allowable Changes: Enter the number of maximum allowable group membership changes to be merged into AirWatch. Any number of changes detected upon syncing with the directory service database under this number are automatically merged. If the number of changes exceed this threshold, an administrator must manually approve the changes before they are applied. A single change is defined by a user either leaving or joining a group. A setting of 100 Maximum Allowable Changes means the Console does not need to sync with your directory service as much.
   Conditional Group Sync: Enable this option to sync group attributes only after changes occur in Active Directory. Disable this option to sync group attributes regularly, regardless of changes in Active Directory.
   Auto Friendly Name Update: When enabled, the friendly name is updated with group name changes made in active directory. When disabled, the friendly name can be customized so admins can tell the difference between user groups with identical common names. This can be useful if your implementation includes organizational unit-based user groups with the same common name.
   Attributes: Review and edit the Mapping Values for the listed Attributes, if necessary. These columns show the mapping between AirWatch user attributes (left) and your directory service attributes (right). By default these attributes are values most commonly used in AD. Update these mapping values to reflect the values used for your own or other directory service types.

Note: No AD passwords are stored in the AirWatch database except the Bind account password used to link directory services into your AirWatch environment. The Bind account password is stored in an encrypted form in the database and is not accessible from the console. Unique session keys are used for each sync connection to the Active Directory server.

Note: In some instances, global catalogs are used to manage multiple domains or AD Forests. Delays while searching for or authenticating users may be due to a complex directory structure. You can integrate directly with the global catalog to query multiple forests using one Lightweight Directory Access Protocol (LDAP) endpoint for better results. To integrate with the global catalog directly, configure the following settings:

Encryption Type = None
Port = 3268

Verify that your firewall allows for this traffic on port 3268.
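The Auto Merge Default and Maximum Allowable Changes settings described above act as a guardrail on bulk group membership changes. The following Python model of that decision is an added example, not AirWatch code: every function and field name is hypothetical, the member lists are constructed, and treating a change count equal to the limit as mergeable is an assumption, because the guide only describes counts under and over the limit.

```python
"""Added example: models the group-sync merge guardrail. Not AirWatch code."""
from dataclasses import dataclass

AUTO_MERGE = "auto_merge"          # changes are applied without review
NEEDS_APPROVAL = "needs_approval"  # an administrator must approve first
NO_CHANGES = "no_changes"


@dataclass(frozen=True)
class SyncPlan:
    joins: frozenset    # in the directory group, missing from the console group
    leaves: frozenset   # in the console group, gone from the directory group
    decision: str
    reason: str

    @property
    def change_count(self):
        # The guide counts one change per user joining or leaving a group.
        return len(self.joins) + len(self.leaves)


def _normalize(members):
    # Assumption: account names are compared case-insensitively and
    # blank entries are ignored.
    return frozenset(m.strip().lower() for m in members if m and m.strip())


def plan_group_sync(directory_members, console_members,
                    max_allowable_changes, auto_merge_default=True):
    """Diff the two membership lists and decide whether to merge or hold."""
    if max_allowable_changes < 0:
        raise ValueError("max_allowable_changes must be zero or greater")
    directory = _normalize(directory_members)
    console = _normalize(console_members)
    joins = directory - console
    leaves = console - directory
    count = len(joins) + len(leaves)
    if count == 0:
        return SyncPlan(joins, leaves, NO_CHANGES, "membership already matches")
    if not auto_merge_default:
        return SyncPlan(joins, leaves, NEEDS_APPROVAL,
                        "Auto Merge Default is off")
    if count > max_allowable_changes:
        return SyncPlan(joins, leaves, NEEDS_APPROVAL,
                        f"{count} changes exceed the limit of {max_allowable_changes}")
    return SyncPlan(joins, leaves, AUTO_MERGE,
                    f"{count} changes within the limit of {max_allowable_changes}")


if __name__ == "__main__":
    # Constructed sample data: a console group of 150 users.
    console = [f"user{i:03d}" for i in range(150)]

    # Routine sync: one user left, one joined.
    routine = plan_group_sync(console[1:] + ["newhire"], console, 100)
    print(routine.decision, routine.change_count, routine.reason)

    # Failure mode: the directory search returns nothing (for example a
    # wrong Base DN), so every member looks like a leaver. The limit
    # holds the change for review instead of emptying the group.
    empty = plan_group_sync([], console, 100)
    print(empty.decision, empty.change_count, empty.reason)
```

The second case is the one the limit exists for: a search that returns no members is indistinguishable from every user leaving the group, and a held sync gives an administrator the chance to catch it.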

Chapter 3: Directory User Integration

- Directory Service User Integration Overview
- Adding Directory Users Into AirWatch
- Add Individual Directory Users One at a Time
- Batch Import Directory Users
- Directory Service User Self-Enrollment

Directory Service User Integration Overview

Every directory user you want to manage through AirWatch Mobile Device Management (MDM) must have a corresponding user account in the AirWatch Console. You can directly add your existing directory services users to AirWatch using one of the following methods.

- Batch upload a file containing all your directory services users. The act of batch importing automatically creates a user account.
- Create AirWatch user accounts one at a time by entering the directory username and selecting Check User to autopopulate remaining details.
- Neither batch import nor manually create user accounts and instead allow all directory users to self-enroll at enrollment time.

A fourth option, applying AirWatch user groups linked to directory service groups, is explained in the next section and can be used with these methods or by itself.

Note: For information about how these methods affect various directory services enrollment options, refer to the VMware AirWatch Mobile Device Management Guide, available on AirWatch Resources.

Managing Directory Service Users in AirWatch

If you choose to use directory services in AirWatch, note the following.

- Directory users can only be created at the same level as the organization group where directory services settings are enabled.
- You can see users at the organization group level where they have a device enrolled, but they can only be managed at the same level as the directory service settings.
- To delete or edit a user account, you must be at the same level as the directory services settings.
- To add a device to an existing AirWatch user account, you must be at a lower level than the root organization group where directory services are enabled.

Adding Directory Users Into AirWatch

You can add directory users into AirWatch one at a time or use a batch import process. Adding individual directory users one at a time is ideal for when you have a few users to add. Batch importing directory users is preferred for when you have many users to add.
Using the batch import method means uploading a list of directory services users in a CSV (comma-separated values) template file, which has specific columns. To make converting your existing directory service user data easier, consider mapping the text boxes AirWatch requires to existing attributes in your database. You can then use custom queries to create a spreadsheet which you can copy and paste.

Pros: This option creates AirWatch user accounts, which enable you to use enrollment options that require user accounts, such as registration tokens. If you have users not included in Mobile Device Management (MDM), you can omit them from the CSV file thus restricting enrollment to only known users.

Cons: Back-end configuration is required to automate the creation of a CSV batch file that can be used to upload users. The alternative is to enter each user manually. This means user assignment to organization groups must be thought out beforehand to ensure proper profile, policy, content, and app assignments.

Add Individual Directory Users One at a Time

AirWatch enables you to add directory users in small numbers or if you have a 'one-off' addition to make.

1. Navigate to Accounts > Users > List View and select Add and then Add User. The Add / Edit User page displays.
2. In the General tab, complete the following settings to add a directory user.
   Security Type: Choose Directory to add an Active Directory user.
   Directory Name: This pre-populated setting identifies the Active Directory name.
   Domain: Choose the domain name from the drop-down menu.
   User name: Enter the user's directory user name and select Check User. If the system finds a match, the user's information is automatically populated. The remaining settings in this section are only available after you have successfully located an active directory user with the Check User button.
   Full Name: Use Edit Attributes to allow any option that syncs a blank value from the directory to be edited. Edit Attributes also enables you to populate matching user's information automatically. If a setting syncs an actual value from the directory, then that setting must be edited in the directory itself. The change takes effect on the next directory sync. Complete any blank option returned from the directory in Full Name and select Edit Attributes to save the addition.
   Display Name: Enter the name that displays in the admin console.
   Email Address: Enter or edit the user's email address.
   Email user name: Enter or edit the user's email user name.
   Domain (email): Select the email domain from the drop-down menu.
   Phone Number: Enter the user's phone number including plus sign, country code, and area code. If you intend to use SMS to send notifications, the phone number is required.

   Enrollment
   Enrollment Organization Group: Select the organization group into which the user enrolls.
   Allow user to enroll into additional Organization Groups: Choose whether or not to allow the user to enroll into more than one organization group. If you select Enabled, then complete the Additional Organization Groups.
   User Role: Select the role for the user you are adding from this drop-down menu.

   Notification
   Message Type: Choose the type of message you may send to the user, Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number text box.
   Message Template: Choose the template for email or SMS messages from this drop-down setting. Optionally, select the Message Preview to preview the template and select the Configure Message Templates link to create a template.
3. You may optionally select the Advanced tab and complete the following settings.

   Advanced Info Section
   Email Password: Enter the email password of the user you are adding.
   Confirm Email Password: Confirm the email password of the user you are adding.
   Distinguished Name: For directory users recognized by VMware AirWatch, this text box is pre-populated with the distinguished name of the user. Distinguished Name is a string representing the user name and all authorization codes associated with an Active Directory user.
   Manager Distinguished Name: Enter the distinguished name of the user's manager. This text box is optional.
   Category: Choose the user category for the user being added.
   Department: Enter the user's department for your company's administrative purposes.
   Employee ID: Enter the user's employee ID for your company's administrative purposes.
   Cost Center: Enter the user's cost center for your company's administrative purposes.
   Custom Attribute 1-5 (for Directory users only): Enter your previously configured custom attributes, where applicable. You may define these custom attributes by navigating to Groups & Settings > All Settings > Devices & Users > Advanced > Custom Attributes. Note: Custom attributes can be configured only at Customer organization groups.

   Certificates Section
   Use S/MIME: Enable or disable the use of Secure/Multipurpose Internet Mail Extensions (S/MIME). If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate by selecting Upload.
   Separate Encryption Certificate: Enable or disable the use of a separate encryption certificate. If enabled, you must upload an encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing and encryption, unless a different certificate is expressly being used.

   Old Encryption Certificate: Enable or disable a legacy version encryption certificate. If enabled, you must Upload an encryption certificate.

   Staging Section
   Enable Device Staging: Enable or disable the staging of devices. If enabled, you must choose between Single User Devices and Multi User Devices. If Single User Devices, you must select between Standard, where users themselves log in, and Advanced, where a device is enrolled on behalf of another user.
4. Select Save to save only the new user or select Save and Add Device to save the new user and proceed to the Add Device page.

Batch Import Directory Users

If you have many directory users to add to AirWatch, you can save time by initiating a batch import process.

1. Navigate to Accounts > Users > Batch Status or Devices > Lifecycle > Enrollment Status > Add and select Batch Import.
2. Enter the basic information including a Batch Name and Batch Description in the AirWatch Console.
3. Select the applicable batch type from the Batch Type drop-down menu.
4. Select and download the template that best matches the kind of batch import you are making.
   Blacklisted Devices: Import a list of known, non-compliant devices by IMEI, Serial Number, or UDID. Blacklisted devices are not allowed to enroll. If a blacklisted device attempts to enroll, it is automatically blocked.
   Whitelisted Devices: Import pre-approved devices by IMEI, Serial Number, or UDID. Use this to import a list of known, trusted devices. The ownership and group ID associated with this device are automatically applied to the device during enrollment.
   User And/Or Device: Choose between a Simple CSV template, featuring only the most often-used options, and an Advanced CSV template, featuring the full, unabridged complement of options.
5. Open the CSV (comma-separated values) file, which is populated with a single row of sample device data. The CSV file features several columns corresponding to the settings that display on the Add / Edit User page. The GroupID column corresponds to the Enrollment Organization Group setting on the Add / Edit User page. The enrollment organization group is the one into which the user is enrolled if the Group ID Assignment Mode is set to Default in Groups & Settings > All Settings > Devices & Users > General > Enrollment in the Grouping tab. For directory-based enrollment, the Security Type for each user is Directory.
6. Enter data for your organization's users, including device information if applicable, and save the file.
7. Return to the Batch Import page and select Choose File to locate and upload the CSV file that you had previously downloaded and filled out.
8. Select Save.

The user account and device details, if included, are added to the AirWatch Console. From here, you can send users enrollment message prompts to initiate enrollment or registration tokens for simplified single-click or dual-factor enrollment. For more information about these options, refer to "Device Enrollment" in the VMware AirWatch Mobile Device Management Guide, available on AirWatch Resources.

Directory Service User Self-Enrollment

User Self-Enrollment applies your existing directory service environment to auto discover users based on their email. There are other considerations.

Pros: Requires the least amount of effort while still supporting the ability to sync changes to user attributes that are made in your directory service. Self-enrollment also creates an AirWatch user account.

Cons: Does not allow you to restrict enrollment to specific users or user groups, which means any directory user with a valid email address can enroll a device.

Enable All Directory Users to Self-Enroll

You can enable all your directory users to enroll themselves based on their email addresses, which requires the least amount of effort while retaining the ability to sync user attributes. However, you are unable to restrict enrollment to specific users or user groups.

1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and select the Restrictions tab.
2. Scroll to the Enrollment Restrictions section of this page and ensure that the Restrict Enrollment To Known Users and Restrict Enrollment To Configured Groups check boxes are both deselected. When deselected, all your directory users and members of user groups (as configured in the directory services settings page) are allowed to enroll provided they have a valid email address.

Note: For additional information about these check boxes and how they apply to enrollment with directory services integration, refer to "Device Enrollment" in the VMware AirWatch Mobile Device Management Guide, available on AirWatch Resources.

Chapter 4: Directory User Group Integration

- Directory User Group Integration Overview
- Organization Groups vs. User Groups
- Adding Directory Service User Groups to AirWatch
- Add Directory User Groups One at a Time
- Batch Import Directory User Groups
- Edit User Group Permissions
- Mapping User Groups for Enrollment and Console Access
- Deploying Apps, Policies, and Profiles by User Group
- Deactivate and Reactivate Users Automatically
- Perform Automatic Enterprise Wipe for Users That Do Not Belong to a User Group
- Set Disabled Users to Inactive Automatically
- Remove Users From User Groups Based on Directory Service Group Membership
- Synchronization Errors

Directory User Group Integration Overview

An alternative to custom user groups without active directory integration is through user group integration that leverages your existing active directory structure, providing many benefits. Once you import existing directory service user groups as AirWatch user groups, you can perform the following.

- User Management: Reference your existing directory service groups (such as security groups or distribution lists) and align user management in AirWatch with the existing organizational systems.
- Profiles and Policies: Assign profiles, applications, and policies across an AirWatch deployment to groups of users.
- Integrated Updates: Automatically update user group assignments based on group membership changes.
- Management Permissions: Set management permissions to only allow approved administrators to change policy and profile assignments for certain user groups.
- Enrollment: Allow users to enroll with existing credentials and automatically assign an organization group.

Organization Groups vs. User Groups

Organization groups (OG) are still the primary means of performing the following tasks in AirWatch. User groups do not replace organization groups in AirWatch, rather, they are used to represent security groups and business roles.

Organization Groups

The primary difference between organization groups and user groups is that devices are always tied to an OG.

You set the administration management permissions in the AirWatch Console through an organization group. Profiles, policies, and applications are assigned to organization groups. Even though it is possible to assign these resources to user groups, user groups only act as an extra filter on top of organization groups.

Tracking assets on AirWatch dashboards. Organization groups are still the primary filter on all console pages for all dashboards and views. OGs define at which business units the devices live, so consider the device groupings you want to view on the AirWatch dashboards.

Configuring system config settings. System settings are tied to organization groups. You must define different organization groups if you need different system settings. Examples of important settings to consider include:

- Enrollment Settings and Restrictions
- Terms of Use
- Privacy Policies

Existing MDM assignments are not affected once you import user groups. Facilitate the transition process and ensure that users do not experience any disruption to their current configurations by applying policies to user groups manually as needed.

User Groups

AirWatch recommends that you use user groups to represent security groups or business roles within your organization. Users can belong to multiple user groups, but devices still belong to only one organization group. AirWatch currently supports the assignment of profiles, policies, and internal apps to user groups.

Transition Options for Best Practices

If you have already defined OGs to represent user security groups, one of the following options may help you reconfigure your organization group and user group structure to be more streamlined.

- Reconfigure your system to associate profiles, applications, and enrollment restrictions with user groups. Assign each profile, app, and enrollment restriction to the appropriate user groups. Change the organization group assignment to one organization group up. Add user group assignment.
- You may choose to reconfigure your hierarchy to remove old or unused organization groups. Move up devices one organization group (from child to parent). Delete old organization groups.
- You can choose to leave your structure as-is. At this point, the organization group can be considered the Primary Security Group of the device. The user groups are used for assigning profiles and policies. The old, unused organization groups can remain for asset tracking purposes.

Adding Directory Service User Groups to AirWatch

You can add directory service user groups into AirWatch one at a time or use a batch import process. Adding directory user groups one at a time is ideal for when you have a limited number of groups to add. Batch importing directory user groups is preferred for when you have many user groups to add.

Using the batch import method means uploading a list of your existing directory service groups in a .csv (comma-separated values) template file. While this method does not immediately create AirWatch user accounts for each of your directory service accounts, it does ensure AirWatch recognizes them as belonging to a configured group. You can then use this recognition as a means of restricting who can enroll. User groups in AirWatch can be synced automatically if configured with a scheduler with your directory service groups to merge changes or add missing users.

Pros: You have the option of restricting enrollment to only known groups, which lets you restrict on a user group level who can enroll. This method also keeps your existing directory service group infrastructure and allows you to assign profiles, policies, content, and apps based on these existing group setups.

Cons: Uploading directory service user groups does not automatically create AirWatch user accounts. If you have restricted enrollment for known users, you need to add those user accounts into the AirWatch Console manually.

Add Directory User Groups One at a Time

If you have just a few user groups to add to AirWatch, then take the following steps to add a directory service user group.

1. Navigate to Accounts > User Groups > List View, select Add, then Add User Group.
2. Complete the settings in the Add User Group screen as applicable, ensuring the user group Type is Directory.
   Type: Select the type of User Group.
   - Directory: Create a user group that is aligned with your existing active directory structure.
   - Custom: Create a user group outside of your organization's existing Active Directory structure, granting access to features and content for basic and directory users to customize user groups according to your deployment. Custom user groups can only be added at a customer level organization group.
   External Type: Select the external type of group you are adding.
   - Group: Refers to the group object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
   - Organizational Unit: Refers to the organizational unit object class on which your user group is based. Customize this class by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > Group.
   - Custom Query: You can also create a user group containing users you locate by running a custom query. Selecting this external type replaces the Search Text function but displays the Custom Query section.
   Search Text: Enter the search criteria to identify the name of a user group in your directory and select Search to search for it. If a directory group contains your search text, a list of group names displays. This option is unavailable when External Type is set to Custom Query.
   Directory Name: Read-only setting displaying the address of your directory services server.
   Domain and Group Base DN: This information automatically populates based on the directory services server information you enter on the Directory Services page (Groups & Settings > System > Enterprise Integration > Directory Services). Select the Fetch DN plus sign (+) next to the Group Base DN setting, which displays a list of distinguished name elements from which you can select.

   Custom Object Class: Identifies the object class under which your query runs. The default object class is 'person' but you can supply a custom object class to identify your users with greater success and accuracy. This option is available only when Custom Query is selected as External Type.
   Group Name: Select a Group Name from your Search Text results list. Selecting a group name automatically alters the value in the Distinguished Name setting. This option is available only after you have completed a successful search with the Search Text setting.
   Distinguished Name: This read-only setting displays the full distinguished name of the group you are creating. This option is available only when Group or Organizational Unit is selected as External Type.
   Custom Base DN: Identifies the base distinguished name which serves as the starting point of your query. The default is 'airwatch' and 'sso' but you can supply a custom base distinguished name if you want to run the query with a different starting point. This option is available only when Custom Query is selected as External Type.
   Organization Group Assignment: This optional setting enables you to assign the user group you are creating to a specific organization group. This option is available only when Group or Organizational Unit is selected as External Type.
   User Group Settings: Choose between Apply default settings and Use Custom settings for this user group. See the Custom Settings section for additional setting descriptions. Configure this from the permission settings after the group is created. This option is available only when Group or Organizational Unit is selected as External Type.

   Custom Query
   Query: This setting displays the currently loaded query that runs when you select the Test Query button and when you select the Continue button. Changes you make to the Custom Logic setting or the Custom Object Class setting are reflected here.
   Custom Logic: Add your custom query logic here, such as user name or admin name. For example, "cn=jsmith". You can include as much or as little of the distinguished name as you like. The Test Query button allows you to see if the syntax of your query is correct before selecting the Continue button.

   Custom Settings
   Management Permissions: You can allow or disallow all administrators to manage the user group you are creating.
   Default Role: Choose a default role for the user group from the drop-down menu.
   Default Enrollment Policy: Choose a default enrollment policy from the drop-down menu.