AirWatch Cloud Connector
What is the AirWatch Cloud Connector?
The AirWatch Cloud Connector is an application that connects Workspace ONE UEM to an on-premises Active Directory domain. Instead of exposing a domain controller (or a read-only domain controller) so that the UEM console can reach it, the AirWatch Cloud Connector makes outbound-only connections to the UEM console and handles directory authentication and enumeration on its behalf.
Architecture
The diagram below depicts the deployment architecture of the ACC with SaaS-based Workspace ONE. Note that the connection is made outbound only, over port 443. The main requirement for the ACC is that it is installed on Windows Server 2016 or later (at the time of writing), on either a virtual or a physical machine. Guidance for sizing can be found here.
Configuration
(This assumes a SaaS tenant of Workspace ONE and a Windows Server 2016 or later virtual machine that has been joined to the domain.)
1. In the Workspace ONE console, go to Groups and Settings - All Settings - System - Enterprise Integration - Cloud Connector. Change the "Current Setting" option to Override, then set "Enable AirWatch Cloud Connector" to Enabled. Scroll down and save the changes, then download the AirWatch Cloud Connector installer.
2. Next, run the installer on the domain-joined virtual machine. After it is installed and the VM restarts, return to the console, scroll down, and click "Test Connection". Verify that the ACC is reachable.
3. In the UEM console, go to Groups and Settings - All Settings - System - Enterprise Integration - Directory Services. Set the directory type to "LDAP - Active Directory" and fill in the remaining fields with the information needed to connect to Active Directory, including the bind credentials.
4. In the "User" tab of the same Directory Services page, verify that the Base DN is populated correctly. Expand the "Advanced" section to confirm that the attribute mappings are correct as well, though the defaults generally suffice here.
5. At the bottom of the page, click Test Connection. In the page that comes up, verify that UEM is able to connect and bind with the desired AD domain.
6. On this same page, enter a username and click "Check User". This verifies that users are queried from AD correctly and that their attributes come through as expected.
A common issue is that you may have to prefix the user with the domain when checking a user, e.g. mydomain\user rather than just user. If you are experiencing this, you may need to adjust the Base DN in the configuration above so that it queries the correct user objects in AD.
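The two things that most often break steps 2 and 6 above, outbound 443 from the ACC host and a Base DN that does not contain the user, can be checked from the ACC server itself before touching the console. This is an added example, not part of the original page or of the ACC installer; it assumes the RSAT ActiveDirectory module is present on the domain-joined server, and the hostname, Base DN and username below are constructed placeholders to replace with your own.

```powershell
<#
  Added pre-flight check for an ACC host (not the page's or VMware's own code).
  Assumes: RSAT ActiveDirectory module available; parameter defaults are placeholders.
#>
param(
    [string]$UemConsoleHost = 'YOUR-TENANT.example.com',       # placeholder: UEM console hostname
    [string]$BaseDn         = 'OU=Staff,DC=mydomain,DC=local',  # constructed: Base DN from Directory Services
    [string]$UserName       = 'jdoe'                            # constructed: sAMAccountName used in "Check User"
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The ACC only needs outbound TCP 443 to the console; nothing inbound is required.
$net = Test-NetConnection -ComputerName $UemConsoleHost -Port 443 -WarningAction SilentlyContinue
if ($net.TcpTestSucceeded) {
    Write-Output "OK: outbound 443 to $UemConsoleHost is open"
} else {
    Write-Output "FAIL: cannot reach $UemConsoleHost on 443 (check egress firewall / proxy)"
}

# 2. "Check User" can only find objects beneath the Base DN, so search that scope first.
#    Escape RFC 4515 filter specials so an odd username cannot alter the LDAP filter.
$safe   = $UserName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
$filter = "(sAMAccountName=$safe)"
$user   = Get-ADUser -LDAPFilter $filter -SearchBase $BaseDn -SearchScope Subtree `
                     -Properties userPrincipalName, mail
if ($user) {
    Write-Output "OK: $UserName found under $BaseDn"
    Write-Output "    DN:  $($user.DistinguishedName)"
    Write-Output "    UPN: $($user.UserPrincipalName)   mail: $($user.mail)"
} else {
    # Search the whole domain to show where the object actually lives.
    $elsewhere = Get-ADUser -LDAPFilter $filter
    if ($elsewhere) {
        Write-Output "FAIL: $UserName exists at $($elsewhere.DistinguishedName), outside $BaseDn"
        Write-Output "      Widen or correct the Base DN so that this OU is in scope"
    } else {
        Write-Output "FAIL: no user with sAMAccountName '$UserName' exists in the domain"
    }
}
```

If the user is reported outside the Base DN, that is the same condition that makes "Check User" fail or require the mydomain\user form, and the printed DN tells you which OU the Base DN needs to include.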