Page History

select ExternalID, SecurityTypeID, * from mobileManagement.EnrollmentUser EU 
join dbo.LocationGroup LG 
on LG.LocationGroupID = EU.LocationGroupID 
where LG.Name = 'ams'

dbo.LDAPDefinition table contains all of the configuration information from the Directory Services for an Organization Group

select LD.UserSearchFilter, LD. * from dbo.LDAPDefinition LD 
join dbo.LocationGroup LG 
on LG.LocationGroupID = EU.LocationGroupID 
where LG.Name = 'ams'

The dbo.UserGroupEnrollmentUserMapSync table will contain only the ExternalIDs of both the users and the groups that are members of the AirWatch group that was added

select MAP. * from dbo.UserGroupEnrollment(Core)UserMapSync MAP 
join dbo.UserGroup UG 
on UG.UserGroupSyncID = MAP.UserGroupSyncID
where UG.FriendlyName = 'ams'

select UG. * from dbo.UserGroup UG
join dbo.LocationGroup LG
on UG.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'

select UGS. * from dbo.UserGroupSync UGS
join dbo.LocationGroup LG 
on UGUGS.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'

Warning
A user’s primary group in Active Directory cannot be added to AirWatch, as the primary group has no memberOf attribute on the user object. This is an AD limitation.

Query Troubleshooting

Info
LDAP Admin is the LDAP browser most commonly used internally. An LDAP browser is an excellent way to troubleshoot certain queries and determine which attributes should be configured in Directory Services. The tool can be download at http://www.ldapadmin.org/

With some issues, AirWatch is not able to find certain users and/or groups. This is often due to an incorrect filter or lack of permissions in the directory. If we are unable to find the user and group objects with the LDAP Admin tool using the same settings from the console, we will be unable to find them using AirWatch. It will be necessary to test queries during troubleshooting. To run a custom query, click the magnifying glass icon in the toolbar, select the Custom tab in the window that appears, type the Base DN in the Path field, and type the query in the Filter field

Connection Troubleshooting

Test connection failures are usually due to one of two error codes, either 49 or 81. An 81 error code indicates the console cannot find the directory server, which can happen if the hostname was entered incorrectly, ACC\EIS is not functioning properly, the directory server is firewalled, or there is no route to the directory server from the console server.

When an administrator encounters a 49 error it is important to note that this error is generated by the directory server, not AirWatch. In 99% of cases this is because the bind authentication type is not supported, or the account and passwords are incorrect. To verify that the console is not sending a bad username or password, SSL must be turned off and the authentication type must be set to basic so the bind request can be sniffed off the network in plaintext. Use Wireshark!

Warning
“System.DirectoryServices.Protocols.LdapException: Error code:81”

Tip
LDAP error 81 = The LDAP library can't contact the LDAP server AirWatch is not able to communicate with the LDAP server. Verify that Airwatch services are enabled in AirWatch Cloud Connector. If not, the AirWatch Cloud Connector may require re-installation after enabling.

Optimization

Warning
title Optimization of slow enrollment into AD
Groups & Settings > All Settings > Enterprise Integration > Directory Services, Advanced section Use Recursive OID At Enrollment = Disable

LDAP Queries

Search Group:

(&(objectClass=group)(|(CN=*{inputName}*)(distinguishedName={inputName})))

Sync Group:

(&(objectClass=group)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

Search User:

(&(objectCategory=person)(sAMAccountName={InputUserName}))

Sync User:

(&(objectCategory=person)(sAMAccountName=*)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

Add Missing Users:

(&(objectCategory=person)(sAMAccountName=*)(|(distinguishedName={UserDN1})(distinguishedName={UserDN2})))