User Visibility module

The User Visibility module manages mobile devices based on corporate directory structure. With this module, administrators can manage user devices that belong to specific groups, and target apps, policies, and content to user devices that are members of a specific directory group.

The User Visibility module integrates with your Active Directory (AD) or LDAP environment to discover users, groups, and their membership associations from the corporate directory. The User Visibility module collects information about these directory objects and uploads that information to the MaaS360® Cloud. The module uses the user and group information to assign and distribute policies, apps, and docs, including administrative role-based access.

The Cloud Extender® facilitates AD/LDAP visibility in the following ways:
  • Discovery of User Objects from the directory within a specific scope (no sensitive information collected)
  • Discovery of User Groups from the directory within a specific scope
  • On-demand discovery of members of specific groups. Customized configuration options limit the data that is exported from the directory to a specific scope, instead of exporting the entire directory.
  • Map attributes that are read from the corporate directory for the user object for specific use cases.

When the User Visibility module is configured correctly, the administrator can view all users and groups from the corporate directory within the MaaS360 Portal. The MaaS360 platform allows the administrators to import these User Groups into MaaS360 to trigger a discovery of users within that specific group.

The User Visibility module runs on a schedule and uploads data (users, groups, user attributes, and group memberships) in increments (changes since the last upload) every four hours, and also uploads the full scope of data once a month. The MaaS360 Portal is continually updated with any changes to user attributes and any changes to, or deletions of, group memberships.
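To make the discovery cycle concrete, the following added Python illustration (not Cloud Extender code) scopes a constructed directory snapshot to one base DN, exports only mapped attributes so that anything unmapped (such as a password attribute) is never uploaded, computes the incremental delta between two uploads, and checks that the scopes of two instances do not overlap, as the scaling notes later on this page require. The attribute names, the Employee Serial Number mapping, and all DNs and values are assumptions.

```python
# Added illustration, not Cloud Extender code: models one User Visibility cycle.
# Attribute names, the Employee Serial Number mapping and all DNs are assumptions.
def dn_components(dn):
    """Split a DN into lower-cased RDN components for suffix comparison."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, base_dn):
    """True if dn sits at or below base_dn (component-wise, so OU=SalesEU is not under OU=Sales)."""
    entry, base = dn_components(dn), dn_components(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def scopes_overlap(base_a, base_b):
    """Instances must have exclusive scopes: they overlap if one base lies under the other."""
    return in_scope(base_a, base_b) or in_scope(base_b, base_a)

# Directory attribute -> exported name. Anything unlisted (e.g. userPassword) is never exported.
ATTR_MAP = {"mail": "Email", "sAMAccountName": "Username",
            "employeeNumber": "Employee Serial Number", "memberOf": "Groups"}

def export_users(directory, base_dn, attr_map=ATTR_MAP):
    """Return the in-scope users carrying only the mapped attributes."""
    return {dn: {attr_map[k]: v for k, v in attrs.items() if k in attr_map}
            for dn, attrs in directory.items() if in_scope(dn, base_dn)}

def incremental_delta(previous, current):
    """Changes since the last successful upload: added, removed and changed DNs."""
    return {"added": sorted(set(current) - set(previous)),
            "removed": sorted(set(previous) - set(current)),
            "changed": sorted(dn for dn in set(current) & set(previous)
                              if current[dn] != previous[dn])}

# Constructed snapshots of the directory at two consecutive upload times (values invented).
BASE = "OU=Sales,DC=corp,DC=example"
GROUP = "CN=MobileUsers,OU=Groups,DC=corp,DC=example"
ALICE, BOB, DAVE = (f"CN={n},OU=Sales,DC=corp,DC=example" for n in ("alice", "bob", "dave"))
CAROL = "CN=carol,OU=Finance,DC=corp,DC=example"  # outside the Sales scope
SNAPSHOT_T0 = {
    ALICE: {"sAMAccountName": "alice", "employeeNumber": "1001", "memberOf": [GROUP], "userPassword": "x"},
    BOB: {"sAMAccountName": "bob", "employeeNumber": "1002", "memberOf": []},
    CAROL: {"sAMAccountName": "carol", "employeeNumber": "2001", "memberOf": [GROUP]},
}
SNAPSHOT_T1 = {  # alice has left; bob joined the group; dave is a new hire
    BOB: {"sAMAccountName": "bob", "employeeNumber": "1002", "memberOf": [GROUP]},
    CAROL: SNAPSHOT_T0[CAROL],
    DAVE: {"sAMAccountName": "dave", "employeeNumber": "1003", "memberOf": []},
}

def run_cycle():
    """Incremental upload payload for the scoped view between the two snapshots."""
    return incremental_delta(export_users(SNAPSHOT_T0, BASE), export_users(SNAPSHOT_T1, BASE))
```

Carol never appears in the payload because she is outside the configured scope, and the password attribute is dropped by the mapping rather than by a blocklist, which is the safer default.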

Modes of operation

The Cloud Extender integrates with the corporate directory by using the following modes:
  • Active Directory Mode: This mode is specific to Microsoft Active Directory environments. The Cloud Extender runs as a service account and runs scripts to discover users and groups within your directory. If you have multiple trusting forests or resource forests in your environment, some additional configuration is required.
  • LDAP Mode: This mode is used for any corporate directory. The Cloud Extender offers standard LDAP templates to integrate with Domino® LDAP, Oracle LDAP, Novell eDirectory, and OpenLDAP. In addition to these standard LDAPs, use this mode to configure against any customized LDAP. The Cloud Extender also provides a template to help you configure Microsoft Active Directory in LDAP mode.

To determine which implementation mode to use for your environment, consider these guidelines:

  • If you are not using Microsoft Active Directory (AD), use LDAP mode.
  • If you are using Microsoft Active Directory (AD), the following table compares the two modes for your environment:
    Table 1. Determining which LDAP implementation mode to use for your environment

    Scenario | Active Directory Mode | LDAP Mode
    Ability to limit authentication scope to a certain OU, subtree, or group | |
    Requirement that the Cloud Extender needs to be part of your domain | |
    Ability to support trusted forest/domain visibility | |
    Ability to support untrusted forest/domain visibility | Requires a separate instance of the Cloud Extender for each untrusted forest | Requires a separate instance of the Cloud Extender for each untrusted forest
    Ability to customize attributes that are read from AD | |
    Support for User Custom Attributes (1) | |
    Ability to customize user and group filters for optimized user search performance | |
    Support for High Availability | |
    Ease of configuration | Easy | Medium
    Implementation technology | .NET libraries | LDAP libraries
    Configured along with User Authentication on the same Cloud Extender (2) | |

In most situations, LDAP mode is the implementation of choice for User Visibility, even in Microsoft Active Directory environments, given the advantages listed in the table and its easier adaptability to future requirements.

Requirements and scaling

The User Visibility module requires one instance of the Cloud Extender for LDAP or Active Directory, which scales up to 100,000 users. If your directory scope for the Cloud Extender is greater than 100,000 users, you must implement additional instances of the Cloud Extender. The following table provides hardware requirements for the User Visibility module:

Table 2. Hardware requirements for the User Visibility module

Hardware component (minimum requirement):
  • CPU: 2 cores
  • Memory: 2 GB to 8 GB
  • Storage: 50 GB

Scaling:
  • One Cloud Extender for 100,000 users.
  • Supports installation on multiple instances of the Cloud Extender, but does not support High Availability. Each Cloud Extender that implements User Visibility must have an exclusive scope and must not overlap with other instances of the Cloud Extender that implement User Visibility.
  • Install on a dedicated Cloud Extender, or enable on a Cloud Extender that already has the User Authentication or Certificate Authority Integration services enabled.

For accurate scaling of your environment, see the Cloud Extender scaling document at Setup > Services > Enterprise Email Integration.

Limits: 100,000 users

Network traffic:
  Traffic exchange between the Cloud Extender and LDAP/AD:
    • First-time upload data usage: 0.5 MB
    • Steady state data usage per month: 90 MB
  Traffic exchange between the Cloud Extender and MaaS360:
    • First-time upload data usage: 0.15 MB
    • Steady state data usage per month: 0.87 MB
  Test metrics (usage based on 1,000 users):
    • Data upload frequency
      • Incremental data uploads frequency = 4 hours
      • Full data uploads frequency = 1 week
    • Incremental data uploads (uploads only changes since the last successful upload)
      • Every incremental query, one percent of users with attribute changes
      • Average data packet size per user: 0.5 KB
    • Average ratio of encryption and compression of data upload to MaaS360 = 70 percent
Active Directory mode prerequisites:
  • Hardware specs meet minimum requirements
  • PowerShell 3.0+ installed
  • Windows operating system is joined to the domain
  • Service Account:
    • Domain User
    • Password does not expire
    • Non-interactive account
    • Local Administrator on the Cloud Extender server

LDAP mode prerequisites:
  • Hardware specs meet minimum requirements
  • Service Account:
    • User name and password to bind to the LDAP server
    • Password does not expire
    • Non-interactive account
(1) User Custom Attributes is a feature in MaaS360 where you define your own attribute and use this attribute in various configuration workflows.

For example: You define a User Custom Attribute that is called Employee Serial Number and use this value in MaaS360 policies for device configuration, application configuration, or a part of Identity Certificates. This attribute can be read directly from your directory by using the LDAP configuration.

(2) Consider whether to configure the User Visibility service along with the User Authentication service for your Cloud Extender. If so, then the mode of configuration for both these services is either Active Directory or LDAP. For example, User Authentication as AD and User Visibility as LDAP on the same Cloud Extender is not possible. If you require this combination, you must use separate instances of the Cloud Extender.