generix
Contributor

AD Sync Best Practice

I'm wondering about the best practice for AD sync with a WS1 UEM and WS1 Access environment. See attached image.

I understand that the AirWatch Cloud Connector (ACC) connects to AD and syncs to WS1 UEM. Once in UEM, these users can then be synced TO WS1 Access. There are some use cases that this method does not support (Horizon, etc.).

I also understand that the WS1 Access Connector can be used to sync AD directly with WS1 Access.  This method supports all use cases and removes the dependency on WS1.

Questions:

  1. Can WS1 UEM sync users FROM WS1 Access (via the WS1 Access Connector) instead of from the ACC?  If so, why not always use the WS1 Access Connector route since it supports all use cases?
  2. Is it best practice to deploy both the ACC and the WS1 Access Connector if using WS1 UEM and WS1 Access for Hub Services?  What are some scenarios that dictate which direction to take?

I'd like to avoid overcomplicating things but am unsure about what is best practice and why. Thank you!

0 Kudos
2 Replies
Noordan
Hot Shot

Hi

Based on my understanding and knowledge, it is recommended to have both the Workspace ONE Access Connector and the AirWatch Cloud Connector deployed.

You can provision users from WS1 Access to Workspace ONE UEM with the application called AirWatch Provisioning. This is usually used when you have a JIT directory in WS1 Access.

https://vpractices.wordpress.com/2020/06/11/airwatch-cloud-connector-vs-workspace-one-access-connect... 

0 Kudos
generix
Contributor

Thank you for the reply and link.  For some reason your link escaped my searching.

For those coming across this later, here's an additional link regarding AirWatch Provisioning: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/ws1access-awprovisiongapp/GUID-11206...

From the above link: You use the AirWatch Provisioning app with the Workspace ONE UEM service when an LDAP server cannot be used with the VMware AirWatch Cloud Connector to synchronize users. 

So to me this sounds like the ACC should be used if possible as a first resort, and then if not possible use the AirWatch Provisioning app.

From my additional research I have also concluded that running both the ACC and the WS1 Access Connector simultaneously seems to be the preferred route (for reasons I do not know).  Perhaps it is to remove the WS1 dependency for syncing users into WS1 Access, or something else similar.

 

0 Kudos