Active Directory: On Prem Agent

SECURITY  Administrator or Super Administrator privileges in Workplace

NAVIGATION  Multiple paths with multiple steps, but in Workplace Online, configuration of this feature takes place on Configuration > Integrations > Active Directory tile > Setup or Manage button > Configure > On Prem Agent radio button.

Please read this...

This article is a supplement to the Active Directory integration guide. Only continue with this article after reading the Active Directory integration guide, and when you have a clear understanding of the integration functionality.

This article explains how to integrate with Active Directory using the OnPrem Agent method specifically.

NOTE  Workplace Desktop v10 cannot be used as an integration agent as it cannot be run as a service.

About OnPrem Agent AD

This AD method involves installing Workplace Server on a dedicated machine behind the firewall and bound to the AD domain, which then becomes responsible for authenticating users and syncing their full name, email address (username) and telephone number.

IMPORTANT  Integrating with Active Directory means that access to Workplace will be controlled by Active Directory through the link established by the steps in this article. It is imperative that you read these instructions carefully and execute the following steps precisely as indicated.

Local requirements

  • All users accessing Workplace via AD provisioned accounts must have login rights to the machine hosting the AD Integration Agent.
  • An Active Directory installation on the LAN.
  • A machine, connected to the LAN and bound to the AD domain, to act as the integration agent. This machine must meet the following requirements:
    • Must not be a domain controller
  • The latest Workplace Server version

NOTE  We recommend using Workplace Server as your AD Integration agent. The optimum configuration is a dedicated machine that is newly provisioned on the domain.

  • On the Domain Controller, the group policy that controls the maximum size of Active Directory searches should be disabled for the workstation serving as an Active Directory integration agent.

Workplace requirements

  • Administrator access on a Workplace team.
  • Enough licenses available for each user to be provisioned from Active Directory.

How to...

  1. Log into the computer designated to be an Active Directory integration agent.
  2. Download and install Workplace Server.
  1. Enter the Workplace team administrator account credentials when prompted.
  2. To verify the installation, log into Workplace Online and go to the Devices tab. The Active Directory Integration Agent should be visible in the Devices list.
  1. Login to Workplace Online.
  2. Go to Configuration > Integrations > Active Directory tile > Manage button > Configure button > On Prem Agent radio button.

  3. Complete the following fields:
Field Description
Authentication Domain Enter the domain to be used to authenticate users
Synchronization at (daily) Specify the time that automated daily AD synchronization will occur, or select Synchronize Manually to perform this activity manually, using the Synchronize button on the Active Directory page in Workplace Online. For more information about synchronization, refer to About synchronization.
LDAP Search Path Complete the LDAP search path as specified in the LDAP Search Path Syntax section of the Active Directory integration guide topic. To add multiple paths, click the Add path button.
Default phone number prefix This optional field allows you to enter a telephone prefix which will automatically be applied to any phone number that does not start with ‘+’. In AD environments where prefixes have not been entered, this allows the prefix to be automatically appended upon import into Workplace. Entries into this field must be in the format ‘+XX’, where ‘XX’ is the desired country code.
Load groups outside path If selected, all groups of which the users are members will be loaded, regardless of the specified LDAP path.
Add Integration Agent Select the device you wish to use as an AD integration agent.
Send alerts to:

The selections/entries you make here control who will be sent a notification in the event of an Active Directory alert.

In the Send alerts to: section, select the All administrators or Selected users radio button.

If you choose Selected users, enter the name or email address of an administrator in the field below the radio buttons, or click the icon to use a data selector.

IMPORTANT  If you choose Selected users and do not select any administrators in the associated field, no one will receive Active Directory alert messages, so it's very important to select one or more recipients.
Send alerts via: These radio button determine in what manner alert recipients will be notified of Active Directory alerts. Select either Email or Email and text message.
  1. Click Test Authentication for Active Directory.
  2. Click Save.
  1. Log into Workplace Online.
  2. Go to Configuration > Integrations > Active Directory tile > Manage button > Configure button > select the appropriate AD method radio button.
  3. Scroll to the bottom of the page for the Alert Settings area.
  4. In the Send alerts to: section, select the Selected users radio button.
  5. Enter the name or email address of an administrator in the field below the radio buttons, or click the icon to use a data selector. If Workplace identifies an email address as a Workplace user, it will appear in blue. All other email addresses, including the support email address, will appear in orange.

IMPORTANT  If you have chose Selected users and do not select any administrators in the associated field, no one will receive Active Directory alert messages, so it's very important to select one or more recipients.

NOTE  For purposes of reliability and redundancy , it is advisable to install an additional Active Directory integration agent. Multiple Active Directory integration agents can be configured – if one is unavailable, Workplace will automatically attempt to resolve LDAP queries with the other available integration agents.

  1. Log in to Workplace Online.
  2. Configuration > Integrations > Active Directory tile > Manage button > Configure button > On Prem Agent radio button.
  3. Click Configure.
  4. In the Integration Agents section, select Add Integration Agent.
  5. Select the desired Integration Agent, then click Select.
  6. Click Save Settings.

NOTE  Since the agent is running as system service, unmaintained on a server, you must occasionally check for updates. Follow the steps below to see the current version on the integration agent.

  1. Log into Workplace Online using the Administrator credentials associated with the integration agent.
  2. Go to Devices and locate the integration agent.
  3. Confirm that the version is current.