VMware Workspace ONE Community
ArnoldssonLena
Contributor

User status does not sync

Hi, I have come to the realization that our users synced into AirWatch never get disabled/deleted from the console even though they are deleted or disabled in Active Directory.

Using an LDAP setup with the following rules:

Auto Merge - Enabled
Automatically Sync Enabled or Disabled user status - Enabled
Value For Disabled Status - 2 Flag Bit Match
Enable Custom Attributes - Disabled
18 Replies
TimWelbourn
Contributor

Hi Arnoldsson,

Did you ever find a solution? We are seeing the same thing in our environment.

Thanks,
Tim
chengtmskcc
Expert

I could be wrong, but I believe with AirWatch it's a one-way sync from AD, meaning the user account is never deleted from AirWatch when it's deleted from AD.
TimWelbourn
Contributor

Hi Tomas,

We are trying to follow these steps (https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-guides-95/GUID-AW95-SetDisab...) to set Workspace ONE UEM users to inactive when their corresponding user object in Active Directory is disabled. We are looking for a one-way user attribute sync from AD to Workspace ONE UEM.

-Tim
chengtmskcc
Expert

Thanks for sharing, Tim. That should work but wouldn't delete the account in the console.
LukeDC
Expert

I use a script that calls the REST API to remove accounts with no devices enrolled for housekeeping; you could do the same against inactive-flagged accounts.
TimWelbourn
Contributor

This script to clean up inactive accounts is a great idea, Luke. Right now, my goal is for the disabled AD accounts to move to inactive in the console. 🙂 I have a case open and will post the solution.
RichB2u2
Hot Shot

In our system, when a user is disabled in AD they get disabled in AirWatch. Ours is syncing, so it can be done.
henkor
Enthusiast

Can someone share his scripts?
Does someone know how long it takes for the user account status to change to inactive in the console after he is disabled in AD?
TimWelbourn
Contributor

Our syncing issue was resolved by enabling Auto Merge in Directory Services.

Hen K. - In Scheduler, set Sync Directory User and Admin Attributes to sync on whatever schedule you prefer.
henkor
Enthusiast

Hey Tim W.,
this setting is already enabled in my environment.
You mention setting a few things in Scheduler...
Where is this 'Scheduler'? (We are in SaaS.)
TimWelbourn
Contributor

Scheduler is a Global OG setting in our on-premises environment. Not sure how it would work in SaaS. I'd guess there's a setting all customers are subject to.
ManuelDiensthub
Contributor

Hey,

Same thing in our SaaS environment. Any solution?

Thanks,
M
henkor
Enthusiast

I opened a ticket and they saw duplicate accounts that cause my sync process not to work as it should.
MRFVMUser
Enthusiast

We have ACC to help sync users from our on-prem Active Directory to AirWatch MDM. In Enterprise Integration - Directory Services - Group (Advanced) settings, I had 'Conditional Group Sync' = Enabled. Because of this setting, whenever a user was deleted from our Active Directory, the user was not removed from direct-sync AW User Groups. Conditional Group Sync will only sync changes that occur in AD. When the AD user record is deleted, the reference for change is lost with it. That is why user membership was not removed from the AW User Group. We disabled 'Conditional Group Sync' and now the sync happens the way we expect. I manually remove all AW Users that have 0 enrolled devices and 0 User Group memberships. Being a member of 0 groups would be the indicator that the user has been removed from our AD. I too am looking to create PowerShell scripts that invoke the REST API to remove users that have zero group memberships. Haven't figured it out yet, so if anyone has, please share.
chengtmskcc
Expert

I would appreciate the script as well. Right now, this setting does what it's supposed to do by setting the account 'Inactive' once it's disabled in AD. However, if another user with the same username comes on board, s/he won't be able to register a device due to the presence of the 'Inactive' account. One option, of course, is to delete any account in AirWatch once it's disabled in AD. Another option is to ensure the same username cannot be used again even if the user has the same first and last name.
MRFVMUser
Enthusiast

Thomas, I have similar concerns. This thread inspired me to write a PowerShell script that invokes the REST API to remove users from AirWatch once their user is deleted in AD. 'Deleted,' not disabled. When an AD user is deleted, the username becomes usable again, but with a different GUID. So, we would definitely want to remove the AirWatch user once the AD user no longer exists. In the past, we never 'deleted' AD user records, so that option will work if it fits your directory needs. Our directory would be too big if we kept disabled user records.
chengtmskcc
Expert

Thanks, Myles. I don't have control over the retention policy in AD, but I would think the same account should be deleted in AirWatch once it's disabled in AD to avoid this issue entirely. Is your script on GitHub by any chance?
MRFVMUser
Enthusiast

It depends on how things work for your organization. For our AD policy, we keep disabled AD user records in a 'Terminated Users' OU for 60 days. We do this because it is possible the same user may come back to the company or have their contract extended, and we want to re-activate the AD user record. So, given the AW Scheduled User Group Sync, we will have disabled users in AirWatch for at least those 60 days. After 60 days, the AD user record is deleted. We run a daily PS script that loops through AW Users, detects that the AD user doesn't exist anymore, and deletes the AW User at that time. I don't have a script on GitHub, unfortunately. I'm not a programmer; more of a hack who can find his way around scripts and figure stuff out using a lot of Google searching. 🙂
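The housekeeping job described in the last post (and Luke's "no enrolled devices" variant earlier in the thread), written out as an added example that is not any poster's script. It assumes the Workspace ONE UEM REST API endpoints /API/system/users/search, /API/mdm/devices/search and /API/system/users/{id}/delete with Basic auth plus the aw-tenant-code API key header, the ActiveDirectory PowerShell module on the host, and the response field names shown in the comments; it only reports candidates unless -Delete is passed.

```powershell
# Added example, not from this thread. Dry run by default; -Delete performs the removal.
param(
    [Parameter(Mandatory)] [string] $ApiHost,      # e.g. https://cn000.awmdm.example (placeholder)
    [Parameter(Mandatory)] [string] $TenantCode,   # REST API key from the UEM console
    [Parameter(Mandatory)] [pscredential] $Credential,  # console admin account
    [string[]] $Exclude = @(),                     # basic/admin accounts that never existed in AD
    [switch] $Delete
)

Import-Module ActiveDirectory

$pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
$headers = @{
    'Authorization'  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    'aw-tenant-code' = $TenantCode
    'Accept'         = 'application/json'
}

# Page through the user search. Response shape (Users[], Total, Id.Value, UserName) is an assumption.
$users = @(); $page = 0
do {
    $resp  = Invoke-RestMethod -Method Get -Headers $headers `
             -Uri "$ApiHost/API/system/users/search?pagesize=500&page=$page"
    $users += $resp.Users
    $page++
} while ($resp.Users.Count -gt 0 -and $users.Count -lt $resp.Total)

$candidates = foreach ($u in $users) {
    if ($Exclude -contains $u.UserName) { continue }
    # The AD object is gone only if no user with that sAMAccountName exists anywhere in the domain,
    # which includes a 'Terminated Users' OU that still holds disabled accounts.
    $name = $u.UserName
    $ad   = Get-ADUser -Filter { SamAccountName -eq $name } -ErrorAction SilentlyContinue
    if ($null -ne $ad) { continue }
    # Extra guard from the thread: never touch a user who still has an enrolled device.
    $dev = Invoke-RestMethod -Method Get -Headers $headers `
           -Uri "$ApiHost/API/mdm/devices/search?user=$([uri]::EscapeDataString($name))"
    if ($dev.Total -gt 0) { continue }
    $u
}

foreach ($u in $candidates) {
    Write-Output ('{0} (Id {1}): no AD object, no enrolled devices' -f $u.UserName, $u.Id.Value)
    if ($Delete) {
        Invoke-RestMethod -Method Delete -Headers $headers `
            -Uri "$ApiHost/API/system/users/$($u.Id.Value)/delete"
    }
}
```

Run it once without -Delete and review the list against the 60-day retention window mentioned in the thread before scheduling it with -Delete.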