Go to Configuration > System Configuration > System > Enterprise Integration > Directory Services
All issues that arise during a scheduler iteration will appear in the scheduler logs
The Add Missing Users, User Group Membership Sync, and Sync User Attributes processes can all be triggered manually by clicking a button in the console
manual user attribute sync will only sync enrollment users, not administrator attributes
If any issues arise during one of these processes when they are triggered manually, the BulkProcessingServiceLogFile.txt in the Services folder will contain the backend information. If it appears there is a UI issue with the buttons, the WebLogFile.txt file in the WebConsole folder will contain the information needed to troubleshoot.
select ExternalID, SecurityTypeID, * from mobileManagement.EnrollmentUser EU join dbo.LocationGroup LG on LG.LocationGroupID = EU.LocationGroupID where LG.Name = 'ams'
- ExternalID – the ExternalID column contains a hashed value of the attribute configured for Object Identifier. This value is used to match the AirWatch user with the customer’s directory user. If for whatever reason this value is null or incorrect, the AirWatch user will not sync.
- SecurityTypeID – this column determines the type of user. 1 denotes a directory user, 2 denotes a basic user, and 3 denotes an authentication proxy user.
- LocationGroupID – the Organization Group ID where the user is imported. Note that all directory users will always reside at the same level Directory Services is configured, even if imported or added at a child.
- LDAPDefinitionID – the ID of the LDAP Definition the user is associated with.
select LD.UserSearchFilter, LD. * from dbo.LDAPDefinition LD join dbo.LocationGroup LG on LG.LocationGroupID = EU.LocationGroupID where LG.Name = 'ams'
- LastSyncDurationInMinutes – this column contains the time it took to sync the entire Organization Group in minutes.
- LastSyncedOn – last date the Organization Group synced with the directory.
- MemberPageSize – the MemberPageSize value can be configured, but should not exceed 5000 if the customer is using EIS. This value determines the chunk size of information being sent back and forth between ACC\EIS
- IsSortControlSupported – determines if the directory type supports sorting results at the directory server before the response is sent.
select MAP. * from dbo.UserGroupEnrollment(Core)UserMapSync MAP join dbo.UserGroup UG on UG.UserGroupSyncID = MAP.UserGroupSyncID where UG.FriendlyName = 'ams'
select UG. * from dbo.UserGroup UG join dbo.LocationGroup LG on UG.RootLocationGroupID = LG.LocationGroupID where LG.Name = 'ams'
select UGS. * from dbo.UserGroupSync UGS join dbo.LocationGroup LG on UG.RootLocationGroupID = LG.LocationGroupID where LG.Name = 'ams'
A user’s primary group in Active Directory cannot be added to AirWatch, as the primary group has no memberOf attribute on the user object. This is an AD limitation.
LDAP Admin is the LDAP browser most commonly used internally. An LDAP browser is an excellent way to troubleshoot certain queries and determine which attributes should be configured in Directory Services. The tool can be download at http://www.ldapadmin.org/
Test connection failures are usually due to one of two error codes, either 49 or 81. An 81 error code indicates the console cannot find the directory server, which can happen if the hostname was entered incorrectly, ACC\EIS is not functioning properly, the directory server is firewalled, or there is no route to the directory server from the console server.
When an administrator encounters a 49 error it is important to note that this error is generated by the directory server, not AirWatch. In 99% of cases this is because the bind authentication type is not supported, or the account and passwords are incorrect. To verify that the console is not sending a bad username or password, SSL must be turned off and the authentication type must be set to basic so the bind request can be sniffed off the network in plaintext. Use Wireshark!
“System.DirectoryServices.Protocols.LdapException: Error code:81”
Groups & Settings > All Settings > Enterprise Integration > Directory Services, Advanced section
Use Recursive OID At Enrollment = Disable
Add Missing Users: