User Visibility module
The User Visibility module manages mobile devices based on corporate directory structure. With this module, administrators can manage user devices that belong to specific groups, and target apps, policies, and content to user devices that are members of a specific directory group.
The User Visibility module integrates with your Active Directory (AD) or LDAP environment to discover users, groups, and their membership associations from the corporate directory. The User Visibility module collects information about these directory objects and uploads that information to the MaaS360® Cloud. The module uses the user and group information to assign and distribute policies, apps, and docs, including administrative role-based access.
The Cloud Extender® facilitates AD/LDAP visibility in the following ways:
- Discovery of User Objects from the directory within a specific scope (no sensitive information collected)
- Discovery of User Groups from the directory within a specific scope
- On-demand discovery of members of specific groups. Use customized configuration options to limit data that is exported from the directory and from within a specific scope instead of exporting the entire directory.
- Map attributes that are read from the corporate directory for the user object for specific use cases.
When the User Visibility module is configured correctly, the administrator can view all users and groups from the corporate directory within the IBM® MaaS360 Portal. The MaaS360 platform allows administrators to import these User Groups into MaaS360, which triggers a discovery of the users within that specific group.
The User Visibility module runs on a schedule. It uploads data (users, groups, user attributes, and group memberships) in increments (changes since the last upload) every four hours, and uploads the full scope of data once a month. The IBM MaaS360 Portal continuously reflects any changes to user attributes and any changes to or deletions from group membership.
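The scope-limited discovery, on-demand group member lookup, and incremental upload behaviour described above, modelled as an added Python example against a constructed in-memory directory. This is not code from the MaaS360 documentation or from the Cloud Extender; the attribute names (uid, memberOf, employeeNumber), the entry layout, and the sample DNs are assumptions made for the example.

```python
# Added example (not part of the MaaS360 documentation or the Cloud Extender):
# models scope-limited discovery and incremental uploads against a constructed,
# in-memory directory. Attribute names (uid, memberOf, employeeNumber) and the
# entry layout are assumptions for the example.

# Constructed sample directory: a scoped OU and one account outside it.
BASE_DN = "ou=Employees,dc=example,dc=com"
SALES_GROUP = "cn=Sales,ou=Groups,dc=example,dc=com"
DIRECTORY = [
    {"dn": "uid=alice,ou=Employees,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": "alice", "memberOf": [SALES_GROUP], "employeeNumber": "1001"},
    {"dn": "uid=bob,ou=Employees,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": "bob", "memberOf": [SALES_GROUP, "cn=Admins,ou=Groups,dc=example,dc=com"],
     "employeeNumber": "1002"},
    {"dn": "uid=svc-backup,ou=Service,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": "svc-backup", "memberOf": [SALES_GROUP], "employeeNumber": "9001"},
    {"dn": SALES_GROUP, "objectClass": ["groupOfNames"], "cn": "Sales"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A group name or DN taken from configuration that contains '*', '(' or ')'
    would otherwise change the meaning of the filter it is inserted into.
    """
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def group_member_filter(group_dn: str, user_class: str = "inetOrgPerson") -> str:
    """Filter for on-demand discovery of the members of one group."""
    return f"(&(objectClass={user_class})(memberOf={escape_filter_value(group_dn)}))"


def _dn_components(dn: str) -> list:
    # Simplification for the example: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(dn: str, base_dn: str) -> bool:
    """True when dn sits under base_dn (subtree scope), compared per RDN component
    so that a string-prefix match on a differently named OU is not accepted."""
    dn_parts, base_parts = _dn_components(dn), _dn_components(base_dn)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def search(directory: list, base_dn: str, predicate) -> dict:
    """Stand-in for an LDAP subtree search bounded by a base DN: entries outside
    the configured scope are never returned, so they are never uploaded."""
    return {e["dn"]: e for e in directory if in_scope(e["dn"], base_dn) and predicate(e)}


def discover_users(directory: list, base_dn: str) -> dict:
    """Discovery of user objects within the configured scope."""
    return search(directory, base_dn, lambda e: "inetOrgPerson" in e.get("objectClass", []))


def members_of(directory: list, base_dn: str, group_dn: str) -> dict:
    """On-demand member discovery for one imported group, still bounded by scope."""
    return search(directory, base_dn,
                  lambda e: "inetOrgPerson" in e.get("objectClass", [])
                  and group_dn in e.get("memberOf", []))


def delta(previous: dict, current: dict):
    """Incremental upload payload: only what changed since the last run.
    A periodic full upload is simply delta({}, current)."""
    added = {dn: e for dn, e in current.items() if dn not in previous}
    removed = {dn: e for dn, e in previous.items() if dn not in current}
    changed = {dn: e for dn, e in current.items() if dn in previous and previous[dn] != e}
    return added, removed, changed


if __name__ == "__main__":
    print("users in scope:", sorted(discover_users(DIRECTORY, BASE_DN)))
    print("member filter:", group_member_filter(SALES_GROUP))
    print("Sales members in scope:", sorted(members_of(DIRECTORY, BASE_DN, SALES_GROUP)))
```

Note that svc-backup is a member of the Sales group but sits outside the configured base DN, so it is neither discovered nor uploaded; the scope, not the group, decides what leaves the directory. The escaping in `escape_filter_value` is what keeps a configured group name from rewriting the filter.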
Modes of operation
- Active Directory Mode: This mode is specific to Microsoft Active Directory environments. The Cloud Extender runs as a service account and runs scripts to discover users and groups within your directory. If you have multiple trusting forests or resource forests in your environment, some additional configuration is required.
- LDAP Mode: This mode is used for any corporate directory. The Cloud Extender offers standard LDAP templates to integrate with Domino® LDAP, Oracle LDAP, Novell eDirectory, and OpenLDAP. In addition to these standard LDAPs, use this mode to configure against any customized LDAP. The Cloud Extender also provides a template to help you configure Microsoft Active Directory in LDAP mode.
To determine which implementation mode to use for your environment, consider these guidelines:
- If you are not using Microsoft Active Directory (AD), use LDAP mode.
- If you are using Microsoft Active Directory (AD), the following table provides LDAP options for your environment:
Table 1. Determining which LDAP implementation mode to use for your environment

Scenario | Active Directory Mode | LDAP Mode |
---|---|---|
Ability to limit authentication scope to a certain OU, subtree, or group | | ✓ |
Requirement that the Cloud Extender needs to be part of your domain | ✓ | |
Ability to support trusted forest/domain visibility | ✓ | ✓ |
Ability to support untrusted forest/domain visibility | Requires a separate instance of the Cloud Extender for each untrusted forest | Requires a separate instance of the Cloud Extender for each untrusted forest |
Ability to customize attributes that are read from AD | | ✓ |
Support for User Custom Attributes¹ | | ✓ |
Ability to customize user and group filters for optimized user search performance | | ✓ |
Support for High Availability | | |
Ease of configuration | Easy | Medium |
Implementation technology | .NET libraries | LDAP libraries |
Configured along with User Authentication on the same Cloud Extender² | ✓ | ✓ |
In most situations, LDAP mode is the implementation of choice for user visibility, even in Microsoft Active Directory environments, because of the advantages listed in the table and its easy adaptability to future requirements.
Requirements and scaling
The User Visibility module requires one instance of the Cloud Extender for LDAP or Active Directory, which scales up to 100,000 users. If your directory scope for the Cloud Extender is greater than 100,000 users, you must implement additional instances of the Cloud Extender. The following table provides hardware requirements for the User Visibility module:
Item | Minimum requirement |
---|---|
Hardware component | CPU: 2 cores; Memory: 2 GB to 8 GB; Storage: 50 GB. Scaling: for accurate scaling of your environment, see the Cloud Extender scaling document. Limits: 100,000 users |
Network traffic | Traffic exchange between the Cloud Extender and LDAP/AD; traffic exchange between the Cloud Extender and MaaS360; test metrics (usage based on 1,000 users) |
Active Directory | Hardware specs meet minimum requirements; PowerShell 3.0+ installed; Windows operating system is joined to the domain; Service Account |
LDAP | Hardware specs meet minimum requirements; Service Account |
For example, you define a User Custom Attribute that is called Employee Serial Number and use this value in MaaS360 policies for device configuration, application configuration, or as part of Identity Certificates. This attribute can be read directly from your directory by using the LDAP configuration.
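The Employee Serial Number case above, as an added Python example that is not code from the MaaS360 documentation or from the Cloud Extender: a configurable mapping resolves a custom attribute from a directory entry, and the value is escaped before it is placed in a certificate subject. The directory attribute names (employeeNumber, departmentNumber), the mapping table, the organization name, and the sample entry are constructed for the example.

```python
# Added example (not part of the MaaS360 documentation or the Cloud Extender):
# reads a User Custom Attribute such as Employee Serial Number from a directory
# entry under a configurable attribute mapping and embeds it safely in a
# certificate subject. Attribute names, the mapping table and the sample entry
# are constructed for the example.

# Custom attribute name as shown to administrators -> directory attribute to read.
CUSTOM_ATTRIBUTE_MAP = {
    "Employee Serial Number": "employeeNumber",
    "Department": "departmentNumber",
}

# Constructed sample entry in the shape an LDAP search returns (values as lists).
SAMPLE_ENTRY = {
    "dn": "uid=alice,ou=Employees,dc=example,dc=com",
    "employeeNumber": ["1001"],
    "mail": ["alice@example.com"],
}


def read_custom_attributes(entry: dict, mapping: dict) -> dict:
    """Resolve each configured custom attribute from one directory entry.

    Multi-valued attributes contribute their first value; an attribute missing
    from the entry yields None so a consumer can distinguish "not set in the
    directory" from an empty string.
    """
    resolved = {}
    for custom_name, ldap_attr in mapping.items():
        values = entry.get(ldap_attr)
        if isinstance(values, list):
            resolved[custom_name] = values[0] if values else None
        else:
            resolved[custom_name] = values
    return resolved


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for a DN string (RFC 4514).

    A directory value containing ',' or '+' would otherwise be parsed as an
    additional RDN when the certificate subject is built from it.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append(f"\\{ord(ch):02X}")
        else:
            out.append(ch)
    return "".join(out)


def certificate_subject(custom_attrs: dict, organization: str = "Example Corp") -> str:
    """Build the subject for an identity certificate from the resolved attributes.
    Refuses to produce a subject when the serial is absent rather than defaulting it."""
    serial = custom_attrs.get("Employee Serial Number")
    if not serial:
        raise ValueError("Employee Serial Number is not set for this user")
    return f"CN={escape_rdn_value(serial)},O={escape_rdn_value(organization)}"


if __name__ == "__main__":
    attrs = read_custom_attributes(SAMPLE_ENTRY, CUSTOM_ATTRIBUTE_MAP)
    print("resolved custom attributes:", attrs)
    print("certificate subject:", certificate_subject(attrs))
```

The mapping table is the only place a directory attribute name appears, so changing which attribute backs Employee Serial Number is a configuration change, not a code change. Refusing to build a subject for a user whose serial is unset avoids issuing a certificate whose identity field is empty or defaulted.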