VMware Workspace ONE Community
Justin_5
Contributor

Possible? AD Account Disabled but No Enterprise Wipe

Good morning 

Thank you for taking the time to review my post and for possibly answering my question. 

Our Active Directory and Security team have set a policy that disables a user in AD when an account is deemed "At Risk". 
Once the user is disabled in AD, after a short while an instruction is sent to all iPads (up to 4) enrolled with that account causing them to Enterprise wipe. Our enrolment process is manual and once the iPads are wiped, it's tiresome guiding the end user through the enrolment process. 

The AD&S team won't change their policy, and the user would only remain disabled for a few hours, possibly a few days (over the weekend). Is there a way to stop the Enterprise Wipe from happening in the first place? 

Or am I looking at this wrong, and there's a better solution? 

Kind Regards,
Justin 

2 Replies
mabdelhamid
Enthusiast

I believe you have "Automatically Sync Enabled Or Disabled User Status" setting enabled.

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/Directory_Service_Integration/GUID-AWT-SETD...

So, when a user is disabled, his device will be automatically unenrolled.

Phil_Helmling
VMware Employee

Default behaviour for devices registered to inactive users is Enterprise Wipe as described here:

https://kb.vmware.com/s/article/50120774 

However, even though not described properly in the below doc link, this can be set to "Restrict Additional Device Enrollment" which will suit your needs.

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/UEM_Managing_Devices/GUID-ConfigureEnro...