VMware Workspace ONE Community
jvamosy
Contributor

Auto create AirWatch accounts from Active Directory

Is it possible to have AW automatically create user accounts that are contained in AD groups? If so, can I have multiple AD groups, and based on those AD groups the user accounts would be created in different AirWatch OUs?

Thank you in advance!

James
14 Replies
TarrenLuvene
Contributor

What you are asking would use AirWatch Cloud Connector, or you can use Identity Manager to integrate with your AD. Both would pull and create user accounts based on what groups you want to sync. vIDM would use OUs and groups to create from.
M4dawin
Contributor

Yes, you'll need at least ACC to point to your LDAP. You can configure the sync so that the AD group users will be imported to certain AW/WSO OUs. Go to Enrollment under All Settings to sync them up.
EricPlent
Enthusiast

Yes, this works with AD. We have a number of internal support teams with AD groups configured. When someone comes on board, they drop the name in the AD group and a user account is created for them in WS1 automatically.
jvamosy
Contributor

Tarren, Darwin and Eric, thank you for your responses. So, question(s).... I have an ACC in place and it's working. So my setup looks like this (fictitious names): ACME Rockets (parent company or root) -> Production and Dev OUs -> Production or NA or Tech, Production or NA or Marketing, Production or NA or HR -> I hope you get the idea. When I manually add AD accounts, I choose the enrollment OU, or Tech, or Marketing, or HR, and so on. Now how do I configure the console to sync with AD and see if a user in AD is part of the Tech AD group or Marketing AD group or HR AD group, for example, so that it creates those accounts in the proper enrollment OU in AirWatch? Because whatever I'm doing wrong is causing the user accounts to be created at the ACME Rockets OU.

Thanks Again!
FHLB
Contributor

We use Identity Manager to sync the AD groups and members automatically, which happens daily. Then in the WS1 Console, under Administrators and Admin Groups, you create a group (mine are the same as the AD group name, but it doesn't have to be). In there you tell it what OU and group to sync from. Then you tell it to auto sync, auto merge, and add group members automatically. I did have it set wrong where I didn't have 'add group members automatically', so I had to 'add missing users' to get it to add new people. So make sure to enable 'add group members automatically'. Learn from my mistake; I just assumed auto sync was going to do that.....
jvamosy
Contributor

Jon K, thanks for the response. I'm able to get AirWatch to pull the user accounts from an AD group, but it's putting those accounts at my corporate root level and not the OU that I map to. Anyone have any ideas?
FHLB
Contributor

OK, well, what did you select in the Roles tab for that group? In there you can change what level they go to.
FHLB
Contributor

When you created the groups, you also select in there what level you want it to be in, so my guess would be that you missed that field; by default it looks to use the root...
FHLB
Contributor

Any Luck?
RichB2u2
Hot Shot

Synchronized AD user groups and users all reside at the top company level. Users don't move from there. The devices they enroll will go to the proper sub-OG levels as configured.
We are on-premises and don't need ACC configured, by the way, so it is disabled and it still syncs fine with AD LDAP.
jvamosy
Contributor

I'm out of the country at the moment training a vendor, so I'll look into this again when I return to the States at the end of October. Thank you, though, to all of you for the ideas.
jvamosy
Contributor

So I'm back from India 🙂 So this is where I'm at. I have an AD group awdev_technology. I have 5 names in there. I have a user group in AirWatch called awdev_Technology. When I go in the console and go to Accounts -> User Groups -> List View and look for awdev_technology, I see it there, and when I click on Edit I see under the General tab:

type = directory
external type = group
group name = awdev_technology
Managed by =
Distinguished name = CN=awdev_Technology,OU=Security Groups,OU=Standard Groups,DC=,DC=com
Relative Distinguished Name = CN=awdev_Technology
Auto Sync with Directory = enabled
Auto Merge Changes = enabled
Maximum Allowable Changes = 500
Add Group Members Automatically = enabled
Send Email to User When Adding Missing Users = disabled

Now, when I go to Settings -> Devices & Users -> General -> Enrollment -> Grouping, I see:
current settings = override
Group ID Assignment Mode = Automatically Select Based on User Group
Apply mapping on enrollment only = checked
under Edit group assignment = i see awdev_Technology with the organization group ID set correctly
User Group Sync->sync User Groups in Real Time for Workspace ONE = enabled

Now with all that 'said', when I sync the AD group to add missing users, it adds all the users in the AD group. HOWEVER, instead of adding them to the DEV_Technology group, which is a sub group of the company, it adds the users to the root.

Currently I manually create user accounts and, under the enrollment section in the user account, I add them to their desired sub group. So here is my problem. How do I get the user accounts to automatically go to the proper sub group instead of the root of the organization?

THANK YOU IN ADVANCE!!!!

James
RichB2u2
Hot Shot

The order the groups are listed under Settings -> Devices & Users -> General -> Enrollment -> Grouping is important! The sub groups must be listed above the company level group. Every time you add a new user group to the list it shows up at the bottom and needs to be moved above the company group. We have 205 AD groups defined, and every one had to be moved up after creation! Like I said before, the users all reside at the top level OG, and only their enrolled devices are then put into the proper sub OG based on their AD groups. All of our user groups are at the top level OG and are populated with users from AD appropriately too.
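The ordering problem Rich describes above, and the console settings James listed in his earlier post (Group ID Assignment Mode = Automatically Select Based on User Group, with a ranked "Edit group assignment" list), come down to a first-match walk over a ranked list. The following is an added illustration written for this thread, not Workspace ONE code: it models that ranked mapping as a plain Python list and shows why a company-wide group sitting above the sub groups sends every enrollment to the root OG. The group names, OG IDs and user memberships are constructed sample data, and the assumption that the console takes the first matching ranked row is taken from Rich's description; whether user accounts themselves (as opposed to enrolled devices) move to the sub OG is left open, as it is in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    """One row of the ranked 'Edit group assignment' list (constructed model, not WS1 code)."""
    user_group: str  # user group name as shown in the console
    og_id: str       # organization group ID a matching user's device enrolls into


def assign_og(member_of, ranked, default_og):
    """Walk the ranked list top-down and return the OG of the first user group the
    user belongs to; fall back to default_og (the OG enrollment was started against)
    when nothing matches. Comparison is case-insensitive, mirroring how the thread's
    group shows up as both awdev_technology and awdev_Technology."""
    memberships = {g.casefold() for g in member_of}
    for rule in ranked:
        if rule.user_group.casefold() in memberships:
            return rule.og_id
    return default_og


def shadowed_mappings(ranked, catch_all_group):
    """Every row listed below a group that all users belong to can never fire.
    Return the user-group names of those unreachable rows (empty if none)."""
    lowered = [rule.user_group.casefold() for rule in ranked]
    if catch_all_group.casefold() not in lowered:
        return []
    cut = lowered.index(catch_all_group.casefold())
    return [rule.user_group for rule in ranked[cut + 1:]]


def move_catch_all_last(ranked, catch_all_group):
    """Return a new ranked list with the catch-all row at the bottom and every other
    row in its existing relative order (the manual reordering Rich describes)."""
    key = catch_all_group.casefold()
    specific = [rule for rule in ranked if rule.user_group.casefold() != key]
    general = [rule for rule in ranked if rule.user_group.casefold() == key]
    return specific + general


# Constructed sample data: one user's group memberships after directory sync, and
# the mapping list as it looks when new rows are appended at the bottom.
JAMES_GROUPS = ["Domain Users", "ACME_All_Staff", "awdev_technology"]
ROOT_OG = "acmerockets"
MISORDERED = [
    Mapping("ACME_All_Staff", ROOT_OG),  # company-wide group, mapped to the root OG
    Mapping("awdev_Technology", "acmerockets_dev_tech"),
    Mapping("awdev_Marketing", "acmerockets_dev_mkt"),
]


def demo():
    """Show the symptom (everyone lands at root) and the effect of reordering."""
    before = assign_og(JAMES_GROUPS, MISORDERED, ROOT_OG)
    fixed = move_catch_all_last(MISORDERED, "ACME_All_Staff")
    after = assign_og(JAMES_GROUPS, fixed, ROOT_OG)
    return before, after, shadowed_mappings(MISORDERED, "ACME_All_Staff")


if __name__ == "__main__":
    before, after, unreachable = demo()
    print(f"misordered list -> {before}; unreachable rows: {unreachable}")
    print(f"catch-all moved last -> {after}")
```

The useful check is shadowed_mappings: run it against the exported ranked list whenever a new user group is added, since a freshly added row always lands at the bottom and is silently unreachable until it is moved above the company-wide row.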
jvamosy
Contributor

Rich,

Thanks. I just confirmed that all my sub groups are above the company groups. In contrast to your setup, ALL our user accounts PLUS devices reside in the sub groups...